130 likes | 237 Views
Module 10. Advanced Topics. DNS and DHCP. DHCP can be configured to auto-update (using DDNS) the forward and reverse map zones Can be secured using allow-update (IP and crypto) or update-policy (crypto only) Crypto may use TSIG or SIG(0) Used by AD extensively
E N D
Module 10 Advanced Topics
DNS and DHCP • DHCP can be configured to auto-update (using DDNS) the forward and reverse map zones • Can be secured using allow-update (IP and crypto) or update-policy (crypto only) • Crypto may use TSIG or SIG(0) • Used by AD extensively • Interaction between AD and BIND9
DNS and Security • Local (1) is admin based • Variety of sysadmin techniques (permissions) • Chroot (jail) • DDNS (2) - inhibit or use IP/Crypto controls • Zone Transfers (3) - inhibit or use IP/Crypto controls • Resolver (4) - DNSSEC - viable • Resolver (5) - DNSSEC - not viable
Open vs Closed Resolvers • Allows anyone, anywhere to query your resolver • DDoS amplification attacks • recursion yes; defaulted • Big Deal • ~50% of resolvers were open • BIND9.4 partial close using allow-query-cache {localnets; localhost;}; • Always use allow-recursion with explicit list (use ACL clause for big lists)
Closing DNS - Techniques # If authoritative servers (master/slave) # inhibit all recursion recursion no; # if master/slave with caching (hybrid) or caching only (resolver) # use an appropriate local address scope statement # to limit recursion requests to local users allow-recursion {192.168.2.0/24;}; // change IPs as required # OR if the DNS server's IPs and netmasks cover the whole # local network you can use: allow-recursion {"localnets";”localhost”;}; # personal DNS # hard limits on reading listen-on {127.0.0.1;}; // or listen-on {localhost;}; listen-on-v6 {::1;}; // OR listen-on-v6 {localhost;}; # OR allow-recursion {"localhost";};
DNS - Uses • DNSBL - DNS Blacklist • Used for email blacklists • Whitelists • ENUM • Maps E.164 (Telephone numbers) • Generic Principle of adding some (processed) name to a base name to get a DNS response
DNS - DNSBL $TTL 2d # default RR TTL $ORIGIN blacklist.example.com. IN SOA ns1.example.com. hostmaster.example.com.( 2003080800 ; se = serial number 3h ; ref = refresh 15m ; ret = update retry 3w ; ex = expiry 3h ; min = minimum ) IN NS ns1.example.com. IN NS ns2.example.com. # black list records - uses origin substitution rule (order unimportant) 2.0.0.127 IN A 127.0.0.2 # allows testing # black list RRs 135.2.168.192 IN A 127.0.0.2 # or some result code address IN TXT "Optional-explanation for black listing" # the above entries expands to 135.2.168.192.blacklist.example.com ... 135.17.168.192 IN A 127.0.0.2 # generic list ...
DNS - Other Lists $TTL 2d # default RR TTL $ORIGIN whitelist.example.com. ... # white list records - using origin substitution rule # order not important other than for local usage reasons # normal whitelist RRs # by convention this address should be listed to allow for external testing 2.0.0.127 IN A 127.0.0.2 # black list RRs 135.2.168.192 IN A 127.0.0.2 # or some result code address IN TXT "Optional-explanation for listing" # the above entries expand to 135.2.168.192.blacklist.example.com ... 135.17.168.192 IN A 127.0.0.2 # generic list ... # name based RRs for white listing friend.com IN A 127.0.0.1 # all domain email addresses IN TXT "Optional-explanation for listing" # expands to friend.com.whitelist.example.com joe.my.my IN A 127.0.0.2 # single address # expands to joe.my.my.whitelist.example.com ...
DNS - Best Practices • Don't mix Authoritative and caching • practical only for big sites • Configurations • document config file changes • don't assume defaults - be explicit • Closed resolvers • Zone files • document changes • use $ORIGIN (with dot!) • Be consistent with names (w/o $ORIGIN)
DNS Resources • http://www.zytrax.com/books/dns • http://www.isc.org (BIND 9) • www.dnssec-deployment.org • www.dnssec.net (info portal) • Pro DNS and BIND!
Quick Quiz • Can DHCP be used to update the reverse map file? • Name at least two security threats. • Why is an OPEN DNS a Bad Thing? • Name at least one other use for DNS. • Why is $ORIGIN important?