Secured Dynamic Updates

Similar documents
Domain Name System - Advanced Computer Networks

By Paul Wouters

DEPLOY A DNS SERVER IN A SECURE WAY

Configuration of Authoritative Nameservice

Root Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail

Maintained and stored on the domain s master name server Two types of entries. Used to store the information of The real part of DNS database

Computer Center, CS, NCTU. Outline. Installation Basic Configuration

USING TRANSACTION SIGNATURES (TSIG) FOR SECURE DNS SERVER COMMUNICATION

OPS535 Lab 5. Dynamic DNS. RFC 2136 Dynamic Updates in the Domain Name System (DNS UPDATE)

CIA Lab Assignment: Domain Name System (1)

Reverse DNS Overview

certbot-dns-rfc2136 Documentation

APNIC elearning: DNS Concepts

DNS Mark Kosters Carlos Martínez ARIN - LACNIC

Authoritative-only server & TSIG

Overview. Last Lecture. This Lecture. Next Lecture. Scheduled tasks and log management. DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly

DNS Session 2: DNS cache operation and DNS debugging. Joe Abley AfNOG 2006 workshop

New Challenges and Dangers for the DNS. Jim Reid ORIGIN TIS-INS

Lab 6 Implementing DNSSEC

SOFTWARE USER MANUAL (SUM): TRAINING, PROCEDURAL, AND DEVELOPMENT DOCUMENTATION

DNSSEC Operational HOWTO. Contents. Olaf M. Kolkman. RIPE NCC November 12, 2002 Revision : 1.3. I DNSSEC Tutorial 4

DNS Session 2: DNS cache operation and DNS debugging. How caching NS works (1) What if the answer is not in the cache? How caching NS works (2)

DNS Configuration Guide. Open Telekom Cloud

APNIC DNS/DNSSEC Workshop

DNS. Karst Koymans & Niels Sijm. Friday, September 14, Informatics Institute University of Amsterdam

DNS. Introduction To. everything you never wanted to know about IP directory services

DNS / DNSSEC Workshop. bdnog November 2017, Dhaka, Bangladesh

Managing Authoritative DNS Server

Experience from a Swedish Agency and a Nordic operator

Based on Brian Candler's materials ISOC CCTLD workshop

Oversimplified DNS. ... or, even a rocket scientist can understand DNS. Step 1 - Verify WHOIS information

Domain Name System (DNS) Session 2: Resolver Operation and debugging. Joe Abley AfNOG Workshop, AIS 2017, Nairobi

Managing Zones. Staged and Synchronous Modes CHAPTER. See Also

DNSSEC All You Need To Know To Get Started

Dynamic Registry Updates. John Dickinson Senior Researcher Nominet UK

Some advanced topics. Karst Koymans. Tuesday, September 16, 2014

DNS Session 1: Fundamentals. Based on Brian Candler's materials ISOC CCTLD workshop

BIND 9 Administrator Reference Manual

RHCE BOOT CAMP BIND. Wednesday, November 28, 12

6to4 reverse domain delegation in ip6.arpa

How to Add Domains and DNS Records

DNS. dr. C. P. J. Koymans. September 16, Informatics Institute University of Amsterdam. dr. C. P. J. Koymans (UvA) DNS September 16, / 46

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration. Chapter 5 Introduction to DNS in Windows Server 2008

Welcome! Acknowledgements. Introduction to DNS. cctld DNS Workshop October 2004, Bangkok, Thailand

1 Release Notes for BIND Version b1

1 Release Notes for BIND Version

DNS. Some advanced topics. Karst Koymans. Informatics Institute University of Amsterdam. (version 17.2, 2017/09/25 12:41:57)

DNS & DHCP CONFIGURATION

Domain Name System Security

Local DNS Attack Lab. 1 Lab Overview. 2 Lab Environment. 2.1 Install and configure the DNS server. SEED Labs Local DNS Attack Lab 1

DNS Concepts. Acknowledgements July 2005, Thimphu, Bhutan. In conjunction with SANOG VI. Bill Manning Ed Lewis Joe Abley Olaf M.

Web Portal User Manual for

Linux Network Administration

1 Release Notes for BIND Version

BIND 9 Administrator Reference Manual. BIND Version P3

Scott Rose, NIST Winter JointTechs Meeting Jan 30, 2011 Clemson University

Domain Name System Security

Running the Setup Web UI

Configuring DNS. Finding Feature Information

Table of Contents DNS. Short history of DNS (1) DNS and BIND. Specification and implementation. A short history of DNS.

IT341 Introduction to System Administration Project V Implementing DNS

Domain Name System Security

DNSSEC for Humans and BIND 10. Paul Vixie Internet Systems Consortium June 9, 2011

DNSSEC HOWTO. A Tutorial in Disguise. Olaf Kolkman, RIPE NCC Published September, $Revision: $

DNS / DNSSEC Workshop. bdnog May 2017, Bogra, Bangladesh

Setting up DHCP, DNS and NFS on the CLTC Server

Session J9: DNSSEC and DNS Security

Course Outline: Linux Professional Institute-LPI 202. Learning Method: Instructor-led Classroom Learning. Duration: 5.00 Day(s)/ 40 hrs.

This time. Digging into. Networking. Protocols. Naming DNS & DHCP

BIG-IP DNS Services: Implementations. Version 12.0

Much is done on the Server, it20:

Lesson 9: Configuring DNS Records. MOAC : Administering Windows Server 2012

BIG-IP DNS Services: Implementations. Version 12.1

Networking Applications

DNS Mark Kosters Carlos Martínez {ARIN, LACNIC} CTO

TWNIC DNS 網路安全研討會安全問題之解決對策 (DNSSEC) Why do we need DNSSEC? Many application depend on DNS DNS is not secure. There are known vulnerabilities

An Overview of DNSSEC. Cesar Diaz! lacnic.net!

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

Migrating an OpenDNSSEC signer (February 2016)

S Computer Networks - Spring What and why? Structure of DNS Management of Domain Names Name Service in Practice

1 Release Notes for BIND Version b2

IPv6 Support in the DNS. Athanassios Liakopoulos 6DEPLOY IPv6 Training, Skopje, June 2011

Domain Name System (DNS)

Outline NET 412 NETWORK SECURITY PROTOCOLS. Reference: Lecture 7: DNS Security 3/28/2016

CSE 265: System & Network Administration

Remote DNS Cache Poisoning Attack Lab

The Domain Name System

NIC Chile Secondary DNS Service History and Evolution

DNS / DNSSEC Workshop

phoenixnap Client Portal

DNSSEC Trust tree: (A) ---dnslab.org. (DS keytag: 9247 dig (DNSKEY keytag. ---org. (DS keytag: d

Homenet Naming DHCP Options

Remote DNS Cache Poisoning Attack Lab

Some Internet exploits target name resolution servers. DNSSEC uses cryptography to protect the name resolution

Local DNS Attack Lab. 1 Lab Overview. 2 Lab Tasks (Part I): Setting Up a Local DNS Server. SEED Labs Local DNS Attack Lab 1

DNS Naming for Windows DECUS Symposium in Bonn 2002

Table of Contents DNS. Short history of DNS (1) DNS and BIND. Specification and implementation. A short history of DNS. Root servers.

Application Session (Hands-on) Athanassios Liakopoulos (GRNET) version 1.01

Chapter 19. Domain Name System (DNS)

6to4 reverse domain delegation ip6.arpa

Transcription:

Secured Dynamic Updates

Caution Portions of this slide set present features that do not appear in BIND until BIND 9.3 Snapshot code is available for this BIND 9.2 can perform most of the dynamic update features

Outline Dynamic Update Basics Setting Up A Dynamic Zone Tools Securing It Authorization Configuration Playing with Update Commands Interactions with DHCP

Getting Data Into DNS Zone File $origin z. @ soa ns ro ns ns1. ns a 1.1.1.1 Primary NS Dynamic Update Network Database AXFR Secondary NS

Advantages of Dynamic Updates Change DNS data quickly Make changes from anywhere No need to reload whole zone Data becomes more current

Uses of Dynamic Update Adding a new delegation to a large zone Cut down on reload times Conference attendees Laptops can use same name, new IP

Risks of Dynamic Update Authoritative servers listen to the network for data Authorization checks needed before accepting a request Server risks being tied up with updates Dynamic zones are hard to edit via "the old ways"

Other Considerations Once a zone goes dynamic, it is hard to edit Mixing dynamic data and critical static data is a bad idea, even neglecting security concerns This isn't meant to scare you from dynamic update, but to alert you

"Secure" Dynamic Update Secure refers to the safety of the update requests Only the right clients will be able to get data into the zone Limitations on the term "secure" Won't stop anyone issuing bad requests Doesn't address DNSSEC, adding digital signatures to the zone

Tools In order to do any of this, we need tools (software) All are part of a BIND 9 distribution named - the server, concentrating on conf file dig - a query/response tool nsupdate - issues dynamic update messages rndc - remote name server daemon control dnssec-keygen - makes the keys needed

A static zone zone "myzone.example." { type master; file "myzone.example."; allow-transfer { any; }; };

Adding a dynamic zone zone "myzone.example." { type master; file "myzone.example."; allow-transfer { any; }; }; zone "dynamic.myzone.example." { type master; file "dynamic.myzone.example."; allow-transfer { any; }; allow-update { any; }; }; //note: on-line slide is different

dynamic.myzone.example > cat db.dynamic.myzone.example $ORIGIN dynamic.myzone.example. $TTL 1d ; 1 day @ IN SOA ns1 root ( serial 1 ; (30 minutes) 30m ; refresh minutes) 15m ;retry (15 (19h12m) 19h ;expire 18min ;minimum (18min) ) NS ns1.myzone.example

Journal Files Once a dynamic zone begins running A journal file (<zonefile>.jnl) is created when the first dynamic update has been made This binary, non-text file maintains all updates in recent times Updates aren't immediately reflected in the original <zonefile>, but they are eventually Journal entries are written to the zone file at server shutdown (and on demand)

dig Basic debugging aid dig @server domain.name type Used to verify that change has been made Used to verify that SOA number increments

dig examples > dig @127.0.0.1 version.bind chaos txt > dig @127.0.0.1 myzone.example. soa +multiline > dig @127.0.0.1 dynamic.myzone.example. soa

nsupdate Generates updates based upon user input Used to make requested updates

nsupdate example % nsupdate > server 127.0.0.1 > zone dynamic.myzone.example. > update add alu.dynamic.myzone.example. 600 A192.168.160.1 > update add dynamic.myzone.example. 600 MX 10 alu > send > quit Just to check our work... % dig @127.0.0.1 alu.dynamic.myzone.example. A % dig @127.0.0.1 dynamic.myzone.example. MX

rndc "Remote" management of server, usually across 127.0.0.1 Used to stop, reload server Used to freeze and unfreeze dynamic zone { available in BIND 9.3 }

rndc examples % rndc -c rndc.conf status % rndc -c rndc.conf reload % rndc -c rndc.conf freeze dynamic.myzone.example % rndc -c rndc.conf unfreeze dynamic.myzone.example % rndc -c rndc.conf stop NOTE: "freeze" and "unfreeze" are introduced in BIND 9.3

dnssec-keygen Simple tool to generate keys Used for DNSSEC too Used here to generate TSIG keys Used also to generate SIG(0) keys - in version 9.3

dnssec-keygen tsig example % dnssec-keygen -a HMAC-MD5 -b 128 -n host sample.tsig.key Ksample.tsig.key.+157+02308 % ls Ksample* Ksample.tsig.key.+157+02308.key Ksample.tsig.key.+157+02308.private

dnssec-keygen sig(0) example % dnssec-keygen -a RSA -b 512 -n host sample.tsig.key Ksample.tsig.key.+001+18681 % ls Ksam* Ksample.tsig.key.+001+18681.key Ksample.tsig.key.+157+02308.key Ksample.tsig.key.+001+18681.private Ksample.tsig.key.+157+02308.private

"Secured" Dynamic Update Limited to the security of the requests Dynamic Updates to a DNSSEC zone is a work in progress Two steps Identify and authenticate the updater Determine if updater is authorized

Steps Create a separate zone for dynamic updates (Done) Configure keys Configure policy

Configuring Keys Two styles TSIG - shared secret SIG (0) - public key TSIG works in 9.2, secret needed in named.conf (or include ) and in client SIG(0) needs 9.3, public key listed in the zone file (not in named.conf) and private key in client

TSIG keys Issue: Naming the key Name is arbitrary, but must be consistent between the named.conf and client There is an advantage to making it the same as a domain in the zone To test the keys, turn on key-based authorization of AXFR - just for testing

Making TSIG keys dnssec-keygen -a HMAC-MD5 -b 128 -n host \ slave1.dynamic.myzone.example. dnssec-keygen -a HMAC-MD5 -b 128 -n host \ slave2.dynamic.myzone.example. ls: Kslave1.dynamic.myzone.example.+157+42488.key Kslave1.dynamic.myzone.example.+157+42488.priva te Kslave2.dynamic.myzone.example.+157+57806.key Kslave2.dynamic.myzone.example.+157+57806.priva te

Adding TSIG to named.conf key slave1.dynamic.myzone.example." { }; algorithm HMAC-MD5; secret "sd7qi6tiw+n5fk3mgndnju9twiju+1ye7r2shgfkxig="; key slave2.dynamic.myzone.example." { }; algorithm HMAC-MD5; secret "KXMoZHZIIxVsxKp4aUp6YTy3EswUN9CeDEpneJDOgVM=";

Configuring TSIG AXFR Just so we can see that the keys work zone "dynamic.myzone.example." { type master; file "dynamic.myzone.example."; allow-transfer { key slave1.dynamic.myzone.example.; key slave2.dynamic.myzone.example.; }; allow-update { 127.0.0.1; }; };

Testing with dig Fails: % dig @127.0.0.1 dynamic.myzone.example. axfr Succeeds: % dig @127.0.0.1 dynamic.myzone.example. axfr -y slave1.dynamic.myzone.example.:kxmozhziixvsxk p4aup6yty3eswun9cedepnejdogvm= This shows that the TSIG key is properly configured in named.conf

Key based dynamic updates (TSIG) zone "dynamic.myzone.example." { type master; file "dynamic.myzone.example."; allow-transfer { key slave1.dynamic.myzone.example.; key slave2.dynamic.myzone.example.; }; allow-update { key user1.dynamic.myzone.example.; key user2.dynamic.myzone.example.; }; };

"Keying" nsupdate The next three slides show different ways to add key information to nsupdate first hides key from "ps -aux" by entering it interactively second hides it by referencing the file it is in last puts the secret on the command line

Keyed nsupdate #1 % nsupdate > zone dynamic.myzone.example. > server 127.0.0.1 > key user1.dynamic.myzone.example. sd7qi6tiw+n5fk3mgndnju9twiju+1ye7r2shgfkxig= > update add puri.dynamic.myzone.example. 600 A 192.168.50.1 > send % dig @127.0.0.1 puri.dynamic.myzone.example A

Keyed nsupdate #2 % nsupdate -k Kuser1.dynamic.myzone.example.+157+57806. > zone dynamic.myzone.example. > server 127.0.0.1 > update add alu.dynamic.myzone.example. 900 A 192.168.50.2 > Send % dig @127.0.0.1 alu.dynamic.myzone.example A

Keyed nsupdate #3 % nsupdate -y Kuser1.dynamic.myzone.example.:sd7qi6tiw+N5fK3mGND NJU9TwIju+1ye7r2shgfkxIg= > zone dynamic.myzone.example. > server 127.0.0.1 > update add palak.dynamic.myzone.example. A 90 192.168.50.2 > send % dig @127.0.0.1 palak.dynamic.myzone.example. A

Interaction with DHCP See the following URL for in-depth information http://ops.ietf.org/dns/dynupd/secureddns-howto.html

How DHCP and DynUp Look Mirchi.net. 32.7.275.in-addr.arpa. DNS Home leases for 275.7.32.0-127 DHCP chawla.mirchi.net apnic16.apnic.net 32.43.320.in-addr.arpa. leases for 320.43.32.0-127 DNS DHCP @APNIC 16

How This Happens, part 1 Host has a TSIG/SIG(0) to update the entry chawla.mirchi.net. A 275.7.32.17 Home DHCP can change 32.7.275.inaddr.arpa. (via TSIG/SIG(0)) 17.32.7.275.in-addr.arpa PTR chawla.mirchi.net. APNIC16 DHCP can change 32.43.320.inaddr.arpa. 17.32.43.320.in-addr.arpa PTR chawla.mirchi.net.

At Lease Change Time When releasing home address Home DHCP removes the PTR record Host alters/removes its A RR Done via scripts (depends on DHCP software) When gaining APNIC 16 lease APNIC 16 DHCP adds a PTR record Host registers an A RR with the home server

Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback