DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
WHO WE ARE?
FIRST LINUX SCHOOL AND CONSULTANCY IN BRAZIL.
17 YEARS OF PRACTICE IN LINUX
12 YEARS WITH THE BEST LINUX IN BRAZIL
MORE THAN 50,000 STUDENTS TRAINED
MORE THAN 5,000 CLIENTS IN DIFFERENT PROJECTS
LPI-C ATP IN BRAZIL
MORE: www.utah.com.br
SOCIAL MEDIA

Follow! @fabioandpires

Follow! @utah_networxs

 Enjoy! Utah Networxs
Speaker: Fabio Pires
Mini Curriculum:

Graduated in Computer Science
Graduated in Bachelor of Computing
Post Graduate in Project Analysis and Systems - FATEC
Post Graduate in Linux Operating Systems - UFLA
LPIC
Teacher of Undergraduate and Graduate courses

Twitter in Spare Time
Contact: fpires@utah.com.br
WHAT IS A DNS SERVER ?

"DNS - DOMAIN NAME SYSTEM" is a hierarchical, distributed name management system that operates on two definitions:

1 - Maintain and update its database.
2 - Resolve domain names into network addresses (IPs).
TYPES OF DNS ?
The authoritative server is responsible for keeping the maps (zones) of a local area and for answering requests coming from machines around the world that need to resolve domain names in the area over which this server is authoritative;

The recursive server is responsible for receiving recursive DNS queries from local clients and consulting external servers in order to obtain answers to the queries made.
DNS RFC'S

DNS has its roots in RFCs 882 and 883 and was updated in RFCs 1034 and 1035.

http://tools.ietf.org/html/rfc1034
http://tools.ietf.org/html/rfc1035
THE DNS ROOT SERVER
THERE IS JUST ONE DNS ROOT SERVER, AND IT HAS BEEN REPLICATED 13 TIMES.

The root table has only one entry for each existing Top Level Domain. Top Level Domains are of two types: gTLDs (Generic Top Level Domains - generic domains used worldwide) and ccTLDs (Country Code Top Level Domains - domain extensions administered by countries).
THE DNS ROOT SERVER WORLD MAP
OPERATION OF DNS SERVER
WHY ARE DNS SERVERS COMPROMISED?

DOS and DDOS ATTACKS;
allow-recursion { any; }; (an open resolver that answers recursive queries for anyone)

DNS CACHE POISONING;
A forged answer only gets into the cache if all of the following match the outstanding query:
- the response arrives on the same UDP port the query was sent from;
- the QUESTION section repeats the real question;
- the QUERY ID matches the question;
- the names in the AUTHORITY and ADDITIONAL sections belong to the same domain as the QUERY.
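As an added illustration (not part of the slides), the acceptance checks a caching resolver applies to an incoming UDP answer: the four conditions above plus the rule that AUTHORITY/ADDITIONAL owner names stay inside the queried zone ("bailiwick"); a response failing any of them is dropped instead of cached. The PendingQuery/Response classes and the sample messages are constructed for this example, not taken from BIND.

```python
# Added example: resolver-side checks before a UDP answer is accepted.
# The classes below are this example's own data model, not a real resolver API.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class PendingQuery:
    """What the resolver remembers about a question it sent out."""
    query_id: int          # 16-bit transaction ID
    src_port: int          # UDP source port the query left from
    qname: str             # owner name asked for, e.g. "www.bsidesp.utah.net.br."
    qtype: str             # record type asked for, e.g. "A"
    zone: str              # zone the queried server is authoritative for


@dataclass
class Response:
    """Fields of a received answer that matter for the acceptance checks."""
    query_id: int
    dst_port: int          # UDP port the response arrived on
    qname: str
    qtype: str
    authority: List[Tuple[str, str]] = field(default_factory=list)   # (owner, rdata)
    additional: List[Tuple[str, str]] = field(default_factory=list)  # (owner, rdata)


def normalize(name: str) -> str:
    """Case-insensitive comparison, always fully qualified (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True when `name` is `zone` itself or a subdomain of it."""
    name, zone = normalize(name), normalize(zone)
    return name == zone or name.endswith("." + zone)


def check_response(pending: PendingQuery, resp: Response) -> Tuple[bool, str]:
    """Return (accepted, reason). Port, ID and question must match the pending
    query, and every AUTHORITY/ADDITIONAL owner must stay inside the queried
    zone; otherwise the whole response is discarded, nothing is cached."""
    if resp.dst_port != pending.src_port:
        return False, "UDP port does not match the query"
    if resp.query_id != pending.query_id:
        return False, "query ID does not match"
    if normalize(resp.qname) != normalize(pending.qname) or resp.qtype.upper() != pending.qtype.upper():
        return False, "QUESTION section does not repeat the real question"
    for section, records in (("AUTHORITY", resp.authority), ("ADDITIONAL", resp.additional)):
        for owner, _ in records:
            if not in_bailiwick(owner, pending.zone):
                return False, f"{section} record for {owner} is outside {pending.zone}"
    return True, "accepted"


# Constructed sample: a query for the slides' zone and two candidate answers.
PENDING = PendingQuery(query_id=0x1F2E, src_port=41234,
                       qname="www.bsidesp.utah.net.br.", qtype="A",
                       zone="bsidesp.utah.net.br.")

GENUINE = Response(query_id=0x1F2E, dst_port=41234,
                   qname="www.bsidesp.utah.net.br.", qtype="A",
                   authority=[("bsidesp.utah.net.br.", "NS moe.bsidesp.utah.net.br.")],
                   additional=[("moe.bsidesp.utah.net.br.", "A 189.99.99.9")])

# Same port, ID and question, but it carries an ADDITIONAL record for a name
# in another zone: the bailiwick rule rejects it, so nothing reaches the cache.
OUT_OF_BAILIWICK = Response(query_id=0x1F2E, dst_port=41234,
                            qname="www.bsidesp.utah.net.br.", qtype="A",
                            authority=[("bsidesp.utah.net.br.", "NS moe.bsidesp.utah.net.br.")],
                            additional=[("www.example.com.", "A 203.0.113.7")])

if __name__ == "__main__":
    for label, r in (("genuine", GENUINE), ("out-of-bailiwick", OUT_OF_BAILIWICK)):
        print(label, check_response(PENDING, r))
```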
Mitigation
TSIG / DNSSEC WHAT IS IT ?

TSIG - Transaction Signatures (RFC 2845)

Traffic signed with a shared (symmetric) key between two parties
Used mainly in zone transfers (master and slave)
TSIG / DNSSEC WHAT IS IT ?

The mechanism used by DNSSEC is based on cryptographic signatures. DNSSEC uses a system of asymmetric keys.

This means that the owner of a DNSSEC-enabled domain has a pair of electronic keys consisting of a private key and a public key.
DNS VS DNSSEC
PRACTICE: DNS SERVER

#CHROOT JAIL
CHROOT: BIND IN A CHROOT JAIL
/ (host)        /chroot (debootstrap jail)    /chroot/var/lib/named (BIND's own jail)
  bin             bin                           dev
  boot            boot                          etc
  chroot          dev                             bind
  dev             etc                           lib
  etc             home                          var
  home            lib
  lib             mnt
  mnt             opt
  opt             proc
  proc            root
  root            sbin
  sbin            tmp
  tmp             usr
  usr             var
  var               lib
                      named
MAKE A CHROOT JAIL
Operating System: Debian
Version Name: Squeeze
Version Release: 6.0.5
Architecture: x86_64
Directory: /chroot

root@moe:~# apt-get install debootstrap

root@moe:~# mkdir -p /chroot
root@moe:~# cd /chroot
root@moe:/chroot# debootstrap squeeze .
SOLVING FUTURE JAIL PROBLEMS
01 - Mount the /dev and /dev/pts devices inside the jail

root@moe:~# mount --bind /dev /chroot/dev
root@moe:~# mount --bind /dev/pts /chroot/dev/pts

02 - Enter the CHROOT jail

root@moe:~# cd ..
root@moe:~# chroot /chroot
INSTALL PACKAGES
root@moe:~# apt-get install sysklogd openssh-server vim bind9

MAIN BIND9 CONFIG FILES

/etc/bind
/etc/default/bind9   (the Debian package's defaults file; the slide had it as /etc/default/bind)

BIND9 INIT SCRIPT

/etc/init.d/bind9
MAKE DIRECTORIES
root@moe:~# mkdir -p /var/lib/named

root@moe:~# mkdir -p /var/lib/named/etc/bind

root@moe:~# mkdir -p /var/lib/named/dev

root@moe:~# mkdir -p /var/lib/named/var/cache/bind

root@moe:~# mkdir -p /var/lib/named/var/run/bind/run

root@moe:~# mkdir -p /var/lib/named/var/run/named

root@moe:~# mkdir -p /var/lib/named/lib
EDIT DEFAULT FILES
root@moe:~# vi /etc/default/bind9

Change:

OPTIONS="-u bind"

To:

OPTIONS="-u bind -t /var/lib/named"

root@moe:~# vi /etc/init.d/bind9

Change:

OPTIONS="-u bind"

To:

OPTIONS="-u bind -t /var/lib/named"
COPY BIND PACKAGE FILES

root@moe:~# cp -R /etc/bind/* /var/lib/named/etc/bind/

CHANGE DEFAULT OWNER USER AND GROUP

root@moe:~# chown -R bind:bind /var/lib/named
CREATE DEVICE FILES (character devices named needs inside the jail)

root@moe:~# cd /var/lib/named/dev

root@moe:/var/lib/named/dev# mknod null c 1 3

root@moe:/var/lib/named/dev# mknod random c 1 8

root@moe:/var/lib/named/dev# mknod zero c 1 5

root@moe:/var/lib/named/dev# mknod urandom c 1 9
RESTART BIND9 SERVICE



root@moe:~# invoke-rc.d bind9 restart
MAIN CONFIGURE FILES

    named.conf
    named.conf.options
    zones/db.direta.interna
    zones/db.reversa.interna
    zones/db.direta.externa
    zones/db.reversa.externa
ACLS AND VIEWS CONCEPT



      ACL – Access Control List

               Views
CONFIGURE NAMED.CONF
acl intranet { 192.168.0.0/16; };
acl extranet { 0.0.0.0/0; };
CONFIGURE NAMED.CONF
view bsidesplocal {
    match-clients { "intranet"; };

    zone "bsidesp.utah.net.br" {
        type master;
        file "/etc/bind/zones/db.interna.direta";
        allow-transfer { 192.168.0.220; };
        update-policy local;
        key-directory "/etc/bind/zones/keys";
        also-notify { 192.168.0.220; };
        notify yes;
    };

    zone "0.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/db.interna.reversa";
        allow-transfer { 192.168.0.220; };
        update-policy local;
        key-directory "/etc/bind/zones/keys";
        also-notify { 192.168.0.220; };
        notify yes;
    };
};
CONFIGURE NAMED.CONF
view bsidespweb {
    match-clients { "extranet"; };

    zone "bsidesp.utah.net.br" {
        type master;
        file "/etc/bind/zones/db.externa.direta";
        allow-transfer { 189.99.99.9; };
        update-policy local;
        key-directory "/etc/bind/zones/keys";
        also-notify { 189.99.99.9; };
        notify yes;
    };

    zone "99.99.199.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/db.externa.reversa";
        allow-transfer { 189.99.99.9; };
        update-policy local;
        key-directory "/etc/bind/zones/keys";
        also-notify { 189.99.99.9; };
        notify yes;
    };
};
NAMED.CONF GLOSSARY

Line beginning with '//' = commented line
include = includes the specified file
acl = defines an Access Control List
zone = defines a zone
type = defines the type of zone (master, slave, ...)
file = full path of the zone's data file
allow-transfer = sets which slave servers may receive (transfer) this zone from this server
update-policy local = allows automatic local dynamic updates; in our case it is used so that BIND can re-sign the zone automatically before the signatures expire
key-directory = the directory that holds the zone keys required for update-policy to succeed
also-notify = makes the master server send update notifications to the listed slave server (the slides note: every time bind restarts)
notify = defines whether or not zone change notifications are sent
DB.ZONES FILES

root@moe:~# mkdir /var/lib/named/etc/bind/zones

root@moe:~# chown bind.bind /var/lib/named/etc/bind/zones
DIRECT ZONE EXAMPLE
$TTL 86400
@    IN SOA    moe.bsidesp.utah.net.br. root.bsidesp.utah.net.br. (
                2012101801 ; Serial
                1200       ; Refresh
                2400       ; Retry
                4800       ; Expire
                1209600 )  ; Negative Cache TTL
;
@        IN   NS     moe.bsidesp.utah.net.br.
@        IN   NS     homer.bsidesp.utah.net.br.
@        IN   MX     5   moe.bsidesp.utah.net.br.
@        IN   MX     10  homer.bsidesp.utah.net.br.
@        IN   A      189.100.100.10
@        IN   A      189.99.99.9

moe      IN   A      189.99.99.9
homer    IN   A      187.100.100.10
ftp      IN   CNAME  homer.bsidesp.utah.net.br.
pop      IN   CNAME  homer.bsidesp.utah.net.br.   ; trailing dot added: without it the target is read relative to the zone
REVERSE ZONE EXAMPLE
$TTL 86400
@    IN SOA    moe.bsidesp.utah.net.br. root.bsidesp.utah.net.br. (
                2012101801 ; Serial
                1200       ; Refresh
                2400       ; Retry
                4800       ; Expire
                1209600 )  ; Negative Cache TTL
;
@        IN   NS    moe.bsidesp.utah.net.br.
@        IN   NS    homer.bsidesp.utah.net.br.
@        IN   MX    5    moe.bsidesp.utah.net.br.
@        IN   MX    10   homer.bsidesp.utah.net.br.

9        IN   PTR   moe.bsidesp.utah.net.br.
10       IN   PTR   homer.bsidesp.utah.net.br.
10       IN   PTR   www.bsidesp.utah.net.br.
10       IN   PTR   ftp.bsidesp.utah.net.br.
10       IN   PTR   pop.bsidesp.utah.net.br.
GLOSSARY ZONE FILE
TTL = time in seconds that a record of the zone remains in a caching server;

Serial Number = reference used by a SLAVE server to tell whether the zone file has changed;

Refresh = time in seconds that the secondary server waits before checking the primary server for updates;

Retry = time in seconds to wait after a failed refresh until the next check;

Expire = time in seconds that the secondary server keeps answering for the zone while the primary server is unreachable; once this time is exhausted the secondary server also stops answering for the zone;

Negative Cache TTL = time for which a caching server stores a negative answer (NXDOMAIN) from the zone before starting a new recursive lookup;

NS = Name Server
A = Host (IP)
MX = Mail Exchanger (mail server)
Alias = aliases (CNAME) come at the end of the file, as above; they are the nicknames defined in the zone, such as www, ftp, smtp, etc.
CLOSE RECURSIVE QUERIES

root@moe:~# vi /var/lib/named/etc/bind/named.conf.options

options {
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    allow-query { intranet; extranet; };   // the ACLs defined in named.conf (the slide used the undefined names internals/externals)
    allow-recursion { intranet; };         // recursion only for local clients: no open resolver
    dnssec-enable yes;
};
MAKE KEY DNSSEC

root@moe:~# mkdir /var/lib/named/etc/bind/zones/keys

root@moe:~# chown bind:bind /var/lib/named/etc/bind/zones/keys

root@moe:/var/lib/named/etc/bind/zones/keys# dnssec-keygen -r /dev/urandom -f KSK -a RSAMD5 -b 2048 -K /var/lib/named/etc/bind/zones/keys -n ZONE bsidesp.utah.net.br
GLOSSARY OPTIONS

-r = randomness source device
-f = key flag: KSK (Key Signing Key)
-a = signing algorithm (the slides use RSAMD5, algorithm 1, which is the "1" in the DS line shown later; RSAMD5 has since been deprecated, RFC 6725 lists it as must-not-implement and current BIND releases no longer support it, so a new deployment should use RSASHA256, algorithm 8)
-b = key size in bits
-K = key directory
-n = name type: ZONE
SIGN ZONES

root@moe:/var/lib/named/etc/bind/zones/keys# dnssec-signzone -S -z -K /var/lib/named/etc/bind/zones/keys -N unixtime -o bsidesp.utah.net.br /var/lib/named/etc/bind/zones/db.externa.direta
GLOSSARY OPTIONS

-S = smart signing: looks up the zone's keys in the key directory;
-z = ignores the KSK (SEP) flag and signs the whole zone with all keys;
-K = directory of the keys;
-N = SOA serial format; in our case we use 'unixtime' so that the serial is incremented with each signing;
-o = zone origin, followed by the zone file to sign (the output is written to <zone file>.signed).
CHANGE NAMED.CONF
view bsidespweb {
    match-clients { "extranet"; };

    zone "bsidesp.utah.net.br" {
        type master;
        file "/etc/bind/zones/db.externa.direta.signed";
        allow-transfer { 189.99.99.9; };
        update-policy local;
        key-directory "/etc/bind/zones/keys";
        also-notify { 189.99.99.9; };
        notify yes;
    };

    zone "99.99.199.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/db.externa.reversa.signed";
        allow-transfer { 189.99.99.9; };
        update-policy local;
        key-directory "/etc/bind/zones/keys";
        also-notify { 189.99.99.9; };
        notify yes;
    };
};
PUBLISH THE DS IN REGISTRO.BR
GET KEYTAG AND DIGEST

dnssec-signzone writes the DS set to a file named dsset-<zone>. in the directory it was run from (the keys directory above):

root@moe:/var/lib/named/etc/bind/zones/keys# head -1 dsset-bsidesp.utah.net.br.

bsidesp.utah.net.br IN DS 51074 1 1 D836A983AE90B051414E88D62379A94C9C9F71DD

Keytag = 51074
Digest = D836A983AE90B051414E88D62379A94C9C9F71DD
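The key tag and digest read from the dsset file are deterministic functions of the zone's DNSKEY; the following is an added example (not part of the presentation or of BIND) showing how both are derived per RFC 4034, including the special key-tag rule for algorithm 1 (RSAMD5) that the slides use. The DNSKEY material is constructed test data whose last modulus octets are chosen so the tag comes out as the slides' 51074; the digest it yields is therefore not the one on the slide.

```python
# Added example: computing the DS record (key tag + digest) from a DNSKEY,
# following RFC 4034 Appendix B (key tag) and section 5.1.4 (DS digest).
# The public key below is constructed test data, not the presenter's real key.
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels,
    terminated by the zero-length root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B. Algorithm 1 (RSAMD5, as on the slides) is the
    special case B.1: the tag is the middle and high octets of the least
    significant 24 bits of the modulus, i.e. the third- and second-to-last
    octets of the RDATA. Every other algorithm uses the 16-bit word sum."""
    algorithm = rdata[3]
    if algorithm == 1:
        return (rdata[-3] << 8) | rdata[-2]
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), upper-case hex.
    Digest type 1 is SHA-1 (the "1 1" on the slides' DS line), type 2 is SHA-256."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str, digest_type: int = 1) -> str:
    """Build the presentation-format DS line from the DNSKEY fields, in the
    '<owner> IN DS <keytag> <alg> <digesttype> <digest>' layout of a dsset- file."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    owner = owner.lower().rstrip(".") + "."
    return (f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} "
            f"{ds_digest(owner, rdata, digest_type)}")


# Constructed RSAMD5 (algorithm 1) public key in DNSKEY layout: exponent length 1,
# exponent 3, then a dummy modulus whose last three octets are C7 82 55, so that
# the key tag equals the slides' 51074 (0xC782). The key is meaningless test data.
SAMPLE_PUBKEY = bytes([0x01, 0x03]) + bytes(range(0x10, 0x30)) + bytes([0xC7, 0x82, 0x55])
SAMPLE_PUBKEY_B64 = base64.b64encode(SAMPLE_PUBKEY).decode("ascii")

if __name__ == "__main__":
    print(ds_record("bsidesp.utah.net.br.", 257, 3, 1, SAMPLE_PUBKEY_B64, 1))
    print(ds_record("bsidesp.utah.net.br.", 257, 3, 1, SAMPLE_PUBKEY_B64, 2))
```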
QUESTIONS ?

SPECIAL THANKS

ISAIAS SOUZA SILVA
SOURCES OF RESEARCH

BIND9 PROJECT
https://www.isc.org/software/bind

REGISTRO.BR
www.registro.br

QGSEG
http://www.qgseg.com.br/

WIKIPEDIA
http://pt.wikipedia.org

More Related Content

Similar to DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL

Similar to DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL (20)

Dns
DnsDns
Dns
 
DNS for Developers - NDC Oslo 2016
DNS for Developers - NDC Oslo 2016DNS for Developers - NDC Oslo 2016
DNS for Developers - NDC Oslo 2016
 
Domain Name System(ppt)
Domain Name System(ppt)Domain Name System(ppt)
Domain Name System(ppt)
 
DNS for Developers - ConFoo Montreal
DNS for Developers - ConFoo MontrealDNS for Developers - ConFoo Montreal
DNS for Developers - ConFoo Montreal
 
Dns
DnsDns
Dns
 
Dns
DnsDns
Dns
 
DNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamDNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul Islam
 
Domain Name Server
Domain Name ServerDomain Name Server
Domain Name Server
 
DNS – Domain Name Service
DNS – Domain Name ServiceDNS – Domain Name Service
DNS – Domain Name Service
 
DNS - Domain Name System
DNS - Domain Name SystemDNS - Domain Name System
DNS - Domain Name System
 
DNS
DNSDNS
DNS
 
Hands-on DNSSEC Deployment
Hands-on DNSSEC DeploymentHands-on DNSSEC Deployment
Hands-on DNSSEC Deployment
 
Introduction
IntroductionIntroduction
Introduction
 
Linux administration ii-parti
Linux administration ii-partiLinux administration ii-parti
Linux administration ii-parti
 
DNS Configuration
DNS ConfigurationDNS Configuration
DNS Configuration
 
Design of a campus network
Design of a campus networkDesign of a campus network
Design of a campus network
 
DNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxDNS_Tutorial 2.pptx
DNS_Tutorial 2.pptx
 
DNSPresentation.pptx
DNSPresentation.pptxDNSPresentation.pptx
DNSPresentation.pptx
 
Rhel4
Rhel4Rhel4
Rhel4
 
DNS - MCSE 2019
DNS - MCSE 2019DNS - MCSE 2019
DNS - MCSE 2019
 

Recently uploaded

CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuidePixlogix Infotech
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data SciencePaolo Missier
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceIES VE
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...caitlingebhard1
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingWSO2
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)Samir Dash
 
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard37
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 

Recently uploaded (20)

CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational Performance
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation Computing
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 

DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL

  • 2. WHO WE ARE? FIRST SCHOOL AND CONSULTING LINUX IN BRAZIL. 17 YEARS OF PRATICE IN LINUX 12 YEARS WITH BEST LINUX IN BRAZIL MORE THAN 50.000 STUDENTS TRAINED MORE THEAN 5.000 CLIENTS TO DIFERENT PROJECTS LPI-C ATP IN BRAZIL MORE: www.utah.com.br
  • 3. SOCIAL MEDIA Follow! @fabioandpires Follow! @utah_networxs Enjoy! Utah Networxs
  • 4. Speaker: Fabio Pires Mini Curriculum: Graduated in Computer Science Graduated in Bachelor of Computing Post Graduate in Project Analysis and Systems - FATEC Post Graduate in S.O. Linux - UFLA LPIC Teacher of Undergraduate and Graduate Twitter in Spare Time Contact: fpires@utah.com.br
  • 5. WHAT IS DNS SERVER ? “DNS – DOMAIN NAME SYSTEM” Management system is a hierarchical name and distributed operating on two definitions: 1 - Review and update your database. 2 - Resolve domain names into network addresses (IPs).
  • 6. TYPE OF DNS ? The authoritative is responsible for keeping the maps referring to a local area and respond to requests coming from machines around the world, they need to resolve domain names in the area over which this server is authoritative; The Recursive What is responsible for receiving recursive DNS queries from local clients and consult with external servers, in order to obtain answers to queries made.
  • 7. DNS RFC'S The roots in RFCs 882 and 883, and was updated in RFCs 1034 and 1035. http://tools.ietf.org/html/rfc1034 http://tools.ietf.org/html/rfc1035
  • 8. THE DNS ROOT SERVER THERE IS JUST A DNS SERVER ROOT AND THIS WAS 13 TIMES REPLICATED. The Table has only one entry for each existing Top Level Domain. The Top Level Domains are of two types: gTLDs (Generic Top Level Domains - generic domains used worldwide) and ccTLDs (Country Code Top Level Domains - domain extensions administered by countries).
  • 9. THE DNS ROOT SERVER WORD MAP
  • 11. WHY DNS SERVER ARE COMPROMISED? DOS and DDOS ATACKS; Recursion { any; }; DNS CACHE POISONING; Reponse Same UDP Port QUESTION section refered true question QUERY ID fits QUESTION Section AUTHORITY and ADDITIONAL name is the same domain QUERY
  • 12. Mitigation TSIG / DNSSEC WHAT IS IT ? TSIG – Transations Signatures (RFC 2845) Traffic signed with a shared key (simetric) between two shares Used mainly in zone transfers (master and slave) same domain QUERY
  • 13. TSIG / DNSSEC WHAT IS IT ? The mechanism used by DNSSEC is based on technology that employs cryptographic signatures. DNSSEC uses a system of asymmetric keys. This means that someone with a domain compatible with DNSSEC has a pair of electronic keys consisting of a private key and a public key.
  • 15. PRATICE DNS SERVER #CHROOT JAIL
  • 16. CHROOT BIND IN CHROOT JAIL / bin boot bin chroot boot dev dev etc etc home home lib lib mnt mnt opt opt proc proc root root sbin sbin dev tmp tmp etc bind usr usr lib var var lib named var
  • 17. MAKE A CHROOT JAIL Operational System: Debian Version Name: Squeeze Version Release: 6.0.5 Architeture: x86_64 Diretory: /chroot root@moe:~# apt-get install debootstrap root@moe:~# cd /chroot root@moe:~# debootstrap squeeze .
  • 18. SOLVED FUTURE JAIL PROBLEMS 01 – Mount /dev/ and /dev/pts devices root@moe:~# mount --bind /dev /chroot/dev root@moe:~# mount --bind /dev/pts /chroot/dev/pts 02 – Set CHROOT jail root@moe:~# cd .. root@moe:~# chroot /chroot
  • 19. INSTALL PACKAGES root@moe:~# apt-get install sysklogd openssh-server vim bind9 MAIN CONFIG BIND9 FILES /etc/bind /etc/default/bind BIND9 SCRIPT INIT /etc/init.d/bind9
  • 20. MAKE DIRECTORIES root@moe:~# mkdir -p /var/lib/named root@moe:~# mkdir -p /var/lib/named/etc/bind root@moe:~# mkdir -p /var/lib/named/dev root@moe:~# mkdir -p /var/lib/named/var/cache/bind root@moe:~# mkdir -p /var/lib/named/var/run/bind/run root@moe:~# mkdir -p /var/lib/named/var/run/named root@moe:~# mkdir -p /var/lib/named/lib
  • 21. EDIT DEFAULT FILES root@moe:~# vi /etc/bind/default Change: OPTIONS=”-u bind” To: OPTIONS=”-u bind -t /var/lib/named” root@moe:~# vi /etc/init.d/bind9 Change: OPTIONS=”-u bind” To: OPTIONS=”-u bind -t /var/lib/named”
  • 22. COPY BIND PACKAGE FILES root@moe:~# cp –R /etc/bind/* /var/lib/named/etc/bind/ CHANGE DEFAUL OWNER USER AND GROUP root@moe:~# chown –R bind.bind /var/lib/named
  • 23. CREATE BLOCK FILES root@moe:~# cd /var/lib/named/dev root@moe:~# mknod null c 1 3 root@moe:~# mknod random c 1 8 root@moe:~# mknod zero c 1 5 root@moe:~# mknod urandom c 1 9
  • 24. RESTART BIND9 SERVICE root@moe:~# invoke-rc.d bind9 restart
  • 25. MAIN CONFIGURE FILES  named.conf  named.conf.options  zones/db.direta.interna  zones/db.reversa.interna  zones/db.direta.externa  zones/db.reversa.externa
  • 26. ACLS AND VIEWS CONCEPT ACL – Access Control List Views
  • 27. CONFIGURE NAMED.CONF acl intranet { 192.168.0.0/16; }; acl extranet { 0.0.0.0/0; };
  • 28. CONFIGURE NAMED.CONF view bsidesplocal { match-clients { "intranet" ;}; zone "bsidesp.utah.net.br" { type master; file "/etc/bind/zones/db.interna.direta"; allow-transfer { 192.168.0.220; }; update-policy local; key-directory "/etc/bind/zones/keys"; also-notify { 192.168.0.220; }; notify yes; }; zone "0.168.192.in-addr.arpa" { type master; file "/etc/bind/zones/db.interna.reversa"; allow-transfer { 192.168.0.220; }; update-policy local; key-directory "/etc/bind/zones/keys"; also-notify { 192.168.0.220; }; notify yes; }; };
  • 29. CONFIGURE NAMED.CONF view bsidespweb { match-clients { "extranet" ;}; zone "bsidesp.utah.net.br" { type master; file "/etc/bind/zones/db.externa.direta"; allow-transfer { 189.99.99.9; }; update-policy local; key-directory "/etc/bind/zones/keys"; also-notify { 189.99.99.9; }; notify yes; l }; zone "99.99.199.in-addr.arpa" { type master; file "/etc/bind/zones/db.externa.reversa"; allow-transfer { 189.99.99.9; }; update-policy local; key-directory "/etc/bind/zones/keys"; also-notify { 189.99.99.9; }; notify yes; }; };
  • 30. NAMED.CONF GLOSSARY Line beginning with '/ /' = commented line include = Includes the specified file acl = Defines an Access List Zone = Sets a Zone type = Defines the type of zone file = Shows the full path of the configuration of the zone allow-transfer servers = Sets Slaves to receive updates from this server update-policy local = Line used to update automatic spot in our case used to re-sign zones automatically expire before the keys key-directory = Indicates the directory that contains the key areas necessary to update-policy is successful also-notify = Indicates that the master server sends updates to the slave server every time bind restarts Notify = defines whether or not there will be no notifications area
• 31. ZONE FILE DIRECTORY
  root@moe:~# mkdir /var/lib/named/etc/bind/zones
  root@moe:~# chown bind:bind /var/lib/named/etc/bind/zones
  (/var/lib/named is the chroot used here, so the paths written in named.conf are the ones without that prefix.)
• 32. FORWARD ZONE EXAMPLE
  $TTL 86400
  @ IN SOA moe.bsidesp.utah.net.br. root.bsidesp.utah.net.br. (
          2012101801 ; Serial
          1200       ; Refresh
          2400       ; Retry
          4800       ; Expire
          1209600 )  ; Negative Cache TTL
  ;
  @      IN NS    moe.bsidesp.utah.net.br.
  @      IN NS    homer.bsidesp.utah.net.br.
  @      IN MX 5  moe.bsidesp.utah.net.br.
  @      IN MX 10 homer.bsidesp.utah.net.br.
  @      IN A     189.100.100.10
  @      IN A     189.99.99.9
  moe    IN A     189.99.99.9
  homer  IN A     187.100.100.10
  ftp    IN CNAME homer.bsidesp.utah.net.br.
  pop    IN CNAME homer.bsidesp.utah.net.br.
  Every fully qualified name in a zone file must end with a dot; a target written as homer.bsidesp.utah.net.br (no trailing dot) is relative to the origin and becomes homer.bsidesp.utah.net.br.bsidesp.utah.net.br.
• 33. REVERSE ZONE EXAMPLE
  $TTL 86400
  @ IN SOA moe.bsidesp.utah.net.br. root.bsidesp.utah.net.br. (
          2012101801 ; Serial
          1200       ; Refresh
          2400       ; Retry
          4800       ; Expire
          1209600 )  ; Negative Cache TTL
  ;
  @   IN NS    moe.bsidesp.utah.net.br.
  @   IN NS    homer.bsidesp.utah.net.br.
  @   IN MX 5  moe.bsidesp.utah.net.br.
  @   IN MX 10 homer.bsidesp.utah.net.br.
  9   IN PTR   moe.bsidesp.utah.net.br.
  10  IN PTR   homer.bsidesp.utah.net.br.
  10  IN PTR   www.bsidesp.utah.net.br.
  10  IN PTR   ftp.bsidesp.utah.net.br.
  10  IN PTR   pop.bsidesp.utah.net.br.
  In a reverse zone the owner names are the last octet of the address (9 and 10 under 99.99.189.in-addr.arpa); MX records serve no purpose here and can be dropped.
• 34. ZONE FILE GLOSSARY
  $TTL = default time, in seconds, that resolvers may keep the zone's records in cache
  Serial = version number of the zone; a secondary only transfers the zone when the primary's serial compares greater than the one it holds (RFC 1982 arithmetic), so it must be increased on every change
  Refresh = seconds a secondary waits before checking the primary for a new serial
  Retry = seconds a secondary waits after a failed refresh before trying again
  Expire = seconds a secondary keeps answering for the zone after it last reached the primary; once exceeded it stops serving the zone (RFC 1912 suggests two to four weeks; the 4800 on the example slide is far too short, and retry should be shorter than refresh, not longer as shown)
  Negative Cache TTL = the last SOA field, how long resolvers may cache a negative answer (NXDOMAIN or NODATA) for a name in this zone, per RFC 2308; one to three hours is the usual range, and the 1209600 (two weeks) above means a newly created name stays invisible to resolvers that looked it up before it existed
  NS = name server for the zone
  A = IPv4 address of a host
  MX = mail exchanger, with its preference (lower is tried first)
  CNAME = alias (canonical name); the aliases at the end of the file (www, ftp, pop, smtp, ...) point at the host that really carries the service
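The two zone-file points above (names without a trailing dot get the origin appended, and the SOA timers need sanity checking) are easier to see in code than in prose. The following is an added example written for this page, not the author's or BIND's code. It parses a constructed copy of the forward zone from the slides, using the same simplified format (one record per line, parenthesised SOA, ';' comments, '@' for the origin) and assuming the origin bsidesp.utah.net.br that named.conf supplies, qualifies every owner and target name the way named does, and reports the timer values against RFC 1912 / RFC 2308 guidance.

```python
"""Added example (not from the slides): qualify names in a BIND zone file and
lint the SOA timers. ZONE_TEXT is a constructed copy of the forward zone on
these slides; the origin is assumed to be bsidesp.utah.net.br, which in BIND
comes from the zone statement in named.conf, not from the file itself."""
import re

ZONE_TEXT = """\
$TTL 86400
@ IN SOA moe.bsidesp.utah.net.br. root.bsidesp.utah.net.br. (
        2012101801 ; Serial
        1200       ; Refresh
        2400       ; Retry
        4800       ; Expire
        1209600 )  ; Negative Cache TTL
@    IN NS    moe.bsidesp.utah.net.br.
@    IN MX 5  moe.bsidesp.utah.net.br.
moe  IN A     189.99.99.9
ftp  IN CNAME homer.bsidesp.utah.net.br.
pop  IN CNAME homer.bsidesp.utah.net.br
"""


def qualify(name, origin):
    """Zone-file name rules: '@' is the origin, a trailing dot means the name
    is already absolute, anything else is relative and gets the origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (records, soa): records as (owner, type, rdata) with owner and
    hostname rdata fully qualified, soa as the five SOA integers."""
    if not origin.endswith("."):
        origin += "."
    # Drop ';' comments line by line, then fold parenthesised multi-line
    # records (the SOA) onto a single line so they tokenize normally.
    stripped = "\n".join(re.sub(r";.*", "", ln) for ln in text.splitlines())
    folded = re.sub(r"\(([^)]*)\)", lambda m: m.group(1).replace("\n", " "), stripped)
    records, soa, last_owner = [], None, origin
    for line in folded.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("$"):   # blank or $TTL/$ORIGIN
            continue
        if line[0].isspace():                          # blank owner: reuse the previous one
            owner = last_owner
        else:
            owner = qualify(tokens.pop(0), origin)
        last_owner = owner
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in ("NS", "CNAME"):
            rdata = [qualify(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [rdata[0], qualify(rdata[1], origin)]
        elif rtype == "SOA":
            rdata = [qualify(rdata[0], origin), qualify(rdata[1], origin)] + rdata[2:]
            soa = tuple(int(v) for v in rdata[2:7])
        records.append((owner, rtype, " ".join(rdata)))
    return records, soa


def double_origin(records, origin):
    """Owners whose target carries the origin twice: the classic symptom of a
    CNAME/NS/MX target written without its trailing dot."""
    return [owner for owner, rtype, rdata in records
            if rtype in ("CNAME", "NS", "MX") and rdata.count(origin) > 1]


def lint_soa(refresh, retry, expire, minimum):
    """Timer checks a practitioner runs before publishing a zone
    (RFC 1912 section 2.2 for expire/retry, RFC 2308 for the minimum field)."""
    problems = []
    if retry >= refresh:
        problems.append("retry should be shorter than refresh")
    if expire < 14 * 86400:
        problems.append("expire under two weeks: secondaries stop serving the zone "
                        "shortly after the primary becomes unreachable")
    if expire <= refresh + retry:
        problems.append("expire must exceed refresh + retry")
    if minimum > 3 * 3600:
        problems.append("negative cache TTL above 3 hours: NXDOMAIN answers for "
                        "new names stay cached far too long")
    return problems


if __name__ == "__main__":
    recs, soa = parse_zone(ZONE_TEXT, "bsidesp.utah.net.br")
    for rec in recs:
        print(rec)
    print("targets qualified twice:", double_origin(recs, "bsidesp.utah.net.br."))
    print("SOA timer problems:", lint_soa(*soa[1:]))
```

Running it shows the pop record resolving to homer.bsidesp.utah.net.br.bsidesp.utah.net.br. and three timer complaints for the values on the slide; named-checkzone reports the same kind of problems on a real file, but this makes the rule visible.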
• 36. CLOSE RECURSION TO OUTSIDE CLIENTS
  root@moe:~# vi /var/lib/named/etc/bind/named.conf.options
  auth-nxdomain no;    # conform to RFC1035
  listen-on-v6 { any; };
  allow-query { intranet; extranet; };
  allow-recursion { intranet; };
  dnssec-enable yes;
  The ACL names must be the ones declared in named.conf (intranet and extranet on these slides); named refuses to start if allow-query or allow-recursion refers to an undefined ACL. allow-query lets anyone ask for the authoritative data, while allow-recursion limits recursive lookups to the LAN, so the server cannot be used as an open resolver for amplification attacks. dnssec-enable yes is the default in BIND 9 (and the option was removed in later 9.x releases); what makes the recursive side actually validate answers is dnssec-validation auto.
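Both the view selection (slides 27 to 29) and the allow-recursion decision above depend on the same rule: BIND walks an address match list in order and the first element that matches decides. The following is an added example for this page, not BIND's own code, that models that rule in Python on the ACLs and views from the slides (constructed data; it assumes allow-recursion refers to the intranet ACL, since the options slide names an ACL that is never declared). It also shows what happens when the view order is swapped.

```python
"""Added example (not from the slides): first-match evaluation of BIND ACLs,
views and allow-recursion, modelled on the named.conf of this presentation."""
import ipaddress

# ACLs from the slides (constructed data). 'extranet' matches every IPv4 host.
ACLS = {
    "intranet": ["192.168.0.0/16"],
    "extranet": ["0.0.0.0/0"],
}

# Views in named.conf order with their match-clients lists (constructed data).
VIEWS = [
    ("bsidesplocal", ["intranet"]),
    ("bsidespweb", ["extranet"]),
]

# options { allow-recursion { intranet; }; } -- assumed to use the declared ACL.
ALLOW_RECURSION = ["intranet"]


def _as_addr(addr):
    if isinstance(addr, (ipaddress.IPv4Address, ipaddress.IPv6Address)):
        return addr
    return ipaddress.ip_address(addr)


def _element_verdict(element, addr, acls):
    """True = accept, False = deny, None = this element does not match addr."""
    negate = element.startswith("!")
    if negate:
        element = element[1:].strip()
    if element in acls:                       # nested ACL by name
        hit = acl_match(acls[element], addr, acls)
    elif element == "any":
        hit = True
    elif element == "none":
        hit = False
    else:                                     # prefix or single address
        hit = addr in ipaddress.ip_network(element, strict=False)
    if not hit:
        return None
    return not negate


def acl_match(elements, addr, acls=ACLS):
    """Walk the list in order; first matching element decides. A list that
    matches nothing denies, which is BIND's implicit trailing '!any'."""
    addr = _as_addr(addr)
    for element in elements:
        verdict = _element_verdict(element, addr, acls)
        if verdict is not None:
            return verdict
    return False


def select_view(client_ip, views=VIEWS, acls=ACLS):
    """Views are tried in named.conf order; the first whose match-clients
    accepts the client serves it. Returns the view name or None."""
    for name, match_clients in views:
        if acl_match(match_clients, client_ip, acls):
            return name
    return None


def recursion_allowed(client_ip, allow_recursion=ALLOW_RECURSION, acls=ACLS):
    return acl_match(allow_recursion, client_ip, acls)


if __name__ == "__main__":
    for ip in ("192.168.10.7", "189.99.99.50"):
        print(f"{ip}: view={select_view(ip)} recursion={recursion_allowed(ip)}")
    # Same ACLs, views declared the other way round: 0.0.0.0/0 now swallows the LAN.
    swapped = list(reversed(VIEWS))
    print("swapped order, 192.168.10.7 ->", select_view("192.168.10.7", swapped))
```

With the slide's order a LAN client lands in bsidesplocal and may recurse, an Internet client lands in bsidespweb and may not; with the views swapped, the LAN client is served the external view, which is the mistake the ordering rule protects against.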
• 37. MAKE THE DNSSEC KEY
  root@moe:~# mkdir /var/lib/named/etc/bind/zones/keys
  root@moe:~# chown bind:bind /var/lib/named/etc/bind/zones/keys
  root@moe:/var/lib/named/etc/bind/zones/keys# dnssec-keygen -r /dev/urandom -f KSK -a RSASHA256 -b 2048 -K /var/lib/named/etc/bind/zones/keys -n ZONE bsidesp.utah.net.br
  Use RSASHA256 (algorithm 8) or ECDSAP256SHA256 (algorithm 13): RSAMD5 (algorithm 1) is listed as MUST NOT sign and MUST NOT validate in RFC 8624, so a zone signed with it is treated as unsigned by validators, and current BIND releases no longer generate such keys. The command writes a Kbsidesp.utah.net.br.+<alg>+<keytag>.key file (public DNSKEY) and a matching .private file; the private file must stay readable only by the bind user.
• 38. OPTION GLOSSARY
  -r = randomness device (ignored by recent versions, which always use the system entropy source)
  -f KSK = key flag: sets the SEP bit, marking the key as a Key Signing Key (flags 257 instead of 256)
  -a = signing algorithm
  -b = key size in bits
  -K = directory to write the key files to
  -n ZONE = the key belongs to a zone (as opposed to a host or a TSIG key)
• 39. SIGN THE ZONES
  root@moe:/var/lib/named/etc/bind/zones/keys# dnssec-signzone -S -z -K /var/lib/named/etc/bind/zones/keys -N unixtime -o bsidesp.utah.net.br /var/lib/named/etc/bind/zones/db.externa.direta
  The output is written next to the input as db.externa.direta.signed, plus a dsset-bsidesp.utah.net.br. file in the current directory. Repeat the command with -o 99.99.189.in-addr.arpa and the reverse zone file to produce db.externa.reversa.signed, which the next slide loads.
• 40. OPTION GLOSSARY
  -S = smart signing: reads the keys for the zone from the key directory and honours the timing metadata stored in them
  -z = ignore the SEP bit and sign the whole zone with every key; needed here because the slides generate only a KSK and no separate ZSK
  -K = directory holding the keys
  -N = SOA serial format of the signed zone; unixtime sets the serial to the current Unix time so every re-signing bumps it. Check the result: the unsigned file carries a date-style serial (2012101801), which in 2012 was larger than the Unix time, and secondaries only accept a serial that compares greater than the one they hold (RFC 1982). If the signed serial does not, use -N increment or -N keep and manage the serial yourself.
  -o = zone origin (the zone name); the last argument is the zone file to sign
• 41. CHANGE NAMED.CONF
  view bsidespweb {
      match-clients { extranet; };
      zone "bsidesp.utah.net.br" {
          type master;
          file "/etc/bind/zones/db.externa.direta.signed";
          allow-transfer { 189.99.99.9; };
          update-policy local;
          key-directory "/etc/bind/zones/keys";
          also-notify { 189.99.99.9; };
          notify yes;
      };
      zone "99.99.189.in-addr.arpa" {
          type master;
          file "/etc/bind/zones/db.externa.reversa.signed";
          allow-transfer { 189.99.99.9; };
          update-policy local;
          key-directory "/etc/bind/zones/keys";
          also-notify { 189.99.99.9; };
          notify yes;
      };
  };
  Only the file names change: the signed files are now loaded. Before reloading, validate with named-checkconf -t /var/lib/named and named-checkzone bsidesp.utah.net.br /var/lib/named/etc/bind/zones/db.externa.direta.signed, then rndc reload.
• 43. GET KEYTAG AND DIGEST
  root@moe:/var/lib/named/etc/bind/zones/keys# head -1 dsset-bsidesp.utah.net.br.
  bsidesp.utah.net.br IN DS 51074 1 1 D836A983AE90B051414E88D62379A94C9C9F71DD
  Keytag = 51074
  Digest = D836A983AE90B051414E88D62379A94C9C9F71DD
  dnssec-signzone writes the DS records for the zone's KSK to dsset-<zone>. in the current directory; this is the record that is submitted to the parent (through the registrar, registro.br for .br) so that validators can build the chain of trust. The four DS fields are key tag, signing algorithm, digest type and digest. In this output the algorithm is 1 (RSAMD5) and the digest type is 1 (SHA-1), both of which RFC 8624 forbids; a key generated with RSASHA256 gives algorithm 8, and the line to submit is the SHA-256 one (digest type 2, 64 hex characters).
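To see where the key tag and digest on this slide come from, the following added example (written for this page, not ISC's or the presenter's code) computes a DS record from a DNSKEY the way RFC 4034 defines it, and checks a DS line such as the one above against the RFC 8624 algorithm and digest guidance. The DNSKEY it uses is a constructed toy key (three bytes of public key material, not a real RSA key) so that the arithmetic can be followed by hand; the DS line it checks is the one from the slide.

```python
"""Added example (not from the slides): key tag (RFC 4034 appendix B), DS
digest (RFC 4034 section 5.1.4) and an RFC 8624 policy check for DS lines.
The DNSKEY below is a constructed toy key used only to exercise the arithmetic."""
import base64
import hashlib
import struct

# RFC 8624 sections 3.1 and 3.3: what operators must not sign with any more.
ALGORITHM_NAMES = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
                   7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
                   12: "ECC-GOST", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
                   15: "ED25519", 16: "ED448"}
MUST_NOT_SIGN = {1, 3, 6, 12}        # RSAMD5, DSA, DSA-NSEC3-SHA1, ECC-GOST
NOT_RECOMMENDED_SIGN = {5, 7, 10}    # SHA-1 based RSA variants, RSASHA512
DIGEST_NAMES = {1: "SHA-1", 2: "SHA-256", 3: "GOST R 34.11-94", 4: "SHA-384"}
MUST_NOT_DIGEST = {1, 3}
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}


def wire_name(name):
    """Owner name in DNS wire format, lowercased (RFC 4034 section 6.2)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 16-bit flags, protocol (always 3), algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 appendix B: sum the RDATA as big-endian 16-bit words and fold
    the carry back in. (Algorithm 1, RSAMD5, uses a different rule, appendix B.1,
    which is one more reason not to use it.)"""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """digest = hash(owner name in wire format || DNSKEY RDATA)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return hasher(wire_name(owner) + rdata).hexdigest().upper()


def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """The DS line dnssec-signzone would write to dsset-<zone>. for this key."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (f"{owner.rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} "
            f"{digest_type} {ds_digest(owner, rdata, digest_type)}")


def check_ds(line):
    """Parse 'owner [IN] DS keytag alg digesttype hex...' and list policy problems."""
    tokens = line.split()
    idx = tokens.index("DS")
    keytag, alg, dtype = (int(t) for t in tokens[idx + 1:idx + 4])
    digest = "".join(tokens[idx + 4:]).upper()
    problems = []
    if alg in MUST_NOT_SIGN:
        problems.append(f"algorithm {alg} ({ALGORITHM_NAMES.get(alg, '?')}) "
                        "must not be used to sign zones (RFC 8624)")
    elif alg in NOT_RECOMMENDED_SIGN:
        problems.append(f"algorithm {alg} ({ALGORITHM_NAMES.get(alg, '?')}) "
                        "is not recommended for signing (RFC 8624)")
    if dtype in MUST_NOT_DIGEST:
        problems.append(f"digest type {dtype} ({DIGEST_NAMES.get(dtype, '?')}) "
                        "must not be used in DS records (RFC 8624)")
    if dtype in DIGEST_HEX_LEN and len(digest) != DIGEST_HEX_LEN[dtype]:
        problems.append("digest length does not match the digest type")
    return {"keytag": keytag, "algorithm": alg, "digest_type": dtype,
            "digest": digest, "problems": problems}


# Constructed toy KSK (flags 257 = SEP bit set, protocol 3, RSASHA256, key "AQID").
TOY_KEY = ("bsidesp.utah.net.br", 257, 3, 8, "AQID")
SLIDE_DS = "bsidesp.utah.net.br IN DS 51074 1 1 D836A983AE90B051414E88D62379A94C9C9F71DD"

if __name__ == "__main__":
    print(make_ds(*TOY_KEY))
    print(check_ds(SLIDE_DS))
```

For the toy key the RDATA is 01 01 03 08 01 02 03, so the key tag works out to 2059 by hand (256+1+768+8+256+2+768); the slide's DS line is reported twice, once for RSAMD5 and once for the SHA-1 digest type.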
• 44. QUESTIONS? SPECIAL THANKS TO ISAIAS SOUZA SILVA
• 45. SOURCES
  BIND9 PROJECT https://www.isc.org/software/bind
  REGISTRO.BR www.registro.br
  QGSEG http://www.qgseg.com.br/
  WIKIPEDIA http://pt.wikipedia.org