A bit of Bind (Part II)

For today i have the second part of bind. In this part i’ll explain how to ensure our environment and prevent the DNS cache spoofing with the DNS extensions DNSSEC. DNSSEC offers the authenticity and integrity of the DNS records, not encrypt the communication between servers or clients.

Image

First we’ll jail the named service in a chroot environment and limit user (named). In this part we have to do both the parent and the subdomain servers:
Chroot bind jail (Parent domain && subdomain)

1.- Create directory tree:


# mkdir /var/named/chroot/

# mkdir -p /var/named/chroot/var/run

# mkdir /var/named/chroot/var/named

# mkdir /var/named/chroot/dev

# mkdir -p /var/named/chroot/etc/named

# mkdir -p /var/named/chroot/usr/lib/bind

# cp /etc/named.conf /var/named/chroot/etc/named.conf

# cp /var/named/* /var/named/chroot/var/named

# chown -R named:named /var/named/chroot/

# chmod -R 700 /var/named/chroot/


2- Create special files used by named:


# mknod /var/named/chroot/dev/null c 1 3

# mknod /var/named/chroot/dev/random c 1 8

# chmod 666 /var/named/chroot/dev/{null,random}

3.- In /etc/default/named add:


ROOTDIR="/var/named/chroot"

4.- Edit SELINUX file (/etc/selinux/config) and disable it persistent:


SELINUX=disabled

5.- Disable SELINUX for now:


# setenforce 0

6.- Restart named:



# service named restart

7.- Check the named service is running in the new directory:


# ps aux | grep bind

Image

In DNSSEC appear new register records:

  • DNSKEY: is the public key, each zone has two keys KSK (key sign key) and ZSK (zone sign key) and appears in the zone file.

  • RRSIG: is the sign of each RRset.

  • NSEC: is used by negative answer, and ensure the register request don’t exist.

  • DS: is the sign of a DNSKEY. This register appears in the parent zone and ensure the authenticity of the public key subdomain.

Image

The KSK is used to sign the ZSK and the ZSK for sign the zones. In this scenario we have 2 servers one parent domain (mydomain.com) and one subdomain (subdomain.mydomain.com), with this servers we’ll create a chain of trust.

First we’ll generate the pair of keys ZSK and KSK, in each server. Next we have to include the public keys in the zone file and sign the subdomain server. When we sign the subdomain server, generate two files the file zone signed and the DS record for the parent domain, we have to copy this file and include this record on file zone parent, then we can sign the parent zone.

DNSSEC

Parent domain && Subdomain

1.- Generate the pair keys KSK and ZSK:


# dnssec-keygen -a rsasha1 -b 1024 -r /dev/urandom -n ZONE mydomain.com

# dnssec-keygen -a rsasha1 -b 2048 -r /dev/urandom -n ZONE -f KSK mydomain.com

2.- Add the KSK and ZSK to te zone files:

Image

-Parent domain:


# cat Kmydomain.com.+005+14091.key >> /var/named/chroot/var/named/zone.mydomain.com


# cat Kmydomain.com.+005+65187.key >> /var/named/chroot/var/named/zone.mydomain.com

- Subdomain:



# cat Ksubdomain.mydomain.com.+005+65187.key >> /var/named/chroot/var/named/zone.subdomain.mydomain

# cat Ksubdomain.mydomain.com.+005+12934.key >> /var/named/chroot/var/named/zone.subdomain.mydomain

Subdomain

1.- Sign zone subdomain.mydomain.com:


# dnssec-signzone -o subdomain.mydomain.com /var/named/chroot/var/named/zone.subdomain.mydomain

2.- Edit /var/named/chroot/etc/named.conf:


dnssec-enable yes;

file "zone.subdomain.mydomain.signed";

3.- copy the dsset file to domain parent (this require enable ssh server in the domain parent)



# scp /var/named/chroot/var/named/dsset-subdomain.mydomain.com 192.168.1.34:/var/named/chroot/var/named/dsset-subdomain.mydomain.com

4.- Restart named


# service named restart

Parent Domain

1.- add the dsset to the zone file:



# cat /var/named/chroot/var/named/dsset-subdomain.mydomain.com >> /var/named/chroot/var/named/zone.mydomain.com
2.- Sign the zone:


# dnssec-signzone -o mydomain.com /var/named/chroot/var/named/zone.mydomain.com

3.- change the file name and enable dnssec in /var/named/chroot/etc/named.conf:


# dnssec-enable yes;

file “zone.mydomain.com.signed”;

Final checks

1.- A negative answer with NSEC:



# dig +dnssec @192.168.1.37 ppp.subdomain.mydomain.com


Image

2.- Check the DNSSEC set of the subdomain server:



# dig +dnssec @192.168.1.37 subdomain.mydomain.com

Image

More in the next post!! Bye bye!!

Nhận xét

Đăng nhận xét

Bài đăng phổ biến từ blog này

CLEANING UP THE ZABBIX DATABASE

My Zabbix database size increased a lot in the last few months and since my disk was running out space, I decided to clean up the old events from the database. Looking at the database tables, the biggest one was  history_uint , which holds the items history data – over 400 millions of records and over 30 Gb of disk space before the clean up. Since deleting the old records from this table directly would be a very slow process, I decided to create a new table and insert the latest records from the  history_uint  table and then just replace the old table with a new one. Since this is not an offical procedure, use it at your own risk. Environment: Zabbix v2.2 MySql 5.1 – InnoDB with  innodb_file_per_table=ON Step 1 – Stop the Zabbix server Step 2 – Open your favourite MySQL client and create a new table CREATE TABLE  history_uint_new  LIKE  history_uint; Step 3 – Insert the latest records from the  history_uint  table to the...
Đọc thêm

Configuring DHCP Relay service on the FortiGate unit

Configuring DHCP Relay service on the FortiGate unit If the clients are configured to obtain a IP address using DHCP relay, configure the FortiGate server as below: To configure DHCP relay on the FortiGate unit   1. Go to System > Network > Interfaces and select Interface want to configure DHCP relay.   2. Enable DHCP Server in the interface and choose Advanced   3. For Mode, select Relay.   4. In Type select Regular.   5. Select OK.   6. If a router is installed between the FortiGate unit and the DHCP server, define a static route to the DHCP server. Note : Sometimes it is required to specify more than one DHCP relay IP, to allow for the coverage of additional LAN subnets. Although the Web Based Manager (GUI) does not provide an option to configure this, it is possible to set up to 8 IPs from the CLI.       config system interface             edit <REQUIRED_INTERFACE_HERE>   ...
Đọc thêm

[Resolved] Amazon EC2 Redhat 7 using 6GB for the root space

Hình ảnh
I create new server with 10GB of HDD, but when i check on the command line, the root space only show 6GB. I'm using t2.micto and Redhat 7.0, disk type: XFS. - xvda1: boot partition - xvda2: root partition Fix Step: We have instance A with the volume VA. 1) Stop the current instace A 2) Snapshot the current volume VA of the instance A 3) Start the instance A 4) Create new volume with 25GB by using the snapshot of volume VA then we have new volume VB 5) Attach the new volume VB to the instance A as default (/dev/sdf) 6) From the ssh console, i use the lsblk command to list the disk. # lsblk 7) Using the xfs_repair to repair the /dev/xvdf2 ( yum install xfsprogs) # xfs_repair /dev/xvdf2 8) Continue as the image below 9) Remove the /dev/xvdf2, remember the start of this disk then we will create the new one with the same. 10) Using XFS command to repair the /dev/xvdf2 again. # xfs_repair /dev/xvdf2 11) Use the lsblk co...
Đọc thêm