BIND Sarthak Agasti
Presentation Outline • Introduction • Installation • Configuration • Security • Conclusions
Introduction • BIND has become the most popular DNS server on the Internet. • The first implementation of the Domain Name System was called JEEVES, written by Paul Mockapetris. • A later implementation was BIND, an acronym for Berkeley Internet Name Domain, written by Kevin Dunlap at Berkeley. • BIND is now maintained by the Internet Software Consortium (today the Internet Systems Consortium, ISC).
Installation • The major files for the implementation of DNS BIND/iX are found in PUB.BIND and NET.SYS in the MPE/iX name space, and under the directories /BIND/PUB and /etc in the POSIX name space. • JNAMED.PUB.BIND - the job which runs the DNS server. • NAMED.PUB.BIND - the DNS server program. • RESLVCNF.NET.SYS (/etc/resolv.conf in the POSIX name space) - the DNS client (resolver) configuration file.
Installation contd. • /BIND/PUB/etc/named.conf - the server configuration file. • /BIND/PUB/etc/zone - several example zone files included with the DNS BIND/iX product. • /BIND/PUB/etc/nslookup.help - the help text for the nslookup utility. • /BIND/PUB/bin/nslookup - interactive name server query utility.
Installation contd. • /BIND/PUB/bin/dnsquery - DNS server query tool. • /BIND/PUB/bin/host - host information lookup tool. • /BIND/PUB/bin/addr - address lookup tool. • /BIND/PUB/bin/named-bootconf.pl - Perl script to assist in converting a BIND 4.x named.boot to an 8.x named.conf.
Installation contd. • /BIND/PUB/bin/nsupdate - dynamic DNS update client (not a zone transfer program: the helper that BIND 8 name servers call internally to transfer zone data from primary to secondary servers is named-xfer). • /BIND/PUB/public_html - linked to the sub-directory /BIND/PUB/doc-8.1.1/html, the BIND 8.1.1 HTML documentation.
Installation contd. • Resolver config - /etc/resolv.conf • allows a maximum of 3 name servers (additional nameserver lines are ignored) • a separate server can be used for internal queries • forwarders optimize name service by concentrating the cache on a few well-connected servers
Configuration • Hardware Requirements • BIND's database is kept in memory, so as the cache grows, so does the named process. • To determine whether a machine has enough memory to run named, run it for a while and watch the size of the named process. • It takes about 2 weeks to reach a stable size. • Plan for double the amount of memory consumed by named at that point.
Configuration contd. • named startup • Each Linux package has a startup script for named that is run through init. • A running copy of named is controlled with ndc (BIND 8) or rndc (BIND 9), followed by commands such as stop, reload, restart and status (ndc can also start named; rndc only talks to a named that is already running). • named logs through syslog, so syslogd should be started before named. • Do not run named from inetd/xinetd, as they restart named on every use and throw away its cache, slowing response time.
Configuration contd. • The BIND configuration file syntax changed significantly between Version 4 and Version 8. • The name of the configuration file also changed: BIND 4: /etc/named.boot; BIND 8/9: /etc/named.conf • A BIND 8/9 configuration consists of a series of statements, each terminated by a semicolon. • The format is quite fragile: even one missing semicolon can stop named from loading. • BIND 9 added tools to check the syntax of the config file (named-checkconf) and of zone data files (named-checkzone); run them before every restart.
Configuration contd. • Configuration Parameters • include - to organize a large configuration, different portions of it can be put in separate files; this is also the usual way to keep key secrets in a file with tighter permissions than named.conf itself • options - specifies global options, some of which can be overridden for particular zones or servers; if no options statement is present, default values are used. BIND 9 has over 50 options, e.g. directory, version, check-names • server - tells named the characteristics of its remote peers, e.g. if a server is marked bogus, named will not send queries to it
Configuration contd. • Configuration Parameters contd. • lwres - a statement introduced in BIND 9 that also configures named, making it act as a lightweight resolver daemon • key - defines a named shared-secret (HMAC) key used to authenticate a particular server, e.g. for TSIG-signed zone transfers or for rndc • acl - an access control list is an address match list with a name; it can be used anywhere an address match list is called for • zone - tells named about the zones for which it is authoritative and sets the options appropriate for managing each zone; a zone of type hint preloads the root server addresses
Configuration contd. • Configuration Parameters contd. • trusted-keys - for DNSSEC: each entry is a 5-tuple (domain name, flags, protocol, algorithm, key) giving a public key that named trusts as the starting point for validating that domain's data • controls - specifies how ndc/rndc controls a running named process (stop, reload, put it in debug mode, etc.) and which addresses and keys are allowed to do so • logging - specifies which categories of messages (errors, security events, queries, ...) go to which channels (files or syslog) and at what severity • view - many sites want the internal view of their network to differ from the view seen over the Internet; this configuration is called split DNS, and the view statement simplifies its setup
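The statements listed on the three slides above, assembled into one BIND 9 named.conf. This is an added example, not a file from the slides or from the BIND/iX product; the paths, zone names, addresses and the key name rndc-key (defined in the included file) are assumptions chosen for illustration, and trusted-keys is left out because it needs a real DNSSEC trust anchor.

```conf
// Added example (not from the slides): a BIND 9 named.conf that exercises
// each statement named on the preceding slides. Paths, zone names,
// addresses and key names are assumptions chosen for illustration.

// include: keep secrets out of the main file, which is usually world-readable.
include "/etc/named/rndc.key";          // assumed to define key "rndc-key"

// acl: a named address match list, reusable wherever one is accepted.
acl internal { 127.0.0.1; 10.0.0.0/8; };

// options: global defaults, some of which zones and views override.
options {
    directory "/var/named";
    version "not disclosed";            // reply to version.bind CH TXT queries
    check-names master fail;            // refuse malformed names in our own zones
    recursion no;                       // overridden below for the internal view
};

// logging: which channels receive which categories at which severity.
logging {
    channel main_log {
        file "/var/log/named/named.log" versions 3 size 5m;
        severity info;
        print-time yes;
        print-category yes;
    };
    category default  { main_log; };
    category security { main_log; };
};

// controls: who may drive this named with rndc, authenticated by rndc-key.
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

// server: per-peer settings; 'bogus yes' makes named never query this host.
server 192.0.2.66 { bogus yes; };

// view: split DNS. Internal clients get recursion and the full zone file;
// everyone else gets a separate, smaller zone file and no recursion.
// Once views are used, every zone (including the hint zone) must live in a view.
view "internal" {
    match-clients { internal; };
    recursion yes;
    zone "." { type hint; file "named.root"; };
    zone "example.com" { type master; file "internal/example.com.db"; };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" { type master; file "external/example.com.db"; };
};
```

Run named-checkconf /etc/named.conf after editing; it catches the missing-semicolon class of error before a restart takes the server down. Note that match-clients selects a view by unauthenticated source address, so the internal view keeps internal names out of casual external answers but should be backed by network filtering, not relied on as the only control.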
Security • Zone data can be read by anyone with tools like dig, host etc., and an unrestricted server will hand out the whole zone on request. To limit this, BIND supports several kinds of access control based on host and network addresses. • Confining named: to confine the damage from a compromise of named, it can be run in a chroot environment and/or as an unprivileged user (named -t chroot-dir -u user). The chroot directory must contain the files named normally requires to run: its configuration and zone files, the device nodes and libraries it needs, and a writable place for logs and slave zones.
Security contd. • Access Control Lists • help with 2 major DNS security issues: spoofing and denial of service attacks • every site should have at least 1 acl for bogus addresses and 1 for local addresses • Example: BOGUS - acl for bogus addresses (private, loopback and other ranges that should never be the source of a packet arriving from the Internet) and SAFE - acl for local addresses. The global options section then contains: allow-recursion { SAFE; }; blackhole { BOGUS; }; • Zone transfers can be limited to our own slave servers and to the machines of two Internet measurement projects that walk the reverse DNS tree to determine the size of the Internet. This is done with the line allow-transfer { ourslaves; measurements; }; which stops other sites from dumping our whole database in one transfer (individual records can of course still be queried one at a time).
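The ACL scheme from this slide written out in BIND 9 syntax, with the unrestricted configuration it replaces shown first. This is an added example, not configuration from the slides; the BOGUS and SAFE names are the slide's, while the address ranges, the ourslaves and measurements members, and the zone are assumptions (192.0.2.0/24 and 203.0.113.0/24 are documentation ranges).

```conf
// Added example (not from the slides). Weak configuration first: no
// allow-recursion, no blackhole, no allow-transfer, so anyone on the
// Internet can recurse through this server (an open resolver, usable for
// reflection/amplification) and anyone can AXFR the whole zone.
//
// options { directory "/var/named"; recursion yes; };
// zone "example.com" { type master; file "example.com.db"; };

// Hardened configuration. Address ranges below are assumptions.
acl BOGUS {
    0.0.0.0/8; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;   // "this" net and RFC 1918
    127.0.0.0/8; 169.254.0.0/16; 224.0.0.0/3;              // loopback, link-local, multicast and above
};
acl SAFE         { 127.0.0.1; 192.0.2.0/24; 2001:db8::/32; };  // our own networks
acl ourslaves    { 192.0.2.2; 192.0.2.3; };                     // our secondaries
acl measurements { 203.0.113.10; 203.0.113.11; };              // the measurement projects

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { SAFE; };                      // only our own clients may recurse
    blackhole { BOGUS; };                           // packets from these sources are dropped, and
                                                    // named never sends to them either
    allow-transfer { ourslaves; measurements; };    // global default for AXFR/IXFR
};

zone "example.com" {
    type master;
    file "example.com.db";
    allow-transfer { ourslaves; };                  // per-zone override, tighter than the global one
};
```

Two checks before deploying this: if the server itself sits on RFC 1918 addresses, those ranges must not be in BOGUS, since blackhole also stops named from answering or querying them; and allow-transfer only blocks bulk AXFR/IXFR, so the zone's individual records remain readable by anyone who can guess the names, and a DNSSEC-signed zone with NSEC records can still be walked.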
Security contd. • TSIG & TKEY • TSIG allows secure communication among servers through the use of transaction signatures. • It authenticates the sender and receiver and verifies that the data has not been tampered with. • It uses a symmetric scheme: both sides hold the same shared secret key and each message carries an HMAC computed with it (the data is signed, not encrypted). • A different key should be used for each pair of servers that communicate. • TKEY is a BIND 9 mechanism that allows hosts to generate a shared-secret key without having to distribute secret copies out of band. • It uses a Diffie-Hellman exchange: each side takes a random number, does some math on it and sends the result to the other side. • Each side then combines its own number with the received number to arrive at the same key.
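A TSIG-protected zone transfer between a primary and a secondary, showing the relevant part of both servers' named.conf in one block. This is an added example, not configuration from the slides; the key name, addresses and the placeholder secret are assumptions. A real secret is generated with dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST xfer.example.com. (newer BIND 9 releases also ship tsig-keygen) and, as the slide says, is used for one pair of servers only.

```conf
// Added example (not from the slides): TSIG between primary 192.0.2.1 and
// secondary 192.0.2.2. Key name, addresses and the secret are assumptions;
// the secret below is a placeholder, never a value to deploy.

// --- on the primary (192.0.2.1) ---
key "xfer.example.com." {
    algorithm hmac-sha256;          // hmac-md5 only if the peer is BIND 8 era
    secret "K2tqMPbB3d0B8nOHCznKhvkvK2LR0Sr1u0mZJp8XB3U=";   // placeholder
};

// Everything sent to this peer is signed with the key.
server 192.0.2.2 {
    keys { "xfer.example.com."; };
};

zone "example.com" {
    type master;
    file "example.com.db";
    // A transfer request must carry a valid signature; a matching source
    // address alone is not enough, which is what defeats spoofed AXFRs.
    allow-transfer { key "xfer.example.com."; };
};

// --- on the secondary (192.0.2.2) ---
key "xfer.example.com." {
    algorithm hmac-sha256;
    secret "K2tqMPbB3d0B8nOHCznKhvkvK2LR0Sr1u0mZJp8XB3U=";   // same shared secret
};

server 192.0.2.1 {
    keys { "xfer.example.com."; };  // sign SOA checks and AXFR/IXFR requests
};

zone "example.com" {
    type slave;
    masters { 192.0.2.1 key "xfer.example.com."; };
    file "slave/example.com.db";
};
```

Keep the file holding the key statement readable only by the user named runs as (put it in a separate file and include it), and keep both servers' clocks in sync: each TSIG signature carries a timestamp and is rejected outside a fudge window of 300 seconds by default, so a drifting clock looks exactly like a forged signature in the logs.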
Security contd. • DNSSEC • A set of DNS extensions that authenticate the origin of zone data and verify its integrity using public key cryptography. • It provides 3 distinct services: • key distribution by means of KEY resource records stored in the zone file (DNSKEY records in the current specification) • origin verification, i.e. proof that the data came from the zone's owner and not from a spoofing server • data verification, i.e. proof that the zone data has not been altered in transit or in a cache
Thank You!! Questions??