DNS & DHCP in the 21st Century
William D. Kramp, Network Administrator, Finger Lakes Community College

Resources
• DNS and BIND, 4th Edition, by Paul Albitz & Cricket Liu
• Microsoft Win2000 DNS Documentation: http://www.microsoft.com/TechNet/win2000/win2ksrv/reskit/tcpch06.asp
• Copy of the PowerPoint presentation: http://paws.flcc.edu/~krampwd/presentations/DNS/index.htm

Presentation Topics
• BIND 9.1.x DNS Features
• BIND 9.1.x Diagnostic Tools
• DNS Security Practices
• DNS Security Extensions
• DNS and DHCP with Win2000
What is DNS?
• DNS stands for Domain Name System.
• A distributed database that maps domain names to IP numbers.
• Developed in the mid-1980s to replace the use of the hosts file.
BIND 9.1.x DNS Features
• Multiple Views
• Multiprocessor Support
• IP Version 6
• A6
• DNAME
• Bitstring Labels
• Functional DNSSEC
BIND 9.1.x - Diagnostic Tools
• named-checkconf – Checks the configuration file (named.conf) for syntax errors.
• named-checkzone – Checks a specified zone file for syntax errors.
• Example: named-checkzone flcc.edu /path/db.flcc
DNS Security Practices
• Operating System Security
• Restricting Access
• Transaction Signatures (TSIG)
• List of BIND vulnerabilities: http://www.isc.org/products/BIND/bind-security.html
A Popular Port to Probe
• On DShield's web site, http://www.dshield.org, DNS was the single most probed port at 13%, with port 111 (rpc) second at 7%, on June 13, 2001.
• DShield takes reports from a range of sources, from firewalls such as Cisco and ipchains to IDSs such as Snort and ZoneAlarm.

Other monitoring sites
• http://www.mynetwatchman.com
• http://www.incidents.org (SANS)
• SANS runs the Consensus Intrusion Database, which compiles information from DShield, myNetWatchman, and other data sources.
Operating System Security
• Chroot DNS Server – Trap the name server in a subdirectory of the file system.
• Least Privilege – named normally runs as root. Change its owner and group to a user with lower privileges after it binds to port 53.

DNS Security Practices
• Hiding the BIND version.
• Restricting:
  • Query Requests
  • Recursion
  • Zone Transfers
  • Notify
• Sending DNS requests to the Blackhole
Security by Obscurity
• Stop BIND from providing its version number; advertising it makes it easier for Black Hats to find vulnerable servers.
• Command to see what your server reports: “dig @IP# txt chaos version.bind”
• In the options section: version “FLCC BIND”;
Restricting Query Access
• allow-query – Restricts who can look up information in local zones. This can be used to allow only local users to see an internal DNS (view).
• Example: allow-query { 172.19/16; };

Restricting Recursion
• allow-recursion – Restricts who can use the DNS server for recursive lookups. Leaving this open lets any remote user consume your DNS resources.
• Example: allow-recursion { 192.156.234/24; 199.29.9/24; };

Restricting Zone Transfer
• allow-transfer – Restricts which secondary DNS servers can perform zone transfers. You don’t want to give the Black Hats a road map of your site.
• Example: allow-transfer { 172.20.1.2; 172.20.1.3; }; or allow-transfer { none; };

Restricting Notify
• allow-notify – The primary server sends a NOTIFY message to the secondary to initiate a zone transfer; this directive restricts which hosts the secondary will accept NOTIFY from. Without it, a third party could launch a DoS attack by causing the secondary to repeatedly query the primary server.
• Example: allow-notify { 172.20.1.1; };

Restricting Dynamic Update
• allow-update – Allows the DNS zones to be updated with new Resource Records (RR). Win2000 depends on this feature to operate, but if left open it could be used by clients to make unauthorized additions to and deletions from the zone.
• Example: allow-update { none; };

Blackhole
• The blackhole directive tells the server to ignore any DNS requests or commands from a single IP or a list of IP ranges. It can also be used to block RFC1918 reserved addresses, multicast, etc.
• Example: blackhole { 172.21.0.0/16; };
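The restriction directives above, collected into one named.conf fragment as an added example (not from the presentation). The directory, file names, the primary/secondary addresses and the blocked ranges are assumptions; each directive's comment states what happens when it is left unset.

```conf
// Added example: hardened named.conf fragment (addresses and file names assumed).
options {
    directory "/var/named";

    // Report a fixed string for "version.bind" CH TXT queries.
    // Unset: BIND answers with its real release number.
    version "FLCC BIND";

    // Only internal hosts may query zones on this server.
    // Unset: any host may query.
    allow-query { 172.19/16; };

    // Only campus networks may use this server for recursive lookups.
    // Unset: any host on the Internet may consume recursion resources.
    allow-recursion { 192.156.234/24; 199.29.9/24; };

    // Server-wide default: no zone transfers unless a zone overrides it.
    // Unset: any host may pull a full copy of every zone.
    allow-transfer { none; };

    // Drop requests from, and never send queries to, these sources.
    // List only RFC1918 and multicast ranges your own network does not use.
    blackhole { 10.0.0.0/8; 224.0.0.0/4; };
};

// Primary zone: transfers only to the two secondaries; no dynamic update.
zone "flcc.edu" {
    type master;
    file "db.flcc";
    allow-transfer { 172.20.1.2; 172.20.1.3; };
    allow-update { none; };
};

// Secondary zone: accept NOTIFY only from the primary, so a third party
// cannot trigger repeated refresh queries against the secondary.
zone "library.flcc.edu" {
    type slave;
    file "bak.library";
    masters { 172.20.1.1; };
    allow-notify { 172.20.1.1; };
};
```

Run named-checkconf on the result before reloading; it catches a missing semicolon or brace but not an overly permissive address list, so review the lists by hand.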
Transaction Signatures (TSIG)
• TSIG uses a one-way hash function with a shared key to authenticate DNS responses and updates.
• Only useful between a small number of servers.
• A compromised server would expose the shared key of all the servers that use it.
• Used when IP-based security is not enough.
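A TSIG setup between one primary and one secondary, as an added example (not from the presentation). The key name, the peer address and the zone file are assumptions, and the secret is a placeholder: generate a real one on one server with `dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ns1-ns2.flcc.edu` and copy it to the other.

```conf
// Added example: TSIG-protected transfers and updates (names and addresses assumed).
// The secret below is a placeholder, not a usable key. Every server holding this
// key can sign messages under it, which is why the key list must stay short.
key "ns1-ns2.flcc.edu" {
    algorithm hmac-md5;
    secret "PLACEHOLDER-REPLACE-WITH-BASE64-SECRET";
};

// Sign every message sent to this peer. The secondary carries the same
// stanza pointing back at the primary's address.
server 172.20.1.2 {
    keys { "ns1-ns2.flcc.edu"; };
};

zone "flcc.edu" {
    type master;
    file "db.flcc";
    // A transfer now needs a valid signature, not just a source address,
    // which can be spoofed. Key elements can be mixed with addresses.
    allow-transfer { key "ns1-ns2.flcc.edu"; };
    // The same ACL form restricts dynamic update to signed requests.
    allow-update { key "ns1-ns2.flcc.edu"; };
};
```

Keep named.conf, or a separate file that holds the key statement and is pulled in with include, readable only by the user named runs as; a readable config leaks the secret to every local account.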
DNS Security Extensions
• DNSSEC
• RFC2535
• Updates: RFC3008, RFC3090, RFC3110
• Available in BIND 8.2, but not fully functional.
• Public Key Cryptography – Key pairs: one public, one private.

DNSSEC Information
• DNS Records
  • KEY
  • SIG
  • NXT
• Chain of Trust
DNS KEY Record
• The KEY record is used to publish the public key.
• The KEY record can also be used for other purposes, such as e-mail encryption.
• Various algorithms: RSA/MD5, Diffie-Hellman, DSA.

DNS SIG Record
• The SIG (Signature) record holds the digital signature of an RRset, generated with the private key.
• RRset
  • A Resource Record set is a collection of resource records with the same name, type and class.
• Used with Dynamic DNS

DNS NXT Record
• The NXT record is sent in response to a failed query.
• Provides the list of record types that exist at the queried name, plus the next domain name in the list.
• The list is composed of all the domain names in the zone, sorted in dictionary order, case-insensitively.
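The NXT chain for the library zone shown later in the deck, written in BIND zone-file syntax as an added example (not from the presentation). The owner names come from the deck's sample zone; the TTL and type lists are assumptions, and the SIG and KEY records a secure zone would also carry are omitted because real signature data cannot be shown here. Names are ordered label by label from the right (the canonical order RFC 2535 specifies), and the last NXT wraps around to the zone apex.

```zone
; Added example: NXT chain for library.flcc.edu (SIG/KEY data omitted, TTL assumed).
$ORIGIN library.flcc.edu.
$TTL 900
@            NXT _ldap._tcp.library.flcc.edu.   NS SOA KEY SIG NXT
_ldap._tcp   NXT chip.library.flcc.edu.         SRV SIG NXT
chip         NXT dale.library.flcc.edu.         A SIG NXT
dale         NXT library1.library.flcc.edu.     A SIG NXT
library1     NXT library10.library.flcc.edu.    A SIG NXT
library10    NXT library.flcc.edu.              A SIG NXT
; Negative answers this chain proves:
;  - query for gw.library.flcc.edu: the server returns dale's NXT; dale and
;    library1 are adjacent, so no name can exist between them.
;  - query for chip MX: the server returns chip's NXT; its type list has no MX.
; Each NXT is itself signed, so a forged "no such name" answer fails verification.
```

Note that library10 sorts before library2 in this order, because the names compare byte by byte and "library1" is a prefix of "library10"; a query for library2 is therefore answered by library10's NXT, the one that wraps to the apex.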
Chain of Trust
• Each RRset in a secure zone has a SIG record.
• The public KEY record is used to verify the SIG record.
• The public KEY record is certified by a higher authority (the .edu zone).
• The KEY record of the .edu zone is certified by the root servers.

DNS and DHCP with Win2000
• DNS and DHCP are the backbone of the operation of Windows 2000. LDAP and Kerberos also play a big part in forming Active Directory (AD).
• Wave goodbye to WINS and browsing!!!

Windows Dynamic DNS
• RFC-compliant DNS service.
• Windows relies on dynamic DNS to operate. Win2000 clients and servers register with the DNS server to provide a name and corresponding IP number. They also register service (SRV) record information as needed.
SRV Records
• SRV records are used for locating services.
• Example: _ldap._tcp.library.flcc.edu
  • The first label (_ldap) specifies the LDAP service.
  • The second label (_tcp) specifies the protocol.
  • The domain name then follows.

SRV Records, Part 2
• Static IP numbers don’t have to be assigned to the servers, since they will be dynamically registered in the zone.
• Problem: some network devices can only use static IP numbers for connecting to the servers.
Sample of Library DNS Zone
  _ldap._tcp      600 SRV 0 100 389 dale.library.
                  600 SRV 0 100 389 chip.library.
  _kerberos._udp  600 SRV 0 100 88  dale.library.
                  600 SRV 0 100 88  chip.library.
  chip            900 A   172.21.4.7
  dale            900 A   172.21.4.9
  library1        900 A   172.21.4.10
  library10       900 A   172.21.4.14
Windows DHCP Security
• Windows supports several features for securing DNS and DHCP.
• Windows 2000 DHCP servers cannot hand out IPs without first being registered with the local AD server.
• They can also detect and log the IP of rogue DHCP servers.

Windows Dynamic Update
• During the DHCP process, the Win2000 client sends the DHCP server a DHCPREQUEST packet with the FQDN option.
• The FQDN option has several flags that indicate whether the client will register with the DNS server itself, or whether the DHCP server should do it.

Registering with DDNS
• If the Windows 2000 client performs the registration with the Dynamic DNS server, it first checks whether an address record is already registered for the domain name, or an alias.
• If neither exists, it sends a dynamic update to the DDNS server.

Non-Win2000 Client Updates
• Clients that are not running Windows 2000 (Win98/98, NT, Linux, Macs) will not send the FQDN option.
• If the DHCP server is configured to perform the dynamic update, it will automatically do so for the client.

Statically Configured Win2000
• Windows 2000 clients that are statically configured with an IP address will still dynamically update the DNS server.
• Every 24 hours, or after a reboot, the Win2000 clients (and servers) attempt to register their A, PTR, and other Resource Records.

Secure Dynamic Update
• Normal dynamic DNS updates are open for abuse.
• Microsoft offers a secure update service which uses a GSS algorithm for TSIG (an IETF Internet-Draft).
• Uses Kerberos for authentication.
• Won’t work with non-Win2000 clients.

Stale DNS Records
• Over time, dynamic DNS entries will be left behind in the zones.
• Clients and DHCP servers are supposed to remove their Resource Records automatically.
• But if clients are not shut down properly, or if the network is disrupted…
Scavenging DNS Records
• Windows 2000 DNS servers can be set to scavenge stale DNS records, but it is not the default setting.
• Be sure you understand all the ramifications before enabling it.
• Scavenging can be enabled by server, zone, or record.