Hello everybody!!
For today i have the second part of bind. In this part i’ll explain how to ensure our environment and prevent the DNS cache spoofing with the DNS extensions DNSSEC. DNSSEC offers the authenticity and integrity of the DNS records, not encrypt the communication between servers or clients.
First we’ll jail the named service in a chroot environment and limit user (named). In this part we have to do both the parent and the subdomain servers:
Chroot bind jail (Parent domain && subdomain)
1.- Create directory tree:
# mkdir /var/named/chroot/ # mkdir -p /var/named/chroot/var/run # mkdir /var/named/chroot/var/named # mkdir /var/named/chroot/dev # mkdir -p /var/named/chroot/etc/named # mkdir -p /var/named/chroot/usr/lib/bind # cp /etc/named.conf /var/named/chroot/etc/named.conf # cp /var/named/* /var/named/chroot/var/named # chown -R named:named /var/named/chroot/ # chmod -R 700 /var/named/chroot/
2- Create special files used by named:
# mknod /var/named/chroot/dev/null c 1 3
# mknod /var/named/chroot/dev/random c 1 8
# chmod 666 /var/named/chroot/dev/{null,random}
3.- In /etc/default/named add:
ROOTDIR="/var/named/chroot"
4.- Edit SELINUX file (/etc/selinux/config) and disable it persistent:
SELINUX=disabled
5.- Disable SELINUX for now:
# setenforce 0
6.- Restart named:
# service named restart
7.- Check the named service is running in the new directory:
# ps aux | grep bind
In DNSSEC appear new register records:
- DNSKEY: is the public key, each zone has two keys KSK (key sign key) and ZSK (zone sign key) and appears in the zone file.
- RRSIG: is the sign of each RRset.
- NSEC: is used by negative answer, and ensure the register request don’t exist.
- DS: is the sign of a DNSKEY. This register appears in the parent zone and ensure the authenticity of the public key subdomain.
The KSK is used to sign the ZSK and the ZSK for sign the zones. In this scenario we have 2 servers one parent domain (mydomain.com) and one subdomain (subdomain.mydomain.com), with this servers we’ll create a chain of trust.
First we’ll generate the pair of keys ZSK and KSK, in each server. Next we have to include the public keys in the zone file and sign the subdomain server. When we sign the subdomain server, generate two files the file zone signed and the DS record for the parent domain, we have to copy this file and include this record on file zone parent, then we can sign the parent zone.
DNSSEC
Parent domain && Subdomain
1.- Generate the pair keys KSK and ZSK:
# dnssec-keygen -a rsasha1 -b 1024 -r /dev/urandom -n ZONE mydomain.com # dnssec-keygen -a rsasha1 -b 2048 -r /dev/urandom -n ZONE -f KSK mydomain.com
2.- Add the KSK and ZSK to te zone files:
-Parent domain:
# cat Kmydomain.com.+005+14091.key >> /var/named/chroot/var/named/zone.mydomain.com
# cat Kmydomain.com.+005+65187.key >> /var/named/chroot/var/named/zone.mydomain.com
– Subdomain:
# cat Ksubdomain.mydomain.com.+005+65187.key >> /var/named/chroot/var/named/zone.subdomain.mydomain
# cat Ksubdomain.mydomain.com.+005+12934.key >> /var/named/chroot/var/named/zone.subdomain.mydomain
Subdomain
1.- Sign zone subdomain.mydomain.com:
# dnssec-signzone -o subdomain.mydomain.com /var/named/chroot/var/named/zone.subdomain.mydomain
2.- Edit /var/named/chroot/etc/named.conf:
dnssec-enable yes; file "zone.subdomain.mydomain.signed";
3.- copy the dsset file to domain parent (this require enable ssh server in the domain parent):
# scp /var/named/chroot/var/named/dsset-subdomain.mydomain.com 192.168.1.34:/var/named/chroot/var/named/dsset-subdomain.mydomain.com
4.- Restart named:
# service named restart
Parent Domain
1.- add the dsset to the zone file:
# cat /var/named/chroot/var/named/dsset-subdomain.mydomain.com >> /var/named/chroot/var/named/zone.mydomain.com
2.- Sign the zone:
# dnssec-signzone -o mydomain.com /var/named/chroot/var/named/zone.mydomain.com
3.- change the file name and enable dnssec in /var/named/chroot/etc/named.conf:
# dnssec-enable yes;
file “zone.mydomain.com.signed”;
Final checks
1.- A negative answer with NSEC:
# dig +dnssec @192.168.1.37 ppp.subdomain.mydomain.com
2.- Check the DNSSEC set of the subdomain server:
# dig +dnssec @192.168.1.37 subdomain.mydomain.com
More in the next post!! Bye bye!!