This document discusses advanced DNS topics including DHCP auto-updates, DNS security techniques like restricting zone transfers and using IP or crypto controls, the importance of running closed recursive resolvers to prevent amplification attacks, and other DNS uses like DNS blacklists and ENUM. Best practices for DNS include not mixing authoritative and caching servers, explicitly configuring options rather than relying on defaults, closing resolvers, documenting zone file changes, using $ORIGIN to specify the domain name, and being consistent with naming.

1. Module 10
Advanced Topics

2. DNS and DHCP
 DHCP can be configured to auto-
update (using DDNS) the forward
and reverse map zones
 Can be secured using allow-update (IP and
crypto) or update-policy (crypto only)
 Crypto may use TSIG or SIG(0)
 Used by AD extensively
 Interaction between AD and BIND9

3. DNS - DHCP

4. DNS - Security Overview

5. DNS and Security
 Local (1) is admin based
 Variety of sysadmin techniques
(permissions)
 Chroot (jail)
 DDNS (2) - inhibit or use IP/Crypto
controls
 Zone Transfers (3) - inhibit or use
IP/Crypto controls
 Resolver (4) - DNSSEC - viable
 Resolver (5) - DNSSEC - not viable

6. Open vs Closed Resolvers
 Allows anyone, anywhere to query your
resolver
 DDoS amplification attacks
 recursion yes; defaulted
 Big Deal
 ~50% of resolvers were open
 BIND9.4 partial close using allow-query-
cache {localnets; localhost;};
 Always use allow-recursion with explicit
list (use ACL clause for big lists)

7. Closing DNS - Techniques
# If authoritative servers (master/slave)
# inhibit all recursion
recursion no;
# if master/slave with caching (hybrid) or caching only (resolver)
# use an appropriate local address scope statement
# to limit recursion requests to local users
allow-recursion {192.168.2.0/24;}; // change IPs as required
# OR if the DNS server's IPs and netmasks cover the whole
# local network you can use:
allow-recursion {"localnets";”localhost”;};
# personal DNS
# hard limits on reading
listen-on {127.0.0.1;}; // or listen-on {localhost;};
listen-on-v6 {::1;}; // OR listen-on-v6 {localhost;};
# OR
allow-recursion {"localhost";};

8. DNS - Uses
 DNSBL - DNS Blacklist
 Used for email blacklists
 Whitelists
 ENUM
 Maps E.164 (Telephone numbers)
 Generic Principle of adding some
(processed) name to a base name to get
a DNS response

9. DNS - DNSBL
$TTL 2d # default RR TTL
$ORIGIN blacklist.example.com.
IN SOA ns1.example.com. hostmaster.example.com.(
2003080800 ; se = serial number
3h ; ref = refresh
15m ; ret = update retry
3w ; ex = expiry
3h ; min = minimum
)
IN NS ns1.example.com.
IN NS ns2.example.com.
# black list records - uses origin substitution rule (order unimportant)
2.0.0.127 IN A 127.0.0.2 # allows testing
# black list RRs
135.2.168.192 IN A 127.0.0.2 # or some result code address
IN TXT "Optional-explanation for black listing"
# the above entries expands to 135.2.168.192.blacklist.example.com
...
135.17.168.192 IN A 127.0.0.2 # generic list
...

10. DNS - Other Lists
$TTL 2d # default RR TTL
$ORIGIN whitelist.example.com.
...
# white list records - using origin substitution rule
# order not important other than for local usage reasons
# normal whitelist RRs
# by convention this address should be listed to allow for external
testing
2.0.0.127 IN A 127.0.0.2
# black list RRs
135.2.168.192 IN A 127.0.0.2 # or some result code address
IN TXT "Optional-explanation for listing"
# the above entries expand to 135.2.168.192.blacklist.example.com
...
135.17.168.192 IN A 127.0.0.2 # generic list
...
# name based RRs for white listing
friend.com IN A 127.0.0.1 # all domain email addresses
IN TXT "Optional-explanation for listing"
# expands to friend.com.whitelist.example.com
joe.my.my IN A 127.0.0.2 # single address
# expands to joe.my.my.whitelist.example.com
...

11. DNS - Best Practices
 Don't mix Authoritative and caching
 practical only for big sites
 Configurations
 document config file changes
 don't assume defaults - be explicit
 Closed resolvers
 Zone files
 document changes
 use $ORIGIN (with dot!)
 Be consistent with names (w/o $ORIGIN)

12. DNS Resources
 http://www.zytrax.com/books/dns
 http://www.isc.org (BIND 9)
 www.dnssec-deployment.org
 www.dnssec.net (info portal)
 Pro DNS and BIND!

13. Quick Quiz
 Can DHCP be used to update the
reverse map file?
 Name at least two security threats.
 Why is an OPEN DNS a Bad Thing?
 Name at least one other use for
DNS.
 Why is $ORIGIN important?