DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL

Install and Understand DNSSEC in Linux Server running BIND 9 with CHROOT JAIL system and Service.

By Utah Networxs


  1. “DNSSEC – WHAT IS IT?”
  2. WHO WE ARE?
     First Linux school and consulting company in Brazil.
     17 years of practice in Linux; 12 years with Best Linux in Brazil.
     More than 50,000 students trained; more than 5,000 clients in different projects.
     LPI-C ATP in Brazil. More: www.utah.com.br
  3. SOCIAL MEDIA
     Follow! @fabioandpires
     Follow! @utah_networxs
     Enjoy! Utah Networxs
  4. Speaker: Fabio Pires
     Mini curriculum: graduated in Computer Science; Bachelor of Computing; post graduate in Project Analysis and Systems (FATEC); post graduate in Linux O.S. (UFLA); LPIC; teacher of undergraduate and graduate courses; Twitter in spare time.
     Contact: fpires@utah.com.br
  5. WHAT IS A DNS SERVER?
     “DNS – Domain Name System” is a hierarchical, distributed name management system that works on two definitions:
     1 – review and update its database;
     2 – resolve domain names into network addresses (IPs).
  6. TYPES OF DNS?
     Authoritative: keeps the maps (zones) for a local area and answers requests coming from machines around the world that need to resolve names in the area over which this server is authoritative.
     Recursive: receives recursive DNS queries from local clients and consults external servers in order to obtain the answers to those queries.
  7. DNS RFCs
     The roots are RFCs 882 and 883, updated by RFCs 1034 and 1035.
     http://tools.ietf.org/html/rfc1034
     http://tools.ietf.org/html/rfc1035
  8. THE DNS ROOT SERVER
     There is just one DNS root server and it is replicated 13 times. The root table has only one entry for each existing Top Level Domain. Top Level Domains are of two types: gTLDs (Generic Top Level Domains, generic domains used worldwide) and ccTLDs (Country Code Top Level Domains, domain extensions administered by countries).
  9. THE DNS ROOT SERVER WORLD MAP
  10. OPERATION OF A DNS SERVER
  11. WHY ARE DNS SERVERS COMPROMISED?
     – DoS and DDoS attacks;
     – open recursion (allow-recursion { any; });
     – DNS cache poisoning: a forged reply gets cached when it passes the checks a resolver makes on a response, namely that the reply arrives on the same UDP port the query left from, its QUESTION section refers to the true question, its query ID matches, and the names in the AUTHORITY and ADDITIONAL sections belong to the same domain as the query.
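The acceptance rules listed above are what a resolver applies to every reply before it may enter the cache. As an added illustration, not code from the deck, here they are as a small Python check over constructed query and reply objects; `zone` is the zone the queried server is authoritative for, which the resolver knows from the delegation chain.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Query:
    """A query the resolver sent and is still waiting on (constructed example data)."""
    qid: int       # 16-bit query ID
    port: int      # UDP source port the query left from
    qname: str
    qtype: str
    zone: str      # zone the queried server is authoritative for (from the delegation)

@dataclass
class Reply:
    """The relevant pieces of an incoming reply (constructed, not parsed from the wire)."""
    qid: int
    port: int      # UDP port the reply arrived on
    qname: str
    qtype: str
    authority: list[str] = field(default_factory=list)   # owner names in AUTHORITY
    additional: list[str] = field(default_factory=list)  # owner names in ADDITIONAL

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies below it (case-insensitive, trailing dot optional)."""
    n = name.lower().rstrip(".") + "."
    z = zone.lower().rstrip(".") + "."
    return z == "." or n == z or n.endswith("." + z)

def accept_reply(q: Query, r: Reply) -> tuple[bool, str]:
    """Apply the slide's four checks; any failure means the reply is dropped, not cached."""
    if r.port != q.port:
        return False, "udp port mismatch"
    if r.qid != q.qid:
        return False, "query id mismatch"
    asked = (q.qname.lower().rstrip("."), q.qtype.upper())
    answered = (r.qname.lower().rstrip("."), r.qtype.upper())
    if asked != answered:
        return False, "question section mismatch"
    # Records naming anything outside the queried zone must not be cached: this is
    # what stops a reply from planting data for an unrelated domain.
    for owner in r.authority + r.additional:
        if not in_bailiwick(owner, q.zone):
            return False, f"out-of-bailiwick record: {owner}"
    return True, "ok"
```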
  12. MITIGATION – TSIG / DNSSEC, WHAT IS IT?
     TSIG – Transaction Signatures (RFC 2845): traffic signed with a shared (symmetric) key between two parties; used mainly in zone transfers (master and slave).
  13. TSIG / DNSSEC – WHAT IS IT?
     The mechanism used by DNSSEC is based on cryptographic signatures. DNSSEC uses asymmetric keys: whoever runs a DNSSEC-enabled domain has a pair of electronic keys consisting of a private key and a public key.
  14. DNS VS DNSSEC
  15. PRACTICE: DNS SERVER IN A CHROOT JAIL
  16. CHROOT – BIND IN A CHROOT JAIL
     (Diagram: the host filesystem / with bin, boot, chroot, dev, etc, home, lib, mnt, opt, proc, root, sbin, tmp, usr, var; inside /chroot the same tree is mirrored, with etc/bind and var/lib/named holding the jailed BIND.)
  17. MAKE A CHROOT JAIL
     Operating system: Debian; version name: Squeeze; release: 6.0.5; architecture: x86_64; directory: /chroot
        root@moe:~# apt-get install debootstrap
        root@moe:~# mkdir -p /chroot && cd /chroot
        root@moe:/chroot# debootstrap squeeze .
  18. SOLVE FUTURE JAIL PROBLEMS
     01 – Mount the /dev and /dev/pts devices into the jail
        root@moe:/chroot# mount --bind /dev /chroot/dev
        root@moe:/chroot# mount --bind /dev/pts /chroot/dev/pts
     02 – Enter the chroot jail
        root@moe:/chroot# cd ..
        root@moe:/# chroot /chroot
  19. INSTALL PACKAGES
        root@moe:/# apt-get install sysklogd openssh-server vim bind9
     Main BIND9 config files: /etc/bind and /etc/default/bind9
     BIND9 init script: /etc/init.d/bind9
  20. MAKE DIRECTORIES
        root@moe:~# mkdir -p /var/lib/named
        root@moe:~# mkdir -p /var/lib/named/etc/bind
        root@moe:~# mkdir -p /var/lib/named/dev
        root@moe:~# mkdir -p /var/lib/named/var/cache/bind
        root@moe:~# mkdir -p /var/lib/named/var/run/bind/run
        root@moe:~# mkdir -p /var/lib/named/var/run/named
        root@moe:~# mkdir -p /var/lib/named/lib
  21. EDIT DEFAULT FILES
        root@moe:~# vi /etc/default/bind9
     Change:  OPTIONS="-u bind"
     To:      OPTIONS="-u bind -t /var/lib/named"
        root@moe:~# vi /etc/init.d/bind9
     Change:  OPTIONS="-u bind"
     To:      OPTIONS="-u bind -t /var/lib/named"
  22. COPY BIND PACKAGE FILES
        root@moe:~# cp -R /etc/bind/* /var/lib/named/etc/bind/
     CHANGE DEFAULT OWNER USER AND GROUP
        root@moe:~# chown -R bind:bind /var/lib/named
  23. CREATE DEVICE FILES (character devices, hence the "c"; BIND needs them inside the jail)
        root@moe:~# cd /var/lib/named/dev
        root@moe:/var/lib/named/dev# mknod null c 1 3
        root@moe:/var/lib/named/dev# mknod random c 1 8
        root@moe:/var/lib/named/dev# mknod zero c 1 5
        root@moe:/var/lib/named/dev# mknod urandom c 1 9
  24. RESTART THE BIND9 SERVICE
        root@moe:~# invoke-rc.d bind9 restart
  25. MAIN CONFIGURATION FILES
     named.conf
     named.conf.options
     zones/db.interna.direta
     zones/db.interna.reversa
     zones/db.externa.direta
     zones/db.externa.reversa
  26. ACLs AND VIEWS CONCEPT
     ACL – Access Control List
     Views
  27. CONFIGURE NAMED.CONF
        acl intranet { 192.168.0.0/16; };
        acl extranet { 0.0.0.0/0; };
  28. CONFIGURE NAMED.CONF (internal view)
        view bsidesplocal {
            match-clients { "intranet"; };
            zone "bsidesp.utah.net.br" {
                type master;
                file "/etc/bind/zones/db.interna.direta";
                allow-transfer { 192.168.0.220; };
                update-policy local;
                key-directory "/etc/bind/zones/keys";
                also-notify { 192.168.0.220; };
                notify yes;
            };
            zone "0.168.192.in-addr.arpa" {
                type master;
                file "/etc/bind/zones/db.interna.reversa";
                allow-transfer { 192.168.0.220; };
                update-policy local;
                key-directory "/etc/bind/zones/keys";
                also-notify { 192.168.0.220; };
                notify yes;
            };
        };
  29. CONFIGURE NAMED.CONF (external view)
     Views are matched in order and the first match wins, so this catch-all view must come after bsidesplocal.
        view bsidespweb {
            match-clients { "extranet"; };
            zone "bsidesp.utah.net.br" {
                type master;
                file "/etc/bind/zones/db.externa.direta";
                allow-transfer { 189.99.99.9; };
                update-policy local;
                key-directory "/etc/bind/zones/keys";
                also-notify { 189.99.99.9; };
                notify yes;
            };
            zone "99.99.189.in-addr.arpa" {   // reverse zone for 189.99.99.0/24
                type master;
                file "/etc/bind/zones/db.externa.reversa";
                allow-transfer { 189.99.99.9; };
                update-policy local;
                key-directory "/etc/bind/zones/keys";
                also-notify { 189.99.99.9; };
                notify yes;
            };
        };
  30. NAMED.CONF GLOSSARY
     – a line beginning with // is a comment;
     – include = includes the specified file;
     – acl = defines an access list;
     – zone = defines a zone;
     – type = defines the type of zone;
     – file = full path of the zone's configuration file (relative to the jail when -t is used);
     – allow-transfer = the slave servers allowed to receive updates (zone transfers) from this server;
     – update-policy local = enables local dynamic updates; in our case it is used to re-sign the zones automatically before the keys expire;
     – key-directory = the directory holding the zone keys needed for update-policy to succeed;
     – also-notify = slave servers the master notifies of zone changes (every time bind restarts);
     – notify = defines whether or not zone change notifications are sent.
  31. DB.ZONES FILES
        root@moe:~# mkdir /var/lib/named/etc/bind/zones
        root@moe:~# chown bind:bind /var/lib/named/etc/bind/zones
  32. DIRECT (FORWARD) ZONE EXAMPLE
        $TTL 86400
        @     IN SOA   moe.bsidesp.utah.net.br. root.bsidesp.utah.net.br. (
                      2012101801 ; Serial
                      1200       ; Refresh
                      2400       ; Retry
                      4800       ; Expire
                      1209600 )  ; Negative Cache TTL
        ;
        @     IN NS    moe.bsidesp.utah.net.br.
        @     IN NS    homer.bsidesp.utah.net.br.
        @     IN MX 5  moe.bsidesp.utah.net.br.
        @     IN MX 10 homer.bsidesp.utah.net.br.
        @     IN A     189.100.100.10
        @     IN A     189.99.99.9

        moe   IN A     189.99.99.9
        homer IN A     187.100.100.10
        ftp   IN CNAME homer.bsidesp.utah.net.br.
        pop   IN CNAME homer.bsidesp.utah.net.br.
  33. REVERSE ZONE EXAMPLE
        $TTL 86400
        @     IN SOA   moe.bsidesp.utah.net.br. root.bsidesp.utah.net.br. (
                      2012101801 ; Serial
                      1200       ; Refresh
                      2400       ; Retry
                      4800       ; Expire
                      1209600 )  ; Negative Cache TTL
        ;
        @     IN NS    moe.bsidesp.utah.net.br.
        @     IN NS    homer.bsidesp.utah.net.br.
        @     IN MX 5  moe.bsidesp.utah.net.br.
        @     IN MX 10 homer.bsidesp.utah.net.br.
        9     IN PTR   moe.bsidesp.utah.net.br.
        10    IN PTR   homer.bsidesp.utah.net.br.
        10    IN PTR   www.bsidesp.utah.net.br.
        10    IN PTR   ftp.bsidesp.utah.net.br.
        10    IN PTR   pop.bsidesp.utah.net.br.
  34. ZONE FILE GLOSSARY
     – TTL = time in seconds that a record of the zone stays in a caching server;
     – Serial = reference the SLAVE server uses to tell whether the zone's configuration file has changed;
     – Refresh = time in seconds the secondary server waits before checking the primary for updates;
     – Retry = time in seconds until the next check when a refresh fails;
     – Expire = time in seconds the secondary server keeps answering for the zone while the primary is down; once it is exhausted the secondary stops responding for the zone too;
     – Negative Cache TTL = if a zone expires, the time a caching server keeps an NXDOMAIN answer before starting a new recursive search;
     – NS = name server;
     – A = host (IP);
     – MX = mail exchanger (mail server);
     – Alias (CNAME) = the nicknames defined at the end of the zone file, such as www, ftp, smtp, etc.
  36. CLOSE RECURSIVE QUERIES
        root@moe:~# vi /var/lib/named/etc/bind/named.conf.options
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        allow-query { intranet; extranet; };   # the ACLs defined on slide 27
        allow-recursion { intranet; };         # recursion only for local clients
        dnssec-enable yes;
  37. MAKE THE DNSSEC KEY
        root@moe:~# mkdir /var/lib/named/etc/bind/zones/keys
        root@moe:~# chown bind:bind /var/lib/named/etc/bind/zones/keys
        root@moe:~# cd /var/lib/named/etc/bind/zones/keys
        root@moe:/var/lib/named/etc/bind/zones/keys# dnssec-keygen -r /dev/urandom -f KSK -a RSAMD5 -b 2048 -K /var/lib/named/etc/bind/zones/keys -n ZONE bsidesp.utah.net.br
  38. GLOSSARY OPTIONS
     – -r = randomness source device;
     – -f = key flag (KSK = key signing key);
     – -a = signing algorithm;
     – -b = key size in bits;
     – -K = key directory;
     – -n = name type (ZONE).
     Note that RSAMD5 (algorithm number 1, as seen in the DS record on slide 43) has since been deprecated: RFC 6944 lists it as "MUST NOT IMPLEMENT", so a current deployment would choose RSASHA256 (algorithm 8) or later.
  39. SIGN THE ZONES
        root@moe:/var/lib/named/etc/bind/zones/keys# dnssec-signzone -S -z -K /var/lib/named/etc/bind/zones/keys -N unixtime -o bsidesp.utah.net.br /var/lib/named/etc/bind/zones/db.externa.direta
     This writes db.externa.direta.signed next to the zone file and a dsset-bsidesp.utah.net.br. file with the DS records in the current directory.
  40. GLOSSARY OPTIONS
     – -S = smart signing: looks up the zone's keys in the key directory and includes them;
     – -z = ignores the KSK (SEP) bit and signs the whole zone with every key;
     – -K = directory of the keys;
     – -N unixtime = SOA serial format; in our case unixtime, so the serial is incremented with each signing;
     – -o = zone origin, followed by the zone file to sign.
  41. CHANGE NAMED.CONF
        view bsidespweb {
            match-clients { "extranet"; };
            zone "bsidesp.utah.net.br" {
                type master;
                file "/etc/bind/zones/db.externa.direta.signed";
                allow-transfer { 189.99.99.9; };
                update-policy local;
                key-directory "/etc/bind/zones/keys";
                also-notify { 189.99.99.9; };
                notify yes;
            };
            zone "99.99.189.in-addr.arpa" {
                type master;
                file "/etc/bind/zones/db.externa.reversa.signed";
                allow-transfer { 189.99.99.9; };
                update-policy local;
                key-directory "/etc/bind/zones/keys";
                also-notify { 189.99.99.9; };
                notify yes;
            };
        };
  42. SHARED AT REGISTRO.BR
     The DS record is handed to the registrar, which publishes it in the parent zone.
  43. GET KEYTAG AND DIGEST
        root@moe:/var/lib/named/etc/bind/zones/keys# head -1 dsset-bsidesp.utah.net.br.
        bsidesp.utah.net.br. IN DS 51074 1 1 D836A983AE90B051414E88D62379A94C9C9F71DD
     Keytag = 51074
     Digest = D836A983AE90B051414E88D62379A94C9C9F71DD
     (The two fields between them are the key algorithm, 1 = RSAMD5, and the digest type, 1 = SHA-1.)
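Before typing the keytag and digest into the registrar form it is worth recomputing them from the DNSKEY the zone actually publishes. As an added example, not the deck's or BIND's code, the block below implements the key tag of RFC 4034 Appendix B (algorithm 1, RSAMD5 as used on the slides, is the special case) and the DS digest of RFC 4034 section 5.1.4; the DNSKEY in the demo is constructed with a dummy public key, only the owner name is the slides' zone.

```python
import base64
import hashlib

def name_to_wire(name: str) -> bytes:
    """Owner name as uncompressed wire-format labels, lowercased as RFC 4034 requires."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def parse_dnskey(rr: str) -> bytes:
    """RDATA of a presentation-format DNSKEY ('owner. IN DNSKEY flags proto alg base64...')."""
    fields = rr.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(f) for f in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey

def keytag(rdata: bytes) -> int:
    """RFC 4034 Appendix B. Algorithm 1 (RSAMD5, used on the slides) is the special case."""
    if rdata[3] == 1:
        return int.from_bytes(rdata[-3:-1], "big")   # 4th- and 3rd-to-last modulus octets
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types: 1 = SHA-1 (slide 43), 2 = SHA-256

def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS in presentation format; digest = H(owner wire name || DNSKEY RDATA)."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.rstrip('.')}. IN DS {keytag(rdata)} {rdata[3]} {digest_type} {digest}"

def ds_matches(ds_line: str, owner: str, rdata: bytes) -> bool:
    """Check a DS line (from dsset-* or the registrar form) against the published DNSKEY."""
    got = [f.upper() for f in ds_line.split()[-4:]]   # keytag, algorithm, digest type, digest
    if not got[2].isdigit() or int(got[2]) not in DIGESTS:
        return False
    return ds_record(owner, rdata, int(got[2])).split()[-4:] == got

if __name__ == "__main__":
    # Constructed DNSKEY with a dummy public key, not the real key from the slides.
    pub = base64.b64encode(b"constructed-dummy-public-key").decode()
    rd = parse_dnskey(f"bsidesp.utah.net.br. IN DNSKEY 257 3 8 {pub}")
    print(ds_record("bsidesp.utah.net.br", rd, 1))
    print(ds_record("bsidesp.utah.net.br", rd, 2))
```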
  44. DOUBTS?
     SPECIAL THANKS: ISAIAS SOUZA SILVA
  45. SOURCES OF RESEARCH
     BIND9 project: https://www.isc.org/software/bind
     Registro.br: www.registro.br
     QGSEG: http://www.qgseg.com.br/
     Wikipedia: http://pt.wikipedia.org
