Advanced Module 3
Stealth Configurations
DNS Stealth Configurations

Stealth (aka DMZ, Split) Definition:

- Public and Private Resources (IP addresses and services)
- Separation of Public and Private
- Protection of DNS Zone files
DNS - Stealth Configuration (diagram slide)
DNS Stealth Configurations

- Same domain name - public and private zone files
- Hidden master
- Slave-only configuration
- Secure zone transfers from the hidden master
- Private clients still need to be able to query
- Non-standard ports (zone transfers and queries)
- Use of BIND9's view clause
- NAT gateway?
DNS - Hidden Master (diagram slide)
DNS - Hidden Master

- A registered domain needs two or more name servers
- The resolver starts (1) with the root/TLD servers and follows referrals (delegation)
- Referrals (2) always go back to the resolver
- Slaves (3) respond authoritatively
- Zone transfers (4) use IP/crypto controls with non-standard ports
- The master is only visible to the slaves
DNS - Stealth Configuration (diagram slide)
DNS - Internal Resolver

- Public servers (1) are slaves and use only the public zone files
- The master (2) uses a non-standard port for zone transfers, with crypto (TSIG)
- The private DNS (3) has only the private zone files
- Users need recursive queries for normal web access
- Public (recursive) queries (4) go through the firewall/NAT
DNS - Stealth Configuration (Private DNS (3), internal resolver)

```conf
options {
    ...
    // Private DNS (3)
    recursion yes;
    allow-recursion { 172.18/16; };   // cache access
};

// required zone for recursive queries
// transactions will pass through a classic firewall
zone "." {
    type hint;
    file "root.servers";
};

// zone clause - master for example.com
zone "example.com" in {
    type master;
    file "private/example.com";
    ...
};

// required local host domain
// localhost reverse map
// reverse map for local address at example.com
// uses 192.168.254.0 for illustration
```
DNS - Stealth Configuration (Public DNS (1), internal resolver)

```conf
options {
    ...
    // Public DNS (1)
    recursion no;
};

// zone clause - master for example.com
zone "example.com" in {
    type master;
    file "public/example.com";
    ...
};

// localhost/reverse localhost
// maybe
```
DNS - Stealth Configuration (diagram slide)
DNS - External Resolver

- Public servers (1) are slaves and use only the public zone files, but also provide recursive service to private clients
- The master (2) uses a non-standard port for zone transfers, with crypto (TSIG)
- The private DNS (3) has only the private zone files
- Users need recursive queries for normal web access
- Public (recursive) queries (4) use a forwarding DNS (on a non-standard port) to DNS (1)
DNS - Stealth Configuration (Private DNS (3), external resolver)

```conf
options {
    ...
    // Private DNS (3)
    // forwarding only happens for queries this server recurses on, so
    // recursion must be enabled for the private clients (the slide's
    // "recursion no;" would leave the forward zone below unused)
    recursion yes;
    allow-recursion { 172.18/16; };
};

// required zone for recursive queries
// uses stealth port 2053
zone "." {
    type forward;
    forward only;
    forwarders { 192.168.2.3 port 2053; 192.168.2.4 port 2053; };
};

// zone clause - master for example.com
zone "example.com" in {
    type master;
    file "private/example.com";
    ...
};

// required local host domain
// localhost reverse map
// reverse map for local address at example.com
// uses 192.168.254.0 for illustration
```
DNS - Stealth Configuration (Public DNS (1), external resolver)

```conf
options {
    ...
    // Public DNS (1)
    recursion yes;
    allow-recursion { 10.0.0.3; };          // private forward DNS only
    listen-on port 53 { 192.168.2.3; };     // public service
    listen-on port 2053 { 192.168.2.3; };   // stealth port used by the private side
};

// zone clause - master for example.com
zone "example.com" in {
    type master;
    file "public/example.com";
    ...
};

// normal hints zone
zone "." {
    type hint;
    file "root.servers";
};

// localhost/reverse localhost
// maybe
```
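The zone-transfer side that the configuration slides leave as "...": an added example, not the course's own configuration, of the hidden master (2) feeding one public slave (1) with TSIG-signed transfers over port 2053. The master address 10.0.0.2, the key name xfer-key and the include path are assumptions; 192.168.2.3 is the public server address used on the slides.

```conf
// Added example, not from the slides. Hidden master (2) at 10.0.0.2 serving
// one public slave (1) at 192.168.2.3; all master/slave traffic uses port 2053
// and is TSIG-signed. Addresses, key name and paths are illustrative.

// ---------------- hidden master (10.0.0.2) ----------------
// xfer.key holds:  key "xfer-key" { algorithm hmac-sha256; secret "<base64>"; };
// keep it 0600 root:wheel and include it rather than pasting it into named.conf
include "/etc/namedb/keys/xfer.key";

options {
    listen-on port 2053 { 10.0.0.2; };   // never on 53: no referral points here
    recursion no;
    allow-query { none; };               // deny by default, zones re-enable
    allow-transfer { none; };
    notify explicit;                     // NOTIFY only the slaves listed below
    also-notify { 192.168.2.3 port 2053; };
};

server 192.168.2.3 { keys { xfer-key; }; };   // sign NOTIFYs sent to the slave

zone "example.com" in {
    type master;
    file "public/example.com";           // NS records name only the public slaves
    allow-query { 192.168.2.3; };        // SOA refresh checks from the slave
    allow-transfer { key xfer-key; };    // source IP alone is spoofable; require TSIG
};

// ---------------- public slave (192.168.2.3) ----------------
include "/etc/namedb/keys/xfer.key";     // same key, same 0600 permissions

options {
    listen-on port 53 { 192.168.2.3; };   // public service
    listen-on port 2053 { 192.168.2.3; }; // NOTIFY from the master arrives here
    recursion no;                         // authoritative only (internal resolver design)
    allow-transfer { none; };             // nobody pulls the zone from the public copy
};

server 10.0.0.2 { keys { xfer-key; }; };      // sign SOA queries and AXFR/IXFR to the master

zone "example.com" in {
    type slave;
    file "public/example.com";
    masters { 10.0.0.2 port 2053; };     // non-standard port; the master is never on 53
};
```

The two fragments are separate named.conf files, one per server; the shared key file is the only thing both hosts hold.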
DNS - Using View Clause

- A single DNS server can be configured to support both private and public capabilities
- Maintains two logically separate views
- Clients can connect to private or public services
- Does not need a firewall (?)
- Vulnerable if the filesystem is compromised
- Uses:

```conf
match-clients { address_match_list; };
match-destinations { address_match_list; };
match-recursive-only yes;   // boolean, not an address list
```
DNS - Bind9 View (diagram slide)
DNS - Using View Clause

- The DNS server (1) has public and private views
- Hidden master (2)
- Clients access the private side only, for authoritative (3) and recursive (4) queries
- The private side issues the public (5) (recursive) queries
- The server's public view only answers public queries
DNS - Using View Clause

```conf
options {
    // Public/Private DNS (1)
    ...
    recursion no;
};

view "private" {
    match-clients { localnets; localhost; };
    recursion yes;
    allow-recursion { localnets; localhost; };
    // zone is private
    zone "example.com" {
        type master;
        file "private/example.com";
        ...
    };
    // zone files for hints, localhost, local reverse map
};

view "public" {
    match-clients { any; };
    recursion no;
    zone "example.com" in {
        type slave;
        file "public/example.com";
        ...
    };
    // zone files for localhost
};
```
DNS - Using View Clause

- View order is significant: match-clients { any; } in the public view is an else condition
- The private cache is polluted with public data
- Single server
- Can be routed through a firewall or not
- Breaking the filesystem will allow reading of the private data
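The ordering rule above, as an added example that is not the course's own configuration: the two views from the previous slide in both orders. The acl name private-nets, its networks and the inside address 10.0.0.3 in match-destinations are assumptions.

```conf
// Added example, not from the slides. Same two views, two orderings.
// Only one of the two fragments goes in named.conf; private-nets is illustrative.
acl "private-nets" { 10.0.0.0/24; 192.168.2.0/24; localhost; };

// ORDER A (wrong): public view first. named tests views top to bottom and
// uses the first whose match-clients matches. { any; } matches every client,
// so "private" is dead code: inside hosts get the public zone and no recursion.
view "public" {
    match-clients { any; };
    recursion no;
    zone "example.com" in {
        type slave; file "public/example.com";
        masters { 10.0.0.2 port 2053; };
    };
};
view "private" {                          // never reached
    match-clients { private-nets; };
    recursion yes;
    zone "example.com" in { type master; file "private/example.com"; };
};

// ORDER B (right): specific views first, { any; } last as the else branch.
view "private" {
    match-clients { private-nets; };
    match-destinations { 10.0.0.3; };     // and only when asked on the inside address;
                                          // an inside host asking the outside address
                                          // falls through to "public"
    recursion yes;
    allow-recursion { private-nets; };
    zone "example.com" in { type master; file "private/example.com"; };
    zone "." in { type hint; file "root.servers"; };   // hints only where recursion is on
};
view "public" {
    match-clients { any; };               // everything that fell through
    recursion no;
    zone "example.com" in {
        type slave; file "public/example.com";
        masters { 10.0.0.2 port 2053; };
    };
};
```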
DNS - Admin security

- BIND runs as root until it has assembled all its files, so permissions can be very tight, especially on included files
- Files:
  - named.conf - contains sensitive information, especially where private views are involved
  - key files - always include them (0600 root:wheel)
  - zone files - only the private ones
  - log files - on a shared public/private server
- rndc - think very carefully
Quick Quiz

- Should a public DNS server support recursion?
- Must the master NS be defined when you register a domain?
- Name at least two statements that can be used to select view users.
- Does an authoritative server need a hints zone clause?
- Should key clauses ever be defined in named.conf?