Module 10 Advanced Topics

Basic dns-mod



Page 2: DNS and DHCP

- DHCP can be configured to auto-update (using DDNS) the forward and reverse map zones
- Can be secured using allow-update (IP and crypto) or update-policy (crypto only)
- Crypto may use TSIG or SIG(0)
- Used by AD extensively
- Interaction between AD and BIND9

Page 3: DNS - DHCP

Page 4: DNS - Security Overview

Page 5: DNS and Security

- Local (1) is admin based: a variety of sysadmin techniques (permissions), chroot (jail)
- DDNS (2): inhibit, or use IP/crypto controls
- Zone transfers (3): inhibit, or use IP/crypto controls
- Resolver (4): DNSSEC - viable
- Resolver (5): DNSSEC - not viable

Page 6: Open vs Closed Resolvers

- An open resolver allows anyone, anywhere to query your resolver
- DDoS amplification attacks
- recursion yes; is the default
- Big deal: ~50% of resolvers were open
- BIND 9.4: partial close using allow-query-cache {localnets; localhost;};
- Always use allow-recursion with an explicit list (use an ACL clause for big lists)

Page 7: Closing DNS - Techniques

# If authoritative servers (master/slave)
# inhibit all recursion
recursion no;

# if master/slave with caching (hybrid) or caching only (resolver)
# use an appropriate local address scope statement
# to limit recursion requests to local users
allow-recursion {192.168.2.0/24;}; // change IPs as required

# OR if the DNS server's IPs and netmasks cover the whole
# local network you can use:
allow-recursion {"localnets"; "localhost";};

# personal DNS
# hard limits on reading
listen-on {127.0.0.1;}; // or listen-on {localhost;};
listen-on-v6 {::1;}; // OR listen-on-v6 {localhost;};
# OR
allow-recursion {"localhost";};

Page 8: DNS - Uses

- DNSBL - DNS Blacklist: used for email blacklists
- Whitelists
- ENUM: maps E.164 (telephone numbers)
- Generic principle: add some (processed) name to a base name to get a DNS response

Page 9: DNS - DNSBL

$TTL 2d     ; default RR TTL
$ORIGIN blacklist.example.com.
@       IN SOA ns1.example.com. hostmaster.example.com. (
                2003080800 ; se = serial number
                3h         ; ref = refresh
                15m        ; ret = update retry
                3w         ; ex = expiry
                3h         ; min = minimum
                )
        IN NS ns1.example.com.
        IN NS ns2.example.com.
; black list records - uses origin substitution rule (order unimportant)
2.0.0.127       IN A 127.0.0.2 ; allows testing
; black list RRs
135.2.168.192   IN A 127.0.0.2 ; or some result code address
                IN TXT "Optional-explanation for black listing"
; the above entries expand to 135.2.168.192.blacklist.example.com
...
135.17.168.192  IN A 127.0.0.2 ; generic list
...

Page 10: DNS - Other Lists

$TTL 2d     ; default RR TTL
$ORIGIN whitelist.example.com.
...
; white list records - using origin substitution rule
; order not important other than for local usage reasons
; normal whitelist RRs
; by convention this address should be listed to allow for external testing
2.0.0.127       IN A 127.0.0.2
; black list RRs
135.2.168.192   IN A 127.0.0.2 ; or some result code address
                IN TXT "Optional-explanation for listing"
; the above entries expand to 135.2.168.192.whitelist.example.com
...
135.17.168.192  IN A 127.0.0.2 ; generic list
...
; name based RRs for white listing
friend.com      IN A 127.0.0.1 ; all domain email addresses
                IN TXT "Optional-explanation for listing"
; expands to friend.com.whitelist.example.com
joe.my.my       IN A 127.0.0.2 ; single address
; expands to joe.my.my.whitelist.example.com
...
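As an added worked example (not from the slides), the origin-substitution rule of the DNSBL and whitelist zones above and the ENUM mapping from the Uses slide, in Python: it builds the query name a client sends, then simulates the lookup against a constructed copy of the blacklist records. The record set, the "listed" interpretation of 127.0.0.0/8 answers and the function names are assumptions.

```python
import ipaddress

# Constructed sample mirroring the slide's blacklist zone: owner names are
# relative to $ORIGIN blacklist.example.com. and map to (A, TXT) data.
BLACKLIST_ORIGIN = "blacklist.example.com."
BLACKLIST_RECORDS = {
    "2.0.0.127": ("127.0.0.2", "test entry"),  # conventional test address
    "135.2.168.192": ("127.0.0.2", "Optional-explanation for black listing"),
    "135.17.168.192": ("127.0.0.2", "generic list"),
}


def dnsbl_query_name(ip, base):
    """Reverse the IPv4 octets and prepend them to the list's base name."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{base}"


def enum_query_name(e164_number, base="e164.arpa."):
    """Same principle for ENUM: one label per E.164 digit, in reverse order."""
    digits = [ch for ch in e164_number if ch.isdigit()]
    if not digits:
        raise ValueError("no digits in E.164 number")
    return ".".join(reversed(digits)) + "." + base


def dnsbl_lookup(ip, records=BLACKLIST_RECORDS, origin=BLACKLIST_ORIGIN):
    """Simulate the zone's origin substitution: strip the origin from the
    query name and look up the relative owner. Returns (A, TXT) or None."""
    fqdn = dnsbl_query_name(ip, origin)
    relative_owner = fqdn[: -(len(origin) + 1)]  # drop ".<origin>"
    return records.get(relative_owner)


def is_listed(ip, records=BLACKLIST_RECORDS, origin=BLACKLIST_ORIGIN):
    """A client treats any 127.0.0.0/8 answer as listed; no record (NXDOMAIN) as not."""
    hit = dnsbl_lookup(ip, records, origin)
    if hit is None:
        return False
    return ipaddress.IPv4Address(hit[0]) in ipaddress.IPv4Network("127.0.0.0/8")


if __name__ == "__main__":
    for ip in ("192.168.2.135", "127.0.0.2", "10.0.0.1"):
        print(dnsbl_query_name(ip, BLACKLIST_ORIGIN), "->", is_listed(ip))
    print(enum_query_name("+44 20 7946 0123"))
```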

Page 11: DNS - Best Practices

- Don't mix authoritative and caching (practical only for big sites)
- Configurations: document config file changes; don't assume defaults - be explicit; closed resolvers
- Zone files: document changes; use $ORIGIN (with dot!); be consistent with names (without $ORIGIN)

Page 12: DNS Resources

- http://www.zytrax.com/books/dns
- http://www.isc.org (BIND 9)
- www.dnssec-deployment.org
- www.dnssec.net (info portal)
- Pro DNS and BIND!

Page 13: Quick Quiz

- Can DHCP be used to update the reverse map file?
- Name at least two security threats.
- Why is an OPEN DNS a Bad Thing?
- Name at least one other use for DNS.
- Why is $ORIGIN important?