Bind

From SchnallIchNet

queries

  1. query the BIND server version (CHAOS class)
    dig @localhost version.bind txt chaos
    the answer is whatever the 'version' option in named.conf says (the complete named.conf below returns "Herr 2.7"); this is the cheapest reconnaissance an attacker does, so don't let it be the real version string.


security

  1. be authoritative !!!1!!111!!eleven
  2. protect against ddos-enslaving
  3. use DNSSEC!!
  4. verify the DNSSEC keys!!
  5. create keys to allow dynamic zone updates!!!
    no updates on the basis of IP addresses!!!!!


protect bind9 against ddos-enslaving

there are several ways.
for one, i introduced VIEWs so that my DNS servers answer 'only' authoritatively to the outside (no recursion for strangers).

since my DNS servers also carry SPF, DKIM and DNSSEC and, not least, IPv6, answers can still be very large.
for the operator of a server that has nothing to do with the query this is very
annoying, because his bandwidth is being burned (the query is sent with his spoofed source address, so the big answer lands on him).
this is compounded when not a single address is queried but queries of type = ANY
are sent; those not infrequently produce responses containing 30 - 50 records....

i therefore decided to patch my bind9 so that it answers type = ANY queries ONLY over TCP.

here is the patch:

--- bind9-9.8.4.dfsg.P1/bin/named/query.c.orig  2013-08-23 14:49:39.000000000 +0200
+++ bind9-9.8.4.dfsg.P1/bin/named/query.c       2013-08-22 14:11:53.000000000 +0200
@@ -7658,6 +7658,12 @@
        if (dns_rdatatype_ismeta(qtype)) {
                switch (qtype) {
                case dns_rdatatype_any:
+                       /* direct all TYPE=255/ANY queries to TCP */
+                       if (qtype == dns_rdatatype_any &&
+                                       (client->attributes & NS_CLIENTATTR_TCP) == 0)
+                       {
+                               client->message->flags |= DNS_MESSAGEFLAG_TC;
+                       }
                        break; /* Let query_find handle it. */
                case dns_rdatatype_ixfr:
                case dns_rdatatype_axfr:
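Review bot: the added `qtype == dns_rdatatype_any` test is redundant, because the block sits directly under `case dns_rdatatype_any:`, so the condition reduces to `(client->attributes & NS_CLIENTATTR_TCP) == 0`. The more substantive point is what happens after the flag is set: the code still reaches `break; /* Let query_find handle it. */`, so named performs the full ANY lookup and assembles the complete answer before the TC-flagged reply is rendered; the saving is in bytes on the wire, not in server work, and the claim in the text that only a tiny message leaves the server rests on the rendering path dropping the answer sections once TC is pre-set. Please confirm that on the patched build with a UDP ANY query (check the flags and the MSG SIZE rcvd that dig reports) and replace the comment `/* direct all TYPE=255/ANY queries to TCP */` with one that says what actually happens, i.e. that UDP clients get a truncated reply and are expected to retry over TCP. The `+++` timestamp being older than the `---` one in the file headers also suggests old and new were swapped when the diff was generated; harmless, but worth fixing so `patch` users are not confused.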

this makes type=ANY queries over UDP come back with only the hint that TCP must be used instead of UDP (the TC bit set and no answer), and the client repeats its query over TCP. for legitimate clients this means: it takes a few milliseconds longer until the query is answered.
for attackers who want to run a DDoS, however, this is a problem. over TCP the sender address cannot be spoofed (not easily, anyway), because the handshake has to complete first, and towards the attacked party only tiny truncated replies still go out: the reflection is still there, but the amplification is gone.
(newer BIND releases give you the same effect without patching: minimal-any yes; (BIND 9.11 and later) answers UDP ANY queries with a single RRset, and response rate limiting via rate-limit { ... }; caps what a spoofed source can pull out of the server.)
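To see what the patch (or minimal-any) actually changes on the wire, here is a small probe. This is an added example written for this page, not code from the page's author or from BIND: it builds a raw ANY query, reports whether the UDP reply carries the TC bit and how many reply bytes the server returns per byte of query, and then repeats the query over TCP the way a resolver does after a truncated answer. The server address and the script name in the usage line are placeholders you supply; the two embedded replies (one truncated, one with 30 TXT records) are constructed so the parsing can be exercised offline.

```python
"""Added example (not from the SchnallIchNet page, not BIND code): probe a name
server with an ANY query over UDP, report TC bit and amplification factor, and
retry over TCP as a resolver would."""
import socket
import struct
import sys

ANY = 255

def question(name, qtype=ANY):
    """QNAME in wire form plus QTYPE/QCLASS (class IN)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split(".")) + b"\x00"
    return qname + struct.pack(">HH", qtype, 1)

def build_query(name, qtype=ANY, qid=0x1234, edns_udp_size=None):
    """Query with RD set. An optional EDNS0 OPT RR advertises a large UDP buffer,
    which is exactly what reflection attacks do to get the biggest possible answer."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, arcount)
    opt = b"\x00" + struct.pack(">HHIH", 41, edns_udp_size, 0, 0) if edns_udp_size else b""
    return header + question(name, qtype) + opt

def parse_header(msg):
    qid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0xF, "ancount": an, "arcount": ar, "size": len(msg)}

def assess(query, udp_response):
    """What one spoofed UDP query buys an attacker against this server."""
    h = parse_header(udp_response)
    return {"truncated": h["tc"], "answers": h["ancount"],
            "factor": round(len(udp_response) / len(query), 2)}

def query_udp(server, name, timeout=3.0):
    q = build_query(name, edns_udp_size=4096)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        r, _ = s.recvfrom(65535)
    return q, r

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("short read from name server")
        buf += chunk
    return buf

def query_tcp(server, name, timeout=3.0):
    """DNS over TCP: the message is prefixed with a two-byte length."""
    q = build_query(name)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(q)) + q)
        (n,) = struct.unpack(">H", recv_exact(s, 2))
        return q, recv_exact(s, n)

# --- constructed sample traffic for offline use ---
SAMPLE_QUERY = build_query("example1.com.")
# what the patched server sends over UDP: QR|TC|RD|RA, question echoed, no answers
SAMPLE_TRUNCATED = struct.pack(">HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + question("example1.com.")

def txt_rr(text):
    """One TXT record whose owner is a compression pointer to the question name (offset 12)."""
    data = bytes([len(text)]) + text.encode("ascii")
    return b"\xc0\x0c" + struct.pack(">HHIH", 16, 1, 300, len(data)) + data

# what an unpatched server sends: 30 records in a single UDP datagram
SAMPLE_FULL = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 30, 0, 0) + question("example1.com.")
               + b"".join(txt_rr("v=spf1 include:_spf.example1.com -all") for _ in range(30)))

if __name__ == "__main__":
    server, name = sys.argv[1], sys.argv[2]      # placeholders, e.g. 198.51.100.53 example1.com
    q, r = query_udp(server, name)
    print("UDP:", assess(q, r))
    if parse_header(r)["tc"]:
        q, r = query_tcp(server, name)
        print("TCP:", parse_header(r)["ancount"], "answers,", len(r), "bytes")
```

Run it as python3 any_probe.py <server-ip> <zone> (file name assumed) against the patched server: the UDP line should show truncated True and a factor around 1, the TCP line the full record count. Against an unpatched server the UDP factor is what the attacker gets for free.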


DNSSEC signing

MINI-MINI howto... ;-)

first we create the ZSK (zone signing key) and the KSK (key signing key)

cd /etc/bind
# create ZSK
dnssec-keygen -a ECDSAP256SHA256 -n ZONE example1.com
# create KSK
dnssec-keygen -a ECDSAP256SHA256 -n ZONE -f KSK example1.com

(the -e option only matters for RSA keys, so it is left out here; ECDSAP256SHA256 needs BIND 9.9 or later)

this creates 2 files per key (public .key and private .private), so 4 files in total, e.g.
Kexample1.com.+005+61648 ==> ZSK
Kexample1.com.+005+22804 ==> KSK
(the middle number is the algorithm: these two were made with RSASHA1 = 5, the ECDSA keys from above get +013+; the last number is the key tag)
if you forgot which key is the KSK and which one the ZSK,
that's no big deal...
look into the public .key files and you find something like:

DNSKEY 256

that is the ZSK, or:

DNSKEY 257

then it is the KSK (the SEP bit, 'secure entry point', is set)


if you swap the keys when signing, you get error messages while signing (No shit, Sherlock!) ;-)
the message at the end then looks roughly like this:

The zone is not fully signed for the following algorithms: RSASHA1.
dnssec-signzone: fatal: DNSSEC completeness test failed.

then simply swap the keys on the command line and try again...

now we put the contents of the .key files into our zone file:

cat Kexample1.com*.key >> /var/cache/bind/example1.com.hosts

now we sign our zone file (the key names after -k and at the end are looked up relative to the current directory, /etc/bind here):

dnssec-signzone -s now+0 -e now+2419200 -o example1.com -k Kexample1.com.+005+22804 /var/cache/bind/example1.com.hosts Kexample1.com.+005+61648

-e now+2419200 = 28 days (2419200 / 86400), not 30; re-sign well before the RRSIGs expire, otherwise validating resolvers treat the zone as bogus

if that runs without errors, we get the file:

/var/cache/bind/example1.com.hosts.signed

which we now make known to our bind by making the following changes
in named.conf:

options {
   [...]
   
   dnssec-enable yes;   // already the default; current BIND releases treat this option as obsolete, leave it out there
   
   [...]
};

[...]

zone "example1.com" {
   [...]
   
   file "/var/cache/bind/example1.com.hosts.signed";
   
   [...]
};

now just a:

/etc/init.d/bind9 restart

and test whether it works:

dig @my-dnssec.server.tld example1.com DNSKEY +dnssec

this should now return the DNSKEY records plus their RRSIGs (with the ANY-over-TCP patch from above an ANY query over UDP would only come back truncated, so ask for the record type directly).

DNSSEC verify

via: How to set up DNSSEC validation with BIND-9.7

  • The root zone is now signed! It's time to install the trust anchor on your recursive name servers. Getting it is more fiddly than it should be, since BIND does not recognize the format of the trust anchor as it is published by IANA.
  • Get the root DNSKEY RR set which is roughly what BIND requires for trust anchors.
$ dig +multi +noall +answer DNSKEY . >root-dnskey

The resulting file contains two keys, a short-lived zone-signing key (flags = 256) and the key-signing key (flags = 257) which is the one we care about.

      . 86400 IN DNSKEY 256 3 8 (
                  AwEAAb1gcDhBlH/9MlgUxS0ik2dwY/JiBIpV+EhKZV7L
                  ccxNc6Qlj467QjHQ3Fgm2i2LE9w6LqPFDSng5qVq1OYF
                  yTBt3DQppqDnAPriTwW5qIQNDNFv34yo63sAdBeU4G9t
                  v7dzT5sPyAgmVh5HDCe+6XM2+Iel1+kUKCel8Icy19hR
                  ) ; key id = 41248
      . 86400 IN DNSKEY 257 3 8 (
                  AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
                  bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
                  /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
                  JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
                  oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
                  LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
                  Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
                  LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
                  ) ; key id = 19036
  • Turn the DNSKEY into a DS RR set. The dnssec-dsfromkey program ignores the ZSK and only emits DS RRs for the KSK.
$ dnssec-dsfromkey -f root-dnskey . >root-ds

It emits two RRs, one using SHA-1 and one using SHA-256.

      . IN DS 19036 8 1 B256BD09DC8DD59F0E0F0D8541B8328DD986DF6E
      . IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
the same anchor as IANA publishes it in root-anchors.xml (the format BIND does not read directly):

      <?xml version="1.0" encoding="UTF-8"?>
        <TrustAnchor id="AD42165F-3B1A-4778-8F42-D34A1D41FD93"
          source="http://data.iana.org/root-anchors/root-anchors.xml">
        <Zone>.</Zone>
        <KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00">
          <KeyTag>19036</KeyTag>
          <Algorithm>8</Algorithm>
          <DigestType>2</DigestType>
          <Digest>49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</Digest>
        </KeyDigest>
      </TrustAnchor>
  • You can also fetch https://data.iana.org/root-anchors/root-anchors.asc and use it to verify the XML trust anchor using PGP.
  • Verify that the XML trust anchor matches the DS record you generated from the DNSKEY record.
  • Reformat the DNSKEY record into a BIND managed-keys clause. This tells BIND to automatically update the trust anchor according to RFC 5011.
      managed-keys {
          "." initial-key 257 3 8 "
                  AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
                  bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
                  /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
                  JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
                  oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
                  LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
                  Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
                  LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ";
      };
  • Add the managed-keys clause to your named.conf
  • In the options section of named.conf you should have the directive
dnssec-lookaside auto;

This enables DNSSEC lookaside validation, which is necessary to bridge gaps (such as ac.uk) in the chain of trust between the root and lower-level signed zones (such as cam.ac.uk). BIND comes with a DLV trust anchor built in, which it will also update according to RFC 5011.

  • $ rndc reconfig
  • Check that DNSSEC validation is working. Verify that the "ad" (authenticated data) flag is present in the output of these commands:
$ dig +dnssec www.nic.cat.
$ dig +dnssec www.cam.ac.uk.

The first of these is validated using a chain of trust from the root - DNSSEC as it is ideally intended to work. The second relies on the DLV stop-gap.

caveat (current state): the above is from the BIND 9.7 era. ISC shut the DLV registry down in 2017 and current BIND releases no longer accept dnssec-lookaside; the root KSK was rolled in 2018 (key tag 20326 replaced 19036), and a current BIND with dnssec-validation auto; uses the root anchor shipped in bind.keys and tracks rollovers via RFC 5011. the check with dig +dnssec and the 'ad' flag is still the right one.
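The two checks above (which of the key files from the signing section is the KSK, and whether the DS you computed matches the IANA XML) can be done by hand. The following Python is an added example, not from this page and not BIND's dnssec-dsfromkey: it parses a DNSKEY RR, tells KSK from ZSK by the flags, computes the key tag from RFC 4034 Appendix B and the DS digest from RFC 4034 section 5.1.4, and compares the result with a root-anchors.xml KeyDigest. The DNSKEY text and the XML fragment are the 2010 root keys exactly as shown on this page; the K*.key files produced by dnssec-keygen can be fed to the same functions.

```python
"""Added example (not from the SchnallIchNet page, not BIND code): DNSKEY -> role,
key tag, DS record, and comparison with an IANA root-anchors.xml KeyDigest."""
import base64
import hashlib
import struct
import xml.etree.ElementTree as ET

# root keys as printed on this page (dig +multi output, 2010)
ROOT_ZSK_2010 = """. 86400 IN DNSKEY 256 3 8 (
            AwEAAb1gcDhBlH/9MlgUxS0ik2dwY/JiBIpV+EhKZV7L
            ccxNc6Qlj467QjHQ3Fgm2i2LE9w6LqPFDSng5qVq1OYF
            yTBt3DQppqDnAPriTwW5qIQNDNFv34yo63sAdBeU4G9t
            v7dzT5sPyAgmVh5HDCe+6XM2+Iel1+kUKCel8Icy19hR
            ) ; key id = 41248"""
ROOT_KSK_2010 = """. 86400 IN DNSKEY 257 3 8 (
            AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
            bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
            /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
            JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
            oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
            LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
            Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
            LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
            ) ; key id = 19036"""
# IANA trust anchor file as printed on this page
ROOT_ANCHORS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="AD42165F-3B1A-4778-8F42-D34A1D41FD93"
  source="http://data.iana.org/root-anchors/root-anchors.xml">
<Zone>.</Zone>
<KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00">
  <KeyTag>19036</KeyTag>
  <Algorithm>8</Algorithm>
  <DigestType>2</DigestType>
  <Digest>49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</Digest>
</KeyDigest>
</TrustAnchor>"""

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def parse_dnskey(text):
    """Presentation-format DNSKEY (dig output or a K*.key file) -> (owner, flags, proto, alg, pubkey)."""
    tokens = []
    for line in text.splitlines():
        line = line.split(";", 1)[0]             # drop comments such as '; key id = 19036'
        tokens += line.replace("(", " ").replace(")", " ").split()
    i = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
    return tokens[0], flags, proto, alg, base64.b64decode("".join(tokens[i + 4:]))

def name_to_wire(name):
    """Canonical (lowercase, uncompressed) wire form; '.' becomes a single zero byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, proto, alg, pubkey):
    return struct.pack(">HBB", flags, proto, alg) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B: the 16-bit tag that appears in the K*.+alg+TAG file name."""
    ac = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def key_role(flags):
    """Flag 0x100 marks a zone key, flag 0x1 (SEP) marks the KSK: 256 = ZSK, 257 = KSK."""
    if not flags & 0x100:
        return "not a zone key"
    return "KSK" if flags & 0x1 else "ZSK"

def ds_digest(owner, rdata, digest_type):
    """RFC 4034 5.1.4: digest over owner name (wire) followed by the DNSKEY RDATA."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()

def describe(text):
    owner, flags, proto, alg, pub = parse_dnskey(text)
    rdata = dnskey_rdata(flags, proto, alg, pub)
    return {"owner": owner, "role": key_role(flags), "key_tag": key_tag(rdata), "algorithm": alg}

def ds_record(text, digest_type=2):
    """The DS RR that dnssec-dsfromkey prints for this DNSKEY."""
    owner, flags, proto, alg, pub = parse_dnskey(text)
    rdata = dnskey_rdata(flags, proto, alg, pub)
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {ds_digest(owner, rdata, digest_type)}"

def matches_iana_anchor(text, anchor_xml):
    """True if a KeyDigest in root-anchors.xml agrees with the DS computed from this DNSKEY."""
    owner, flags, proto, alg, pub = parse_dnskey(text)
    rdata = dnskey_rdata(flags, proto, alg, pub)
    root = ET.fromstring(anchor_xml.encode("utf-8"))
    if name_to_wire(root.findtext("Zone")) != name_to_wire(owner):
        return False
    for kd in root.iter("KeyDigest"):
        tag, dalg, dtype = (int(kd.findtext(x)) for x in ("KeyTag", "Algorithm", "DigestType"))
        if (tag, dalg) == (key_tag(rdata), alg) and dtype in DIGESTS \
                and kd.findtext("Digest").upper() == ds_digest(owner, rdata, dtype):
            return True
    return False

if __name__ == "__main__":
    for key in (ROOT_ZSK_2010, ROOT_KSK_2010):
        print(describe(key), ds_record(key, 1), ds_record(key, 2), sep="\n")
    print("anchor matches KSK:", matches_iana_anchor(ROOT_KSK_2010, ROOT_ANCHORS_XML))
```

To check your own keys, read a Kexample1.com.+013+NNNNN.key file into parse_dnskey: the role tells you KSK or ZSK without opening the file, the key tag must equal NNNNN, and the DS record for the KSK is what goes to the parent zone. Note that the tool only proves that the XML and the DNSKEY agree; that the XML itself is genuine still rests on the PGP signature in root-anchors.asc mentioned above.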

chain of trust

[image: DNSSEC.png, the DNSSEC chain of trust]


create a dns key (TSIG key for dynamic updates)

dnssec-keygen -a HMAC-MD5 -b 512 -n USER foo22.bar44.com

this key can be used e.g. for the DNS zone foo22.bar44.com
to allow dynamic zone updates.
the key files are copied to /etc/bind/
(current BIND releases generate TSIG keys with tsig-keygen instead, and HMAC-MD5 is obsolete: use hmac-sha256. for HMAC keys the .key and the .private file carry the same secret, so protect both like a password)
then you still have to put the following
into named.conf, outside the options section:

[...]

key foo22.bar44.com. {
      algorithm HMAC-MD5;
      secret "1Yjjw072uaYWq1eehnA/xtbXOB6Ul3Q/5FFv9//2I4UUm6yscXIFuDp8nmRQ2QFRfrsU+R1R2zIpJjZ4pFJOrw==";
      };

[...]

zone "foo22.bar44.com." {
      [...]
      allow-update {
         key foo22.bar44.com.;
         };
      [...]
      };

[...]
  1. secret = the value from Kfoo22.bar44.com.+157+06098.key (the 'public' key file; 157 = HMAC-MD5) pasted as one string, without the line break the file puts into it
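Why a key and not an IP address: an UPDATE from the 'right' source address costs an attacker one spoofed packet, a TSIG-signed one costs him the key. The following Python is an added example, not code from this page and not BIND or nsupdate: it signs a DNS UPDATE with a TSIG key (RFC 8945, hmac-sha256, which is what to use instead of HMAC-MD5) and verifies it the way named does before it accepts the update, so a message without the key, with the wrong key, altered in transit, or replayed later is refused. The key name reuses the one from the stanza above; the secret, zone, host and address are constructed for the example.

```python
"""Added example (not from the SchnallIchNet page, not BIND/nsupdate code): TSIG
signing and verification of a DNS UPDATE message, RFC 8945, hmac-sha256."""
import hashlib
import hmac
import secrets
import struct
import time

KEY_NAME = "foo22.bar44.com."          # named.conf: key "foo22.bar44.com." { ... };
ALGORITHM = "hmac-sha256."             # named.conf: algorithm hmac-sha256;
KEY_SECRET = secrets.token_bytes(32)   # constructed; named.conf carries it base64-encoded as 'secret'
TSIG, CLASS_ANY = 250, 255

def name_to_wire(name):
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(msg, off):
    """Decode a (possibly compressed) wire name; returns (text, offset after the name)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # compression pointer
            end = end if end is not None else off + 2
            off = ((n & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii").lower())
        off += n
    return ".".join(labels) + ".", (off if end is None else end)

def build_update(zone, host, ip, qid=0x0BAD):
    """Minimal DNS UPDATE (opcode 5): one zone, one 'add A record' instruction, no prerequisites."""
    header = struct.pack(">HHHHHH", qid, 5 << 11, 1, 0, 1, 0)
    zone_section = name_to_wire(zone) + struct.pack(">HH", 6, 1)        # SOA IN
    rr = name_to_wire(host) + struct.pack(">HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + zone_section + rr

def tsig_variables(time_signed, fudge, error=0, other=b""):
    """TSIG RR fields covered by the MAC: key name, class ANY, TTL 0, algorithm, time, fudge, ..."""
    return (name_to_wire(KEY_NAME) + struct.pack(">HI", CLASS_ANY, 0) + name_to_wire(ALGORITHM)
            + time_signed.to_bytes(6, "big") + struct.pack(">HHH", fudge, error, len(other)) + other)

def sign(msg, key=KEY_SECRET, time_signed=None, fudge=300):
    """Append the TSIG RR; the MAC covers the message exactly as it was before the RR was added."""
    t = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(key, msg + tsig_variables(t, fudge), hashlib.sha256).digest()
    orig_id = struct.unpack(">H", msg[:2])[0]
    rdata = (name_to_wire(ALGORITHM) + t.to_bytes(6, "big") + struct.pack(">HH", fudge, len(mac))
             + mac + struct.pack(">HHH", orig_id, 0, 0))               # original ID, error, other len
    rr = name_to_wire(KEY_NAME) + struct.pack(">HHIH", TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    hdr = list(struct.unpack(">HHHHHH", msg[:12]))
    hdr[5] += 1                                                          # ARCOUNT
    return struct.pack(">HHHHHH", *hdr) + msg[12:] + rr

def verify(signed, key=KEY_SECRET, now=None):
    """Server-side check. Returns (ok, reason); only (True, 'ok') may touch the zone."""
    qid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", signed[:12])
    if ar == 0:
        return False, "no TSIG"
    off = 12
    for _ in range(qd):
        off = read_name(signed, off)[1] + 4
    rr_start = off
    for _ in range(an + ns + ar):                  # walk to the last RR, which must be the TSIG
        rr_start = off
        off = read_name(signed, off)[1]
        off += 10 + struct.unpack(">H", signed[off + 8:off + 10])[0]
    name, p = read_name(signed, rr_start)
    rtype, _, _, rdlen = struct.unpack(">HHIH", signed[p:p + 10])
    if rtype != TSIG or off != len(signed):
        return False, "last RR is not a TSIG"
    rdata = signed[p + 10:p + 10 + rdlen]
    alg, q = read_name(rdata, 0)
    t = int.from_bytes(rdata[q:q + 6], "big")
    fudge, macsize = struct.unpack(">HH", rdata[q + 6:q + 10])
    mac = rdata[q + 10:q + 10 + macsize]
    orig_id, error, other_len = struct.unpack(">HHH", rdata[q + 10 + macsize:q + 16 + macsize])
    other = rdata[q + 16 + macsize:q + 16 + macsize + other_len]
    if name != KEY_NAME or alg != ALGORITHM:
        return False, "unknown key or algorithm"
    # the message as the signer saw it: original ID, ARCOUNT without the TSIG, TSIG RR removed
    unsigned = struct.pack(">HHHHHH", orig_id, flags, qd, an, ns, ar - 1) + signed[12:rr_start]
    expected = hmac.new(key, unsigned + tsig_variables(t, fudge, error, other), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):      # wrong key, or message changed since signing
        return False, "bad MAC"
    if abs((int(time.time()) if now is None else now) - t) > fudge:
        return False, "outside fudge window"        # replayed later
    return True, "ok"

if __name__ == "__main__":
    msg = build_update("foo22.bar44.com.", "host.foo22.bar44.com.", "192.0.2.10")
    print("unsigned:", verify(msg))
    print("signed:  ", verify(sign(msg)))
    print("wrong key:", verify(sign(msg, key=b"\x00" * 32)))
```

The point to take away for named.conf: with allow-update { key foo22.bar44.com.; } the check above is what stands between the network and your zone, and nothing about the sender's address enters into it; with allow-update { 192.0.2.0/24; } the only check is the one spoofable field.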

complete named.conf

controls {
        // "rndc-key" has to be defined somewhere, e.g. include "/etc/bind/rndc.key";
        unix "/var/run/bind/named.ctl"
        perm 0600 owner <BIND-UID> group <BIND-GID>
        keys { "rndc-key"; };
};


// key for zone foo22.bar44.com
key foo22.bar44.com. {
      algorithm HMAC-MD5;
      secret "1Yjjw072uaYWq1eehnA/xtbXOB6Ul3Q/5FFv9//2I4UUm6yscXIFuDp8nmRQ2QFRfrsU+R1R2zIpJjZ4pFJOrw==";
};

// i have an acl defining the openNIC root servers
// these servers are responsible for domains like:
// .null, .geek, .indy, ...
// i do not use the openNIC root servers as general root servers;
// only forward-only zones redirect requests to these roots,
// but you have to add a new zone for every new top-level domain
// openNIC serves...
acl "openNICroots" {
     82.229.244.191;
     88.191.51.140;
     216.67.98.38;
     216.87.84.209;
     71.170.11.156;
     58.6.115.42;
     58.6.115.43;
};



options {
        pid-file                "/var/run/bind/run/named.pid";
        directory               "/var/cache/bind";
        statistics-file         "/var/log/named.stats";
        dump-file               "/var/log/named.dump";
        zone-statistics yes;

        /*
        // comment in if you run official zones only!!!!
        blackhole {
                10/8;
                172.16/12;
                192.168/16;
        };
        */

        auth-nxdomain no;
        allow-query { none; };  // global default only: every zone (or view) has to grant its own allow-query

        allow-transfer {
                127.0.0.1;
                62.116.129.129;         // ns9.schlundtech.de
                62.116.163.100;         // ns10.schlundtech.de
                62.116.162.121;         // ns10.schlundtech.de
        };

        max-transfer-time-in 10;
        max-transfer-idle-in 5;
        max-transfer-time-out 10;
        max-transfer-idle-out 5;
        serial-query-rate 20;
        transfer-format many-answers;
        transfers-in 80;
        transfers-out 80;
        transfers-per-ns 30;
        tcp-clients 200;
        max-cache-size unlimited;
        cleaning-interval 60;
        lame-ttl 1200;
        version "Herr 2.7";
};



// MY Zones here...

zone "huetzelgruetzel.com" {
        [....]
        also-notify {
            // notify my slaves explicitly!
            11.12.13.14;
            11.12.13.15;
        };
};



// openNIC zones
// sadly my ACL openNICroots cannot be used in a
// 'forwarders {};' statement (it takes addresses only)!!! :-(
zone "geek" {
        type forward;
        forward only;
        forwarders {
                82.229.244.191;
                88.191.51.140;
                216.67.98.38;
                216.87.84.209;
                71.170.11.156;
                58.6.115.42;
                58.6.115.43;
        };
};

zone "glue" {
        type forward;
        forward only;
        forwarders {
                //"openNICroots";
                82.229.244.191;
                88.191.51.140;
                216.67.98.38;
                216.87.84.209;
                71.170.11.156;
                58.6.115.42;
                58.6.115.43;
        };
};

zone "indy" {
        type forward;
        forward only;
        forwarders {
                82.229.244.191;
                88.191.51.140;
                216.67.98.38;
                216.87.84.209;
                71.170.11.156;
                58.6.115.42;
                58.6.115.43;
        };
};

zone "null" {
        type forward;
        forward only;
        forwarders {
                82.229.244.191;
                88.191.51.140;
                216.67.98.38;
                216.87.84.209;
                71.170.11.156;
                58.6.115.42;
                58.6.115.43;
        };
};

zone "oss" {
        type forward;
        forward only;
        forwarders {
                82.229.244.191;
                88.191.51.140;
                216.67.98.38;
                216.87.84.209;
                71.170.11.156;
                58.6.115.42;
                58.6.115.43;
        };
};

zone "parody" {
        type forward;
        forward only;
        forwarders {
                82.229.244.191;
                88.191.51.140;
                216.67.98.38;
                216.87.84.209;
                71.170.11.156;
                58.6.115.42;
                58.6.115.43;
        };
};

zone "ing" {
        type forward;
        forward only;
        forwarders {
                82.229.244.191;
                88.191.51.140;
                216.67.98.38;
                216.87.84.209;
                71.170.11.156;
                58.6.115.42;
                58.6.115.43;
        };
};

zone "bbs" {
        type forward;
        forward only;
        forwarders {
                82.229.244.191;
                88.191.51.140;
                216.67.98.38;
                216.87.84.209;
                71.170.11.156;
                58.6.115.42;
                58.6.115.43;
        };
};

zone "fur" {
        type forward;
        forward only;
        forwarders {
                82.229.244.191;
                88.191.51.140;
                216.67.98.38;
                216.87.84.209;
                71.170.11.156;
                58.6.115.42;
                58.6.115.43;
        };
};

zone "free" {
        type forward;
        forward only;
        forwarders {
                82.229.244.191;
                88.191.51.140;
                216.67.98.38;
                216.87.84.209;
                71.170.11.156;
                58.6.115.42;
                58.6.115.43;
        };
};