dnssec - what is it ? install and configure in chroot jail


Upload: utah-networxs-consultoria-e-treinamento

Post on 24-Jun-2015


DESCRIPTION

Install and understand DNSSEC on a Linux server running BIND 9 inside a chroot jail. By Utah Networxs. Follow @fabioandpires and @utah_networxs.

TRANSCRIPT

1. DNSSEC: WHAT IS IT?

2. WHO ARE WE?
First Linux school and consultancy in Brazil.
17 years of practice in Linux; 12 years with the best Linux in Brazil.
More than 50,000 students trained; more than 5,000 clients in different projects.
LPI-C ATP in Brazil.
More: www.utah.com.br

3. SOCIAL MEDIA
Follow! @fabioandpires
Follow! @utah_networxs
Enjoy! Utah Networxs

4. SPEAKER: FABIO PIRES
Mini curriculum:
Graduated in Computer Science; Bachelor of Computing.
Post-graduate in Project Analysis and Systems - FATEC.
Post-graduate in Linux Operating Systems - UFLA.
LPIC.
Teacher of undergraduate and graduate courses.
Twitter in spare time.
Contact: [email protected]

5. WHAT IS A DNS SERVER?
DNS (Domain Name System) is a hierarchical, distributed name management system that works on two definitions:
1 - Review and update its database.
2 - Resolve domain names into network addresses (IPs).

6. TYPES OF DNS SERVER
Authoritative: responsible for keeping the maps for a local zone and answering requests from machines around the world that need to resolve domain names in the zone over which this server is authoritative.
Recursive: responsible for receiving recursive DNS queries from local clients and consulting external servers in order to obtain answers to the queries made.

7. DNS RFCS
The roots are in RFCs 882 and 883, updated in RFCs 1034 and 1035.
http://tools.ietf.org/html/rfc1034
http://tools.ietf.org/html/rfc1035

8. THE DNS ROOT SERVER
There is just one DNS root, and it is replicated 13 times. Its table has only one entry for each existing Top Level Domain. The Top Level Domains are of two types: gTLDs (Generic Top Level Domains, generic domains used worldwide) and ccTLDs (Country Code Top Level Domains, domain extensions administered by countries).

9. THE DNS ROOT SERVER WORLD MAP

10. OPERATION OF A DNS SERVER
11. WHY ARE DNS SERVERS COMPROMISED?
DoS and DDoS attacks;
recursion { any; };
DNS cache poisoning: a spoofed response is accepted if it arrives on the same UDP port, its QUESTION section refers to the true question, its query ID fits that question, and the names in the AUTHORITY and ADDITIONAL sections are in the same domain as the query.

12. MITIGATION: TSIG / DNSSEC, WHAT IS IT?
TSIG (Transaction Signatures, RFC 2845): traffic signed with a shared (symmetric) key between two parties. Used mainly in zone transfers (master and slave) of the same domain.

13. TSIG / DNSSEC, WHAT IS IT?
The mechanism used by DNSSEC is based on cryptographic signatures. DNSSEC uses a system of asymmetric keys. This means that someone with a DNSSEC-compatible domain has a pair of electronic keys consisting of a private key and a public key.

14. DNS VS DNSSEC

15. PRACTICE: DNS SERVER IN A CHROOT JAIL

16. BIND IN A CHROOT JAIL
[Slide diagram: the host filesystem tree (/bin, /boot, /dev, /etc, /home, /lib, /mnt, /opt, /proc, /root, /sbin, /tmp, /usr, /var) next to the /chroot jail, whose /var/lib/named holds dev, etc/bind, lib and var.]

17. MAKE A CHROOT JAIL
Operating system: Debian
Version name: Squeeze
Version release: 6.0.5
Architecture: x86_64
Directory: /chroot

    root@moe:~# apt-get install debootstrap
    root@moe:~# cd /chroot
    root@moe:/chroot# debootstrap squeeze .

18. SOLVING FUTURE JAIL PROBLEMS
01 Mount the /dev and /dev/pts devices into the jail:

    root@moe:~# mount --bind /dev /chroot/dev
    root@moe:~# mount --bind /dev/pts /chroot/dev/pts

02 Enter the chroot jail:

    root@moe:~# cd ..
    root@moe:~# chroot /chroot

19. INSTALL PACKAGES

    root@moe:~# apt-get install sysklogd openssh-server vim bind9

Main BIND9 configuration files:
    /etc/bind
    /etc/default/bind9
BIND9 init script:
    /etc/init.d/bind9

20. MAKE DIRECTORIES

    root@moe:~# mkdir -p /var/lib/named
    root@moe:~# mkdir -p /var/lib/named/etc/bind
    root@moe:~# mkdir -p /var/lib/named/dev
    root@moe:~# mkdir -p /var/lib/named/var/cache/bind
    root@moe:~# mkdir -p /var/lib/named/var/run/bind/run
    root@moe:~# mkdir -p /var/lib/named/var/run/named
    root@moe:~# mkdir -p /var/lib/named/lib
21. EDIT DEFAULT FILES

    root@moe:~# vi /etc/default/bind9

Change:
    OPTIONS=-u bind
To (the -t option makes named chroot into the jail at startup):
    OPTIONS=-u bind -t /var/lib/named

    root@moe:~# vi /etc/init.d/bind9

Change:
    OPTIONS=-u bind
To:
    OPTIONS=-u bind -t /var/lib/named

22. COPY BIND PACKAGE FILES

    root@moe:~# cp -R /etc/bind/* /var/lib/named/etc/bind/

Change the default owner user and group:

    root@moe:~# chown -R bind.bind /var/lib/named

23. CREATE DEVICE FILES
named needs these character devices inside the jail (major 1, minor 3/8/5/9):

    root@moe:~# cd /var/lib/named/dev
    root@moe:/var/lib/named/dev# mknod null c 1 3
    root@moe:/var/lib/named/dev# mknod random c 1 8
    root@moe:/var/lib/named/dev# mknod zero c 1 5
    root@moe:/var/lib/named/dev# mknod urandom c 1 9

24. RESTART THE BIND9 SERVICE

    root@moe:~# invoke-rc.d bind9 restart

25. MAIN CONFIGURATION FILES
named.conf
named.conf.options
zones/db.direta.interna
zones/db.reversa.interna
zones/db.direta.externa
zones/db.reversa.externa

26. ACLS AND VIEWS CONCEPT
ACL: Access Control List
Views

27. CONFIGURE NAMED.CONF

    acl intranet { 192.168.0.0/16; };
    acl extranet { 0.0.0.0/0; };

28. CONFIGURE NAMED.CONF

    view bsidesplocal {
        match-clients { "intranet"; };
        zone "bsidesp.utah.net.br" {
            type master;
            file "/etc/bind/zones/db.interna.direta";
            allow-transfer { 192.168.0.220; };
            update-policy local;
            key-directory "/etc/bind/zones/keys";
            also-notify { 192.168.0.220; };
            notify yes;
        };
        zone "0.168.192.in-addr.arpa" {
            type master;
            file "/etc/bind/zones/db.interna.reversa";
            allow-transfer { 192.168.0.220; };
            update-policy local;
            key-directory "/etc/bind/zones/keys";
            also-notify { 192.168.0.220; };
            notify yes;
        };
    };

29. CONFIGURE NAMED.CONF

    view bsidespweb {
        match-clients { "extranet"; };
        zone "bsidesp.utah.net.br" {
            type master;
            file "/etc/bind/zones/db.externa.direta";
            allow-transfer { 189.99.99.9; };
            update-policy local;
            key-directory "/etc/bind/zones/keys";
            also-notify { 189.99.99.9; };
            notify yes;
        };
        zone "99.99.199.in-addr.arpa" {
            type master;
            file "/etc/bind/zones/db.externa.reversa";
            allow-transfer { 189.99.99.9; };
            update-policy local;
            key-directory "/etc/bind/zones/keys";
            also-notify { 189.99.99.9; };
            notify yes;
        };
    };
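The views above restrict zone transfers to a single slave, and a later slide (CLOSE RECURSIVE QUERIES) limits allow-recursion to the intranet ACL and enables DNSSEC. The following check is added here and is not part of the original slides: it audits a named.conf text for those three settings, flagging allow-recursion or allow-transfer that reach the whole Internet (directly or through an ACL such as extranet) and a missing dnssec-enable yes. Both configuration fragments are constructed for this example, using the ACL names and addresses from the deck.

```python
import re

# Constructed weak fragment of the kind slide 11 warns about: recursion and AXFR open to anyone.
WEAK_CONF = """
options {
    allow-recursion { any; };
    allow-transfer { any; };
};
"""
# Constructed hardened fragment following the deck: ACLs from slide 27, recursion only
# for the intranet, transfers only to the named slave, DNSSEC enabled.
HARDENED_CONF = """
acl intranet { 192.168.0.0/16; };
acl extranet { 0.0.0.0/0; };
options {
    allow-query { intranet; extranet; };
    allow-recursion { intranet; };
    dnssec-enable yes;
};
view bsidesplocal {
    match-clients { "intranet"; };
    zone "bsidesp.utah.net.br" {
        allow-transfer { 192.168.0.220; };
    };
};
"""
WORLD = {"any", "0.0.0.0/0", "::/0"}  # address-match elements that mean "everyone"

def _members(conf, keyword):
    """Every '<keyword> { a; b; };' statement in conf, as a list of member sets."""
    return [{t.strip().strip('"') for t in m.group(1).split(";") if t.strip()}
            for m in re.finditer(r"\b%s\s*\{([^}]*)\}" % re.escape(keyword), conf)]

def _open_acls(conf):
    """Names of ACLs whose members include the whole Internet (like 'extranet' above)."""
    return {m.group(1) for m in re.finditer(r"\bacl\s+(\S+)\s*\{([^}]*)\}", conf)
            if {t.strip() for t in m.group(2).split(";")} & WORLD}

def audit_named_conf(conf):
    """Return findings for the three settings the deck hardens; an empty list means all pass."""
    findings = []
    world = WORLD | _open_acls(conf)  # literal 'any' plus any ACL that expands to it
    if any(members & world for members in _members(conf, "allow-recursion")):
        findings.append("allow-recursion is open to the world: open resolver, DDoS amplifier")
    if any(members & world for members in _members(conf, "allow-transfer")):
        findings.append("allow-transfer is open: anyone can AXFR the zone")
    if not re.search(r"\bdnssec-enable\s+yes\s*;", conf):
        findings.append("dnssec-enable yes is missing")
    return findings
```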
30. NAMED.CONF GLOSSARY
// at the beginning of a line = commented line
include = includes the specified file
acl = defines an access list
zone = defines a zone
type = defines the type of zone
file = gives the full path of the zone's configuration file
allow-transfer = sets the slave servers allowed to receive updates (zone transfers) from this server
update-policy local = allows automatic local dynamic updates; in our case it is used to re-sign the zones automatically before the key signatures expire
key-directory = indicates the directory containing the zone keys needed for update-policy to succeed
also-notify = indicates that the master server sends notifications to the slave server every time bind restarts
notify = defines whether or not zone change notifications are sent

31. DB.ZONES FILES

    root@moe:~# mkdir /var/lib/named/etc/bind/zones
    root@moe:~# chown bind.bind /var/lib/named/etc/bind/zones

32. DIRECT (FORWARD) ZONE EXAMPLE

    $TTL 86400
    @       IN SOA  moe.bsidesp.utah.net.br. root.bsidesp.utah.net.br. (
                    2012101801 ; Serial
                    1200       ; Refresh
                    2400       ; Retry
                    4800       ; Expire
                    1209600 )  ; Negative Cache TTL
    ;
    @       IN NS   moe.bsidesp.utah.net.br.
    @       IN NS   homer.bsidesp.utah.net.br.
    @       IN MX 5  moe.bsidesp.utah.net.br.
    @       IN MX 10 homer.bsidesp.utah.net.br.
    @       IN A    189.100.100.10
    @       IN A    189.99.99.9

    moe     IN A    189.99.99.9
    homer   IN A    187.100.100.10
    ftp     IN CNAME homer.bsidesp.utah.net.br.
    pop     IN CNAME homer.bsidesp.utah.net.br.   ; trailing dot: without it the origin is appended

33. REVERSE ZONE EXAMPLE

    $TTL 86400
    @       IN SOA  moe.bsidesp.utah.net.br. root.bsidesp.utah.net.br. (
                    2012101801 ; Serial
                    1200       ; Refresh
                    2400       ; Retry
                    4800       ; Expire
                    1209600 )  ; Negative Cache TTL
    ;
    @       IN NS   moe.bsidesp.utah.net.br.
    @       IN NS   homer.bsidesp.utah.net.br.
    @       IN MX 5  moe.bsidesp.utah.net.br.
    @       IN MX 10 homer.bsidesp.utah.net.br.
    9       IN PTR  moe.bsidesp.utah.net.br.
    10      IN PTR  homer.bsidesp.utah.net.br.
    10      IN PTR  www.bsidesp.utah.net.br.
    10      IN PTR  ftp.bsidesp.utah.net.br.
    10      IN PTR  pop.bsidesp.utah.net.br.
34. ZONE FILE GLOSSARY
TTL = time in seconds that a record of the zone remains in a server's cache;
Serial number = reference for a slave server to tell whether there were changes in the zone's configuration file;
Refresh = time in seconds that the secondary server waits before checking for updates on the primary server;
Retry = time in seconds, in case the refresh fails, until the next check;
Expire = time in seconds that the secondary server keeps answering for the zone if the primary server is down; once this time is exhausted the secondary server also stops responding for the zone;
Negative Cache TTL = when a name does not exist (NXDOMAIN), this is the time a caching server stores that answer before starting a new recursive search;
NS = name server
A = host (IP)
MX = mail exchanger
Alias = aliases come at the end of the file structure, as above; these are the nicknames defined in the zone, such as www, ftp, smtp, etc.
36. CLOSE RECURSIVE QUERIES

    root@moe:~# vi /var/lib/named/etc/bind/named.conf.options

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    # ACL names must be the ones defined in named.conf (intranet / extranet)
    allow-query { intranet; extranet; };
    allow-recursion { intranet; };
    dnssec-enable yes;

37. MAKE THE DNSSEC KEY

    root@moe:~# mkdir /var/lib/named/etc/bind/zones/keys
    root@moe:~# chown bind.bind /var/lib/named/etc/bind/zones/keys
    root@moe:/var/lib/named/etc/bind/zones/keys# dnssec-keygen -r /dev/urandom -f KSK -a RSAMD5 -b 2048 -K /var/lib/named/etc/bind/zones/keys -n ZONE bsidesp.utah.net.br

38. OPTIONS GLOSSARY
-r = randomness device
-f = key flag (type), here KSK
-a = encryption algorithm
-b = key size
-K = key directory
-n = name type, here ZONE

39. SIGN THE ZONES

    root@moe:/var/lib/named/etc/bind/zones/keys# dnssec-signzone -S -z -K /var/lib/named/etc/bind/zones/keys -N unixtime -o bsidesp.utah.net.br /var/lib/named/etc/bind/zones/db.externa.direta

40. OPTIONS GLOSSARY
-S = smart signing: searches the key directory for the zone's keys;
-z = ignores the SEP (KSK) bit and signs the whole zone with every key;
-K = directory of the keys;
-N = SOA serial format; in our case unixtime, so the serial is incremented with each signing;
-o = zone origin; the last argument is the zone configuration file.

41. CHANGE NAMED.CONF

    view bsidespweb {
        match-clients { "extranet"; };
        zone "bsidesp.utah.net.br" {
            type master;
            file "/etc/bind/zones/db.externa.direta.signed";
            allow-transfer { 189.99.99.9; };
            update-policy local;
            key-directory "/etc/bind/zones/keys";
            also-notify { 189.99.99.9; };
            notify yes;
        };
        zone "99.99.199.in-addr.arpa" {
            type master;
            file "/etc/bind/zones/db.externa.reversa.signed";
            allow-transfer { 189.99.99.9; };
            update-policy local;
            key-directory "/etc/bind/zones/keys";
            also-notify { 189.99.99.9; };
            notify yes;
        };
    };

42. SHARED IN REGISTRO.BR

43. GET KEYTAG AND DIGEST

    root@moe:/var/lib/named/etc/bind/zones/keys# cat bsidesp.utah.net.br | head -1
    bsidesp.utah.net.br IN DS 51074 1 1 D836A983AE90B051414E88D62379A94C9C9F71DD

Keytag = 51074
Digest = D836A983AE90B051414E88D62379A94C9C9F71DD

44. DOUBTS?
Special thanks: ISAIAS SOUZA SILVA
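Slide 43 reads the key tag and digest off the DS line that dnssec-signzone writes. The following Python is added here and is not part of the original slides: it shows how both values are derived from the DNSKEY per RFC 4034 (key tag as a 16-bit sum over the RDATA, DS digest as a hash over the owner name in wire form plus the RDATA) and checks a DS line against a key. The toy DNSKEY bytes are constructed, not a real key, and use algorithm 8 (RSASHA256) rather than the deck's RSAMD5, which has its own legacy key-tag rule and has since been deprecated for DNSSEC.

```python
import hashlib
import struct

def dns_name_wire(name):
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except 1): 16-bit sum over the RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type=1):
    """DS digest = hash(owner name wire form || DNSKEY RDATA); 1 = SHA-1, 2 = SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]  # other types not handled
    return h(dns_name_wire(owner) + rdata).hexdigest().upper()

def parse_ds_line(line):
    """Parse one '<owner> IN DS <keytag> <alg> <digest type> <digest>' dsset line."""
    f = line.split()
    i = f.index("DS")
    return {"owner": f[0], "keytag": int(f[i + 1]), "algorithm": int(f[i + 2]),
            "digest_type": int(f[i + 3]), "digest": "".join(f[i + 4:]).upper()}

def make_ds_line(owner, rdata, algorithm, digest_type=1):
    """Build the DS line a registry such as Registro.br asks for, from the DNSKEY RDATA."""
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), algorithm, digest_type,
                                     ds_digest(owner, rdata, digest_type))

def ds_matches_key(ds_line, rdata):
    """True when the DS line's key tag and digest were derived from this DNSKEY RDATA."""
    ds = parse_ds_line(ds_line)
    return (ds["keytag"] == key_tag(rdata)
            and ds["digest"] == ds_digest(ds["owner"], rdata, ds["digest_type"]))

# DS line from slide 43 (spacing restored): 40 hex digits means digest type 1 (SHA-1).
SLIDE_DS = "bsidesp.utah.net.br IN DS 51074 1 1 D836A983AE90B051414E88D62379A94C9C9F71DD"
# Constructed toy key, NOT a real RSA key: flags 257 (KSK), protocol 3, algorithm 8. Key tag = 45273.
TOY_RDATA = dnskey_rdata(257, 3, 8, bytes([0x01, 0x03, 0xAB, 0xCD]))
```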
45. SOURCES OF RESEARCH
BIND9 project: https://www.isc.org/software/bind
Registro.br: www.registro.br
QGSEG: http://www.qgseg.com.br/
Wikipedia: http://pt.wikipedia.org