1 / 13

Module 10

Module 10. Advanced Topics. DNS and DHCP. DHCP can be configured to auto-update (using DDNS) the forward and reverse map zones Can be secured using allow-update (IP and crypto) or update-policy (crypto only) Crypto may use TSIG or SIG(0) Used by AD extensively

zia-beck
Download Presentation

Module 10

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Module 10 Advanced Topics

  2. DNS and DHCP • DHCP can be configured to auto-update (using DDNS) the forward and reverse map zones • Can be secured using allow-update (IP and crypto) or update-policy (crypto only) • Crypto may use TSIG or SIG(0) • Used by AD extensively • Interaction between AD and BIND9

  3. DNS - DHCP

  4. DNS - Security Overview

  5. DNS and Security • Local (1) is admin based • Variety of sysadmin techniques (permissions) • Chroot (jail) • DDNS (2) - inhibit or use IP/Crypto controls • Zone Transfers (3) - inhibit or use IP/Crypto controls • Resolver (4) - DNSSEC - viable • Resolver (5) - DNSSEC - not viable

  6. Open vs Closed Resolvers • Allows anyone, anywhere to query your resolver • DDoS amplification attacks • recursion yes; defaulted • Big Deal • ~50% of resolvers were open • BIND9.4 partial close using allow-query-cache {localnets; localhost;}; • Always use allow-recursion with explicit list (use ACL clause for big lists)

  7. Closing DNS - Techniques # If authoritative servers (master/slave) # inhibit all recursion recursion no; # if master/slave with caching (hybrid) or caching only (resolver) # use an appropriate local address scope statement # to limit recursion requests to local users allow-recursion {192.168.2.0/24;}; // change IPs as required # OR if the DNS server's IPs and netmasks cover the whole # local network you can use: allow-recursion {"localnets";”localhost”;}; # personal DNS # hard limits on reading listen-on {127.0.0.1;}; // or listen-on {localhost;}; listen-on-v6 {::1;}; // OR listen-on-v6 {localhost;}; # OR allow-recursion {"localhost";};

  8. DNS - Uses • DNSBL - DNS Blacklist • Used for email blacklists • Whitelists • ENUM • Maps E.164 (Telephone numbers) • Generic Principle of adding some (processed) name to a base name to get a DNS response

  9. DNS - DNSBL $TTL 2d # default RR TTL $ORIGIN blacklist.example.com. IN SOA ns1.example.com. hostmaster.example.com.( 2003080800 ; se = serial number 3h ; ref = refresh 15m ; ret = update retry 3w ; ex = expiry 3h ; min = minimum ) IN NS ns1.example.com. IN NS ns2.example.com. # black list records - uses origin substitution rule (order unimportant) 2.0.0.127 IN A 127.0.0.2 # allows testing # black list RRs 135.2.168.192 IN A 127.0.0.2 # or some result code address IN TXT "Optional-explanation for black listing" # the above entries expands to 135.2.168.192.blacklist.example.com ... 135.17.168.192 IN A 127.0.0.2 # generic list ...

  10. DNS - Other Lists $TTL 2d # default RR TTL $ORIGIN whitelist.example.com. ... # white list records - using origin substitution rule # order not important other than for local usage reasons # normal whitelist RRs # by convention this address should be listed to allow for external testing 2.0.0.127 IN A 127.0.0.2 # black list RRs 135.2.168.192 IN A 127.0.0.2 # or some result code address IN TXT "Optional-explanation for listing" # the above entries expand to 135.2.168.192.blacklist.example.com ... 135.17.168.192 IN A 127.0.0.2 # generic list ... # name based RRs for white listing friend.com IN A 127.0.0.1 # all domain email addresses IN TXT "Optional-explanation for listing" # expands to friend.com.whitelist.example.com joe.my.my IN A 127.0.0.2 # single address # expands to joe.my.my.whitelist.example.com ...

  11. DNS - Best Practices • Don't mix Authoritative and caching • practical only for big sites • Configurations • document config file changes • don't assume defaults - be explicit • Closed resolvers • Zone files • document changes • use $ORIGIN (with dot!) • Be consistent with names (w/o $ORIGIN)

  12. DNS Resources • http://www.zytrax.com/books/dns • http://www.isc.org (BIND 9) • www.dnssec-deployment.org • www.dnssec.net (info portal) • Pro DNS and BIND!

  13. Quick Quiz • Can DHCP be used to update the reverse map file? • Name at least two security threats. • Why is an OPEN DNS a Bad Thing? • Name at least one other use for DNS. • Why is $ORIGIN important?

More Related