1 / 21

Enhancing DNS Security: Upgrade to BIND 9 and Secure Your Nameservers

Explore the importance of upgrading BIND for better performance and new features, along with securing your nameservers to protect valuable data from intruders. Learn about restricting recursion, separating recursive and authority servers, and implementing transaction signatures for enhanced security.

kkeil
Download Presentation

Enhancing DNS Security: Upgrade to BIND 9 and Secure Your Nameservers

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. DNS Session 5Additional Topics • Joe Abley • AfNOG 2007, Abuja, Nigeria

  2. Upgrading BIND

  3. Why Upgrade? • Almost all software has bugs • Although BIND 9 is much more conservative than previous versions, it is not immune to software defects • Better performance • New features

  4. Where to Find BIND • http://www.isc.org/sw/bind/ • ftp://ftp.isc.org/isc/bind9/ • Today, the recommended version to run is BIND 9.3.2 • Maybe 0.01% of people have a reason to run BIND 8 instead of BIND 9 • Nobody has a reason to run BIND 4

  5. Warning! • Many operating systems come with BIND built-in • If you compile your own, you may end up with two copies of BIND on the same server • confusing • annoying

  6. Securing Nameservers

  7. Host Security • Your authority servers contain valuable data • If intruders can change the records in your zones, this could spell trouble • phishing • denial-of-service • Long TTLs can make changes hard to back out (why?)

  8. Restricting Recursion • Why control which clients can perform recursive lookups? • cache poisoning • server load • network load • reflection attacks

  9. Separate Recursive and Authority Servers • Avoid serving stale zones authoritatively • Avoiding exposing nameservers to cache poisoning attacks is even more important when the potential client population is large, and the answers are marked authoritative

  10. Host Local Zones Locally • Avoid leaking queries for private zones • Avoid unnecessary query loads on the root servers, or on the AS112 servers • Avoid calling ISC complaining that prisoner.iana.org is attacking you on port 53

  11. By the Way... • Encourage people who run your network to read and understand BCP 38 • http://www.ietf.org/rfc/rfc2827.txt • Preventing source spoofing helps reduce the opportunity for many attacks, including Reflection Attacks

  12. Restricting AXFR/IXFR • People can extract information about you and your customers by reading your zones • hosts to try and attack (e.g. ssh brute force attacks) • mail servers to exploit (e.g. relay attempts, dictionary attacks) • cache poisioning opportunities

  13. Transaction Signatures (TSIG) • Master and slave servers: • share a common secret key • agree on the key name • have clocks which are approximately in sync (e.g. they both use NTP) (why?) • The shared information is used to authenticate a client to a server

  14. Zone Transfers • TSIG is most-commonly used to authenticate slave servers to master servers during zone transfers • alternative to using source IP address ACLs • better than IP address ACLs (why?)

  15. Secrets, Secrets • If you don’t run the slave servers and the mater servers yourself, you need a way to distribute the secret key to the slave server operator • how? • You also probably want to change the key every now and then (why?)

  16. DNS Security

  17. DNS Insecurity? • How can you trust answers you get from a cache? • How can a cache trust the answers it gets from authority servers? • How do you know that the www.cenbank.org address you obtained is genuine?

  18. DNSSEC • DNSSEC is a 10+ year effort to introduce security into the DNS • Secures the data in the DNS, not the transport • Provides a way for clients to be able to judge the security of data they extract from the DNS

  19. General Concepts • Public Key Cryptography • Clients obtain a trusted copy of a public key used to sign the root zone • Each zone includes a signed copy of the public key of each signed daughter zone • All resource records in a signed zones are signed by a zone-signing key

  20. Detailed Description • Ha ha, not here! • Maybe if you have a spare week!

  21. Questions?

More Related