Install and Understand DNSSEC on a Linux Server running BIND 9 in a CHROOT JAIL (system and service).
By Utah Networxs
Follow - @fabioandpires
Follow - @utah_networxs
2. WHO ARE WE?
FIRST LINUX SCHOOL AND CONSULTANCY IN BRAZIL.
17 YEARS OF PRACTICE IN LINUX
12 YEARS WITH THE BEST LINUX IN BRAZIL
MORE THAN 50.000 STUDENTS TRAINED
MORE THAN 5.000 CLIENTS IN DIFFERENT PROJECTS
LPI-C ATP IN BRAZIL
MORE: www.utah.com.br
4. Speaker: Fabio Pires
Mini Curriculum:
Graduated in Computer Science
Graduated in Bachelor of Computing
Postgraduate in Project Analysis and Systems - FATEC
Postgraduate in Linux O.S. - UFLA
LPIC
Teacher of undergraduate and graduate courses
Twitter in Spare Time
Contact: fpires@utah.com.br
5. WHAT IS A DNS SERVER?
"DNS - DOMAIN NAME SYSTEM" is a hierarchical and distributed name
management system that operates on two definitions:
1 - Reviewing and updating its database.
2 - Resolving domain names into network addresses (IPs).
6. TYPES OF DNS SERVER
The authoritative server is responsible for keeping the maps of a
local area and answering requests coming from machines around the
world that need to resolve domain names in the zone over which this
server is authoritative;
The recursive server is responsible for receiving recursive DNS
queries from local clients and consulting external servers in order
to obtain the answers to those queries.
7. DNS RFC'S
DNS has its roots in RFCs 882 and 883 and was updated in RFCs 1034 and
1035.
http://tools.ietf.org/html/rfc1034
http://tools.ietf.org/html/rfc1035
8. THE DNS ROOT SERVER
THERE IS JUST ONE DNS ROOT SERVER, AND IT IS
REPLICATED 13 TIMES.
The Table has only one entry for each existing Top Level
Domain. The Top Level Domains are of two types: gTLDs
(Generic Top Level Domains - generic domains used worldwide)
and ccTLDs (Country Code Top Level Domains - domain
extensions administered by countries).
11. WHY ARE DNS SERVERS COMPROMISED?
DoS and DDoS ATTACKS;
Open recursion (allow-recursion { any; };);
DNS CACHE POISONING: a forged response is accepted if it passes the resolver's checks:
Response arrives on the same UDP port the query was sent from
QUESTION section repeats the real question
QUERY ID matches the QUESTION
Names in the AUTHORITY and ADDITIONAL sections belong to the same domain as the QUERY
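The four checks listed above are the resolver's side of the story: a reply is only cached when it matches the outstanding query on port, ID and question, and when every AUTHORITY/ADDITIONAL record stays inside the bailiwick of the server that was asked. The following is an added example (not code from the slides or from BIND) that models those checks in Python over a deliberately simplified message structure; the Message/Record classes, the new_query and rejection_reasons functions and the example.com names are all constructed for illustration. It also shows why the query ID and the source port are randomised: they are the only values an off-path forger has to guess.

```python
import secrets
from dataclasses import dataclass, field

# Constructed, deliberately simplified message model (not the DNS wire format):
# it carries only the fields the acceptance checks on the slide refer to.
@dataclass
class Record:
    name: str
    rtype: str
    rdata: str

@dataclass
class Message:
    query_id: int
    port: int            # UDP port the query left from / the reply arrived on
    qname: str
    qtype: str
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)

def norm(name: str) -> str:
    """Compare names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is at or below zone, the domain the queried server serves."""
    n, z = norm(name), norm(zone)
    return n == z or n.endswith("." + z)

def new_query(qname: str, qtype: str) -> Message:
    """Build a query with a random ID and a random ephemeral source port.
    Randomising both is what makes the matching checks below hard to defeat
    by guessing; a fixed port leaves only the 16-bit ID as protection."""
    return Message(query_id=secrets.randbelow(1 << 16),
                   port=1024 + secrets.randbelow(65536 - 1024),
                   qname=qname, qtype=qtype)

def rejection_reasons(query: Message, response: Message, bailiwick: str) -> list:
    """Apply the slide's four acceptance checks; an empty list means 'accept'.
    Anything that fails a check is dropped instead of being cached."""
    reasons = []
    if response.port != query.port:
        reasons.append("reply arrived on a port we did not send the query from")
    if response.query_id != query.query_id:
        reasons.append("query ID does not match the outstanding query")
    if (norm(response.qname), response.qtype.upper()) != (norm(query.qname), query.qtype.upper()):
        reasons.append("QUESTION section does not repeat our question")
    for section, rrs in (("AUTHORITY", response.authority), ("ADDITIONAL", response.additional)):
        for rr in rrs:
            if not in_bailiwick(rr.name, bailiwick):
                reasons.append(f"{section} record for {rr.name} is outside {bailiwick}")
    return reasons

if __name__ == "__main__":
    q = new_query("www.example.com", "A")
    reply = Message(q.query_id, q.port, "www.example.com", "A",
                    answer=[Record("www.example.com", "A", "192.0.2.1")],
                    additional=[Record("ns.other.test", "A", "192.0.2.99")])
    print(rejection_reasons(q, reply, "example.com"))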
12. Mitigation
TSIG / DNSSEC: WHAT ARE THEY?
TSIG - Transaction Signatures (RFC 2845)
Traffic signed with a shared (symmetric) key between two parties
Used mainly in zone transfers (master and slave)
13. TSIG / DNSSEC WHAT IS IT ?
The mechanism used by DNSSEC is based on technology that
employs cryptographic signatures. DNSSEC uses a system of
asymmetric keys.
This means that someone with a domain compatible with
DNSSEC has a pair of electronic keys consisting of a private key
and a public key.
16. BIND IN A CHROOT JAIL
Host root (/) -> Debian jail (/chroot) -> BIND's own chroot inside the jail (/var/lib/named):
/
  bin  boot  chroot  dev  etc  home  lib  mnt  opt  proc  root  sbin  tmp  usr  var
/chroot (complete Debian tree built with debootstrap)
  bin  boot  dev  etc  home  lib  mnt  opt  proc  root  sbin  tmp  usr  var
/chroot/var/lib/named (the directory named is started in with -t)
  dev
  etc/bind
  lib
  var
17. MAKE A CHROOT JAIL
Operating System: Debian
Version Name: Squeeze
Version Release: 6.0.5
Architecture: x86_64
Directory: /chroot
root@moe:~# apt-get install debootstrap
root@moe:~# mkdir -p /chroot && cd /chroot
root@moe:/chroot# debootstrap squeeze .
18. SOLVING FUTURE JAIL PROBLEMS
01 - Mount the /dev and /dev/pts devices inside the jail
root@moe:~# mount --bind /dev /chroot/dev
root@moe:~# mount --bind /dev/pts /chroot/dev/pts
02 - Enter the CHROOT jail
root@moe:/chroot# cd ..
root@moe:~# chroot /chroot
19. INSTALL PACKAGES
root@moe:~# apt-get install sysklogd openssh-server vim bind9
MAIN BIND9 CONFIG FILES
/etc/bind
/etc/default/bind9
BIND9 INIT SCRIPT
/etc/init.d/bind9
21. EDIT DEFAULT FILES
root@moe:~# vi /etc/default/bind9
Change:
OPTIONS="-u bind"
To:
OPTIONS="-u bind -t /var/lib/named"
root@moe:~# vi /etc/init.d/bind9
Change:
OPTIONS="-u bind"
To:
OPTIONS="-u bind -t /var/lib/named"
22. COPY BIND PACKAGE FILES
root@moe:~# mkdir -p /var/lib/named/etc/bind
root@moe:~# cp -R /etc/bind/* /var/lib/named/etc/bind/
CHANGE DEFAULT OWNER USER AND GROUP
root@moe:~# chown -R bind:bind /var/lib/named
23. CREATE DEVICE NODES
root@moe:~# mkdir -p /var/lib/named/dev && cd /var/lib/named/dev
root@moe:/var/lib/named/dev# mknod null c 1 3
root@moe:/var/lib/named/dev# mknod random c 1 8
root@moe:/var/lib/named/dev# mknod zero c 1 5
root@moe:/var/lib/named/dev# mknod urandom c 1 9
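Slides 17 to 23 build the jail by hand, and a mistake in any step (a forgotten -t in OPTIONS, a device node with the wrong major/minor, a missing etc/bind) only shows up when named fails to start or, worse, starts outside the jail. The script below is an added example (not from the slides or the BIND project) that audits the finished layout: it parses the OPTIONS="..." line, checks the directories the slides create, and verifies each mknod'ed node is a character device with the numbers used above. The function names, the make_demo_jail helper and the temporary directory it builds are constructed for illustration; run it on the real jail as root with audit_jail("/var/lib/named", open("/etc/default/bind9").read()).

```python
import os
import re
import stat
import tempfile

# Device nodes the slides create with mknod, as (major, minor) on Linux.
EXPECTED_NODES = {"null": (1, 3), "zero": (1, 5), "random": (1, 8), "urandom": (1, 9)}
# Sub-directories BIND expects to find below its -t directory (from the slides).
EXPECTED_DIRS = ("etc/bind", "dev", "var")

def parse_options(line: str):
    """Return (user, chroot_dir) from an OPTIONS="..." line such as
    OPTIONS="-u bind -t /var/lib/named"; missing flags come back as None."""
    m = re.search(r'OPTIONS\s*=\s*"([^"]*)"', line)
    if not m:
        return None, None
    args = m.group(1).split()
    user = chroot = None
    for i, a in enumerate(args[:-1]):
        if a == "-u":
            user = args[i + 1]
        elif a == "-t":
            chroot = args[i + 1]
    return user, chroot

def audit_devices(jail: str) -> list:
    """Check that each node exists, is a character device and has the right numbers."""
    findings = []
    for name, (major, minor) in EXPECTED_NODES.items():
        path = os.path.join(jail, "dev", name)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            findings.append(f"missing {path}")
            continue
        if not stat.S_ISCHR(st.st_mode):
            findings.append(f"{path} is not a character device")
        elif (os.major(st.st_rdev), os.minor(st.st_rdev)) != (major, minor):
            findings.append(f"{path} is device {os.major(st.st_rdev)}/{os.minor(st.st_rdev)}, "
                            f"expected {major}/{minor}")
    return findings

def audit_jail(jail: str, options_line: str, expected_user: str = "bind") -> list:
    """Combine the OPTIONS check with the directory and device-node checks."""
    findings = []
    user, chroot = parse_options(options_line)
    if user != expected_user:
        findings.append(f"named does not drop privileges to '{expected_user}' (-u is {user})")
    if chroot != jail:
        findings.append(f"named is not started with -t {jail} (got {chroot})")
    for sub in EXPECTED_DIRS:
        if not os.path.isdir(os.path.join(jail, sub)):
            findings.append(f"missing directory {os.path.join(jail, sub)}")
    return findings + audit_devices(jail)

def make_demo_jail() -> str:
    """Constructed, incomplete jail in a temp dir: etc/bind and var exist, dev
    holds a plain file named 'null' instead of a device node (no root needed)."""
    root = tempfile.mkdtemp(prefix="named-jail-")
    for sub in ("etc/bind", "var", "dev"):
        os.makedirs(os.path.join(root, sub))
    open(os.path.join(root, "dev", "null"), "w").close()
    return root

if __name__ == "__main__":
    jail = make_demo_jail()
    for f in audit_jail(jail, 'OPTIONS="-u bind"'):
        print("FAIL:", f)
```

Ownership (bind:bind on the whole tree, slide 22) is deliberately left to a separate chown -R check, since resolving the bind user needs the jail's own passwd file.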
30. NAMED.CONF GLOSSARY
Line beginning with '//' = commented line
include = includes the specified file
acl = defines an Access Control List
zone = defines a zone
type = defines the type of the zone
file = full path of the zone's configuration file
allow-transfer = sets which slave servers may receive zone transfers from this server
update-policy local = allows local dynamic updates of the zone; in our case it is used
so that the zone is re-signed automatically before the keys expire
key-directory = directory that contains the zone's keys, needed for update-policy
to succeed
also-notify = makes the master server send NOTIFY messages to the listed slave
servers every time BIND restarts
notify = defines whether or not NOTIFY messages are sent for the zone
32. FORWARD ZONE EXAMPLE
$TTL 86400
@ IN SOA moe.bsidesp.utah.net.br. root.bsidesp.utah.net.br. (
    2012101801 ; Serial
    1200       ; Refresh
    2400       ; Retry
    4800       ; Expire
    1209600 )  ; Negative Cache TTL
;
@ IN NS moe.bsidesp.utah.net.br.
@ IN NS homer.bsidesp.utah.net.br.
@ IN MX 5 moe.bsidesp.utah.net.br.
@ IN MX 10 homer.bsidesp.utah.net.br.
@ IN A 189.100.100.10
@ IN A 189.99.99.9
moe IN A 189.99.99.9
homer IN A 187.100.100.10
ftp IN CNAME homer.bsidesp.utah.net.br.
pop IN CNAME homer.bsidesp.utah.net.br.
33. REVERSE ZONE EXAMPLE
$TTL 86400
@ IN SOA moe.bsidesp.utah.net.br. root.bsidesp.utah.net.br. (
2012101801 ; Serial
1200 ; Refresh
2400 ; Retry
4800 ; Expire
1209600 ) ; Negative Cache TTL
;
@ IN NS moe.bsidesp.utah.net.br.
@ IN NS homer.bsidesp.utah.net.br.
@ IN MX 5 moe.bsidesp.utah.net.br.
@ IN MX 10 homer.bsidesp.utah.net.br.
9 IN PTR moe.bsidesp.utah.net.br.
10 IN PTR homer.bsidesp.utah.net.br.
10 IN PTR www.bsidesp.utah.net.br.
10 IN PTR ftp.bsidesp.utah.net.br.
10 IN PTR pop.bsidesp.utah.net.br.
34. GLOSSARY ZONE FILE
TTL = time in seconds that the zone's records remain in a caching server;
Serial Number = reference used by a SLAVE server to tell whether the zone's
configuration file has changed;
Refresh = time in seconds the secondary server waits before checking the
primary server for updates;
Retry = time in seconds to wait after a failed refresh until the next check;
Expire = time in seconds that the secondary server keeps answering for the zone while
the primary server is unreachable; once this time is exhausted the
secondary server stops answering for the zone as well;
Negative Cache TTL = if a zone expires, this is the time for which a cache server stores
an NXDOMAIN answer before starting a new recursive
search;
NS = Name Server
A = Host (IP)
MX = Mail eXchanger (mail server)
Alias = aliases (CNAMEs) are placed at the end of the file, as above; they define the
zone's nicknames such as www, ftp, smtp, etc.
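Zone files are the input BIND will sign and serve, and the glossary above describes fields whose mistakes named only reports as warnings at load time (if at all). As an added example that is not part of the slides or of BIND, the Python below parses a zone in the exact layout of slides 32 and 33 (the $TTL directive, the parenthesised SOA, "@" and relative owner names) and lints it for the slips a reviewer would look for: a single SOA whose expire exceeds refresh + retry, no CNAME sharing an owner with other records (RFC 1034 section 3.6.2), in-zone NS targets that have an A record, and a CNAME/NS/MX/PTR target that ends in the zone name but lacks the trailing dot, which the file syntax would silently turn into name.zone.zone. The SLIDE_FORWARD_ZONE string is constructed from slide 32 with the last CNAME deliberately written without its trailing dot so that check fires; the function names are the example's own.

```python
# Constructed from the forward zone on slide 32 (bsidesp.utah.net.br); the last
# CNAME is written without the trailing dot so the check below can catch it.
SLIDE_FORWARD_ZONE = """\
$TTL 86400
@ IN SOA moe.bsidesp.utah.net.br. root.bsidesp.utah.net.br. (
    2012101801 ; Serial
    1200       ; Refresh
    2400       ; Retry
    4800       ; Expire
    1209600 )  ; Negative Cache TTL
;
@ IN NS moe.bsidesp.utah.net.br.
@ IN NS homer.bsidesp.utah.net.br.
@ IN MX 5 moe.bsidesp.utah.net.br.
@ IN MX 10 homer.bsidesp.utah.net.br.
@ IN A 189.100.100.10
@ IN A 189.99.99.9
moe IN A 189.99.99.9
homer IN A 187.100.100.10
ftp IN CNAME homer.bsidesp.utah.net.br.
pop IN CNAME homer.bsidesp.utah.net.br
"""

def records_of(text):
    """Yield (owner_omitted, tokens) per logical record: comments stripped and
    parenthesised continuation lines (the SOA) joined into one record."""
    buf, depth, owner_omitted = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not line.strip():
            continue
        if depth == 0:
            buf, owner_omitted = [], raw[0].isspace()
        for tok in line.replace("(", " ( ").replace(")", " ) ").split():
            if tok == "(":
                depth += 1
            elif tok == ")":
                depth -= 1
            else:
                buf.append(tok)
        if depth == 0:
            yield owner_omitted, buf

def fqdn(name, origin):
    """Resolve '@' and relative names against the origin (RFC 1035 file rules)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (default_ttl, [(owner, TYPE, rdata_tokens), ...])."""
    origin = origin.rstrip(".") + "."
    ttl, owner, records = None, origin, []
    for owner_omitted, toks in records_of(text):
        if toks[0] == "$TTL":
            ttl = int(toks[1])
            continue
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        if not owner_omitted:
            owner, toks = fqdn(toks[0], origin), toks[1:]
        if toks and toks[0].isdigit():        # optional per-record TTL
            toks = toks[1:]
        if toks and toks[0].upper() == "IN":  # optional class
            toks = toks[1:]
        records.append((owner, toks[0].upper(), toks[1:]))
    return ttl, records

def lint_zone(text, origin):
    """Return a list of problems; an empty list means the zone passed."""
    origin = origin.rstrip(".") + "."
    _, records = parse_zone(text, origin)
    types_at = {}
    for owner, rtype, _ in records:
        types_at.setdefault(owner, set()).add(rtype)
    findings = []
    soa = [r for r in records if r[1] == "SOA"]
    if len(soa) != 1:
        findings.append("zone must contain exactly one SOA record")
    else:  # SOA rdata: mname rname serial refresh retry expire minimum
        refresh, retry, expire = (int(v) for v in soa[0][2][3:6])
        if expire <= refresh + retry:
            findings.append(f"SOA expire ({expire}) should exceed refresh + retry ({refresh + retry})")
    for owner, rtype, rdata in records:
        if rtype == "CNAME" and types_at[owner] - {"CNAME"}:
            findings.append(f"{owner} has a CNAME alongside other records")
        if rtype in ("CNAME", "NS", "MX", "PTR"):
            target = rdata[-1]
            if not target.endswith(".") and target.endswith(origin.rstrip(".")):
                findings.append(f"{owner} {rtype} target {target} lacks the trailing dot "
                                f"(it will be read as {fqdn(target, origin)})")
        if rtype == "NS":
            target = fqdn(rdata[-1], origin)
            if target.endswith(origin) and "A" not in types_at.get(target, set()):
                findings.append(f"in-zone name server {target} has no A record")
    return findings

if __name__ == "__main__":
    for problem in lint_zone(SLIDE_FORWARD_ZONE, "bsidesp.utah.net.br"):
        print(problem)
```

The same parser reads the reverse zone of slide 33 unchanged (PTR targets are checked for the trailing dot in the same loop); pass the in-addr.arpa name of that zone as the origin.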
36. CLOSE RECURSIVE QUERIES
root@moe:~# vi /var/lib/named/etc/bind/named.conf.options
auth-nxdomain no;    # conform to RFC1035
listen-on-v6 { any; };
allow-query { internals; externals; };
allow-recursion { internals; };
dnssec-enable yes;
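The fragment above restricts recursion to the internals ACL, but it only works if that ACL is defined somewhere in named.conf, and it says nothing about allow-transfer, which the slide 30 glossary lists as the other statement that decides who may copy the zone. As an added example (not from the slides, and not BIND's own parser), the Python below flattens a named.conf fragment into statements, descends into options { ... }, and reports the open-resolver combination (recursion on with allow-recursion { any; } or unset), transfers left open, a missing dnssec-enable yes, and ACL names that are referenced but never defined. SLIDE_OPTIONS is the fragment from the slide; HARDENED is a constructed complete version with the ACLs defined and transfers limited to a TSIG key whose secret is a placeholder.

```python
import re

BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}

# The fragment from slide 36, as constructed input.
SLIDE_OPTIONS = """\
auth-nxdomain no;    # conform to RFC1035
listen-on-v6 { any; };
allow-query { internals; externals; };
allow-recursion { internals; };
dnssec-enable yes;
"""

# Constructed: the same settings inside a complete options block, with the
# ACLs defined and transfers limited to a TSIG key (the secret is a placeholder).
HARDENED = """\
acl internals { 127.0.0.0/8; 10.0.0.0/8; };
acl externals { any; };
key "xfer-key" { algorithm hmac-sha256; secret "PLACEHOLDER-BASE64-SECRET"; };
options {
    recursion yes;
    allow-query { internals; externals; };
    allow-recursion { internals; };
    allow-transfer { key xfer-key; };
    dnssec-enable yes;
};
"""

def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", " ", text)

def statements(text):
    """Flatten a named.conf fragment into (key, value) pairs: 'key value;'
    gives a string, 'key { a; b; };' a list of items, and a block that itself
    contains blocks (options { ... }) is descended into."""
    toks = re.findall(r"[{};]|[^\s{};]+", strip_comments(text))
    out, i = [], 0
    while i < len(toks):
        j = i
        while j < len(toks) and toks[j] not in ("{", ";", "}"):
            j += 1
        words = toks[i:j]
        if j == len(toks) or toks[j] != "{":            # simple statement
            if len(words) >= 2:
                out.append((words[0], " ".join(words[1:])))
            i = j + 1
            continue
        depth, k = 1, j + 1                              # find the matching '}'
        while depth and k < len(toks):
            depth += {"{": 1, "}": -1}.get(toks[k], 0)
            k += 1
        inner = toks[j + 1:k - 1]
        if "{" in inner:
            out.extend(statements(" ".join(inner)))
        else:
            items, cur = [], []
            for t in inner:
                if t == ";":
                    items.append(" ".join(cur))
                    cur = []
                else:
                    cur.append(t)
            out.append((" ".join(words), items + ([" ".join(cur)] if cur else [])))
        i = k + 1 if k < len(toks) and toks[k] == ";" else k
    return out

def lint_named_conf(text):
    """Return findings about recursion, transfers, DNSSEC and undefined ACLs."""
    conf = dict(statements(text))                        # later statements win
    defined = {k.split()[1].strip('"') for k in conf if k.startswith("acl ")}
    findings = []
    if conf.get("recursion", "yes") == "yes":            # BIND's default is yes
        allow = conf.get("allow-recursion")
        if allow is None:
            findings.append("recursion is on and allow-recursion is unset: set it to the internal networks explicitly")
        elif "any" in allow:
            findings.append("open resolver: recursion is on and allow-recursion { any; } accepts everyone")
    transfer = conf.get("allow-transfer")
    if transfer is None or "any" in transfer:
        findings.append("allow-transfer is unset or 'any': restrict zone transfers to the slaves (with a TSIG key)")
    if conf.get("dnssec-enable") != "yes":
        findings.append("dnssec-enable yes is missing")
    used = {n for key in ("allow-query", "allow-recursion", "allow-transfer")
            for n in (conf.get(key) or []) if isinstance(conf.get(key), list)}
    for name in sorted(used):
        if re.fullmatch(r"[A-Za-z_][\w-]*", name) and name not in BUILTIN_ACLS | defined:
            findings.append(f"ACL '{name}' is referenced but not defined in this file")
    return findings

if __name__ == "__main__":
    for problem in lint_named_conf(SLIDE_OPTIONS):
        print(problem)
```

Run it over the concatenation of named.conf and every file it includes, since an ACL defined in named.conf.local is invisible when only named.conf.options is checked.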
37. MAKE THE DNSSEC KEY
root@moe:~# mkdir -p /var/lib/named/etc/bind/zones/keys
root@moe:~# chown bind:bind /var/lib/named/etc/bind/zones/keys
root@moe:/var/lib/named/etc/bind/zones/keys# dnssec-keygen -r /dev/urandom -f KSK -a RSAMD5 -b 2048 -K /var/lib/named/etc/bind/zones/keys -n ZONE bsidesp.utah.net.br
38. GLOSSARY OPTIONS
-r = randomness device (source of random data)
-f = key flag: KSK marks the key as a Key Signing Key (sets the SEP bit)
-a = encryption algorithm
-b = key size in bits
-K = directory for the keys
-n = name type (ZONE)
39. SIGN ZONES
root@moe:/var/lib/named/etc/bind/zones/keys# dnssec-signzone -S -z -K /var/lib/named/etc/bind/zones/keys -N unixtime -o bsidesp.utah.net.br /var/lib/named/etc/bind/zones/db.externa.direta
40. GLOSSARY OPTIONS
-S = smart signing: searches the key directory for the zone's keys;
-z = ignores the SEP bit on the keys and signs the whole zone with them;
-K = directory of the keys;
-N = format of the SOA serial; in our case we use 'unixtime' so that the serial
is incremented with each signing;
-o = zone origin, followed by the zone's file.
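Signing the zone is only half of DNSSEC: the parent zone has to publish a DS record that matches the KSK generated on slide 37, otherwise validators cannot build the chain of trust. The Python below is an added example (not from the slides, and not BIND's dnssec-dsfromkey, which does the same job for real key files) that reads a DNSKEY line in the format dnssec-keygen writes, computes the key tag of RFC 4034 Appendix B, shows which flag value the -f KSK option sets (257 with the SEP bit, against 256 for a ZSK, the bit that -z tells dnssec-signzone to ignore), and derives the DS digest over the owner name plus the DNSKEY RDATA. SAMPLE_DNSKEY is constructed: its algorithm is 8 (RSASHA256) rather than the slide's RSAMD5, which has since been deprecated (RFC 6944 lists it as MUST NOT implement), and its public key bytes are a four-byte placeholder rather than a real RSA key, so the resulting DS is only for exercising the arithmetic.

```python
import base64
import hashlib
import struct

# Constructed DNSKEY line in the format dnssec-keygen writes to K<name>+<alg>+<tag>.key.
# Flags 257 = ZONE key with the SEP bit (-f KSK); 256 would be a ZSK.  Algorithm 8
# is RSASHA256.  The public key bytes 01 02 03 04 are a placeholder, not a real
# RSA key, so the numbers below only exercise the arithmetic.
SAMPLE_DNSKEY = "bsidesp.utah.net.br. IN DNSKEY 257 3 8 AQIDBA=="

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"

def parse_dnskey(line: str):
    """Return (owner, flags, protocol, algorithm, pubkey_bytes) from a DNSKEY line."""
    toks = line.split(";", 1)[0].split()
    i = toks.index("DNSKEY")
    flags, protocol, algorithm = int(toks[i + 1]), int(toks[i + 2]), int(toks[i + 3])
    return toks[0], flags, protocol, algorithm, base64.b64decode("".join(toks[i + 4:]))

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA as it appears on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: sum the RDATA as 16-bit words, fold the carry."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def is_ksk(flags: int) -> bool:
    """The low bit of the flags field is the SEP bit that -f KSK sets."""
    return flags & 1 == 1

def ds_record(line: str, digest_type: int = 2) -> str:
    """Build the DS record (RFC 4034 section 5) to hand to the parent zone:
    digest over owner-name wire form + DNSKEY RDATA; type 2 is SHA-256, 1 is SHA-1."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(line)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"

if __name__ == "__main__":
    print(ds_record(SAMPLE_DNSKEY))
```

Before sending the DS to the registrar, compare this output with what dnssec-dsfromkey prints for the real K*.key file; a key tag or digest mismatch means the wrong key (for example the ZSK instead of the KSK) is about to be published at the parent.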