Post on 21-Dec-2015
transcript
Resources
DNS and BIND, 4th Edition, by Paul Albitz & Cricket Liu
Microsoft Win2000 DNS Documentation: http://www.microsoft.com/TechNet/win2000/win2ksrv/reskit/tcpch06.asp
Copy of the PowerPoint presentation: http://paws.flcc.edu/~krampwd/presentations/DNS/index.htm

Presentation Topics
BIND 9.1.x DNS Features
BIND 9.1.x Diagnostic Tools
DNS Security Practices
DNS Security Extensions
DNS and DHCP with Win2000

What is DNS?
DNS stands for Domain Name System: a distributed database that matches domain names to IP numbers.
Developed in the mid-1980's to replace the use of the hosts file.

BIND 9.1.x DNS Features
Multiple Views
Multiprocessor Support
IP Version 6: A6, DNAME, Bitstring Labels
Functional DNSSEC

BIND 9.1.x - Diagnostic Tools
named-checkconf – Checks the configuration file (named.conf) for syntax errors.
named-checkzone – Checks a specified zone file for syntax errors. It takes the zone name first, then the file.
Example: named-checkzone flcc.edu /path/db.flcc

DNS Security Practices
Operating System Security
Restricting Access
Transaction Signatures (TSIG)
List of BIND vulnerabilities: http://www.isc.org/products/BIND/bind-security.html

A Popular Port to Probe
On dShield's web site, http://www.dshield.org, DNS was the single most probed port at 13%, with port 111 (rpc) second at 7% on June 13, 2001.
dShield takes reports from various firewalls, such as Cisco and ipchains, and from IDSs, such as Snort and ZoneAlarm.
Other monitoring sites: http://www.mynetwatchman.com and http://www.incidents.org (SANS). SANS runs the Consensus Intrusion Database, which compiles information from dshield, mynetwatchman, and other data sources.

Operating System Security
Chroot DNS Server – Trap the name server in a subdirectory of the file system.
Least Privilege – The name server normally runs as root. Change its owner and group to a user with lower privileges after it has bound to port 53.

DNS Security Practices
Hiding the BIND version.
Restricting: Query Requests, Recursion, Zone Transfers, Notify
Sending DNS requests to the Blackhole

Security by Obscurity
Stop BIND from providing a version number; advertising it makes it easier for Black Hats to find vulnerable servers.
Command to check what the server reports: dig @IP# txt chaos version.bind
In the options section: version "FLCC BIND";

Restricting Query Access
allow-query – Restricts who can look up information in local zones. This could be used to allow only local users to look at an internal DNS (view).
Example: allow-query { 172.19/16; };

Restricting Recursion
allow-recursion – Restricts who can use the DNS server for recursive lookups. Leaving this open allows any remote user to consume your DNS resources.
Example: allow-recursion { 192.156.234/24; 199.29.9/24; };

Restricting Zone Transfer
allow-transfer – Restricts which secondary DNS servers can perform zone transfers. You don't want to give the Black Hats a road map of your site.
Example: allow-transfer { 172.20.1.2; 172.20.1.3; };
or allow-transfer { none; };

Restricting Notify
allow-notify – The primary server sends a NOTIFY message to the secondary to initiate a zone transfer. A third party could launch a DoS attack by causing the secondary to repeatedly query the primary server, so accept notifies only from the real primary.
Example: allow-notify { 172.20.1.1; };

Restricting Dynamic Update
allow-update – Allows the DNS zones to be updated with new Resource Records (RR). Win2000 depends on this feature to operate, but it could be used by clients for unauthorized additions to and deletions from the zone.
Example: allow-update { none; };

Blackhole
The blackhole command tells the server to ignore any DNS requests or commands from a single IP or from a list of IP ranges. It can also be used to block RFC 1918 reserved addresses, multicast, etc.
Example: blackhole { 172.21.0.0/16; };

Transaction Signatures (TSIG)
TSIG uses a one-way hash function with a shared key for authenticating DNS responses and updates.
Only useful between a small number of servers.
A compromised server would expose the shared key of all the servers.
Used when IP-based security is not enough.

DNS Security Extensions
DNSSEC: RFC2535. Updates: RFC3008, RFC3090, RFC3110
Available in BIND 8.2, but not fully functional.
Public Key Cryptography – Key pairs: one public, one private.

DNS KEY Record
The KEY record is used to publish the public key. The KEY record can also be used for other purposes, such as e-mail encryption.
Various algorithms: RSA/MD5, Diffie-Hellman, DSA.

DNS SIG Record
The SIG (Signature) record holds the digital signature of an RRset, made with the private key.
RRset
A Resource Record set is a collection of resource records with the same name, type and class.
Used with Dynamic DNS.

DNS NXT Record
The NXT record is sent in response to a failed query. It provides the list of record types that exist for the queried name, plus the next domain name in the list.
The list is composed of all the domain names in the zone, sorted in dictionary order, case-insensitively.

Chain of Trust
Each RRset in a secure zone has a SIG record.
The public KEY record is used to verify the SIG record.
The public KEY record is certified by a higher authority (the .edu zone).
The KEY record of the .edu zone is certified by the root servers.

DNS and DHCP with Win2000
DNS and DHCP are the backbone of the operation of Windows 2000. LDAP and Kerberos also play a big part in forming Active Directory (AD).
Wave goodbye to WINS and browsing!!!

Windows Dynamic DNS
An RFC-compliant DNS service. Windows relies on dynamic DNS to operate. Win2000 clients and servers register with the DNS server to provide a name and corresponding IP number. They also register service (SRV) record information as needed.

SRV Records
SRV records are used for locating services. Example: _ldap._tcp.library.flcc.edu
The first label specifies the ldap service. The second label specifies the protocol. The domain name is then listed.

SRV Records, Part 2
Static IP numbers don't have to be assigned to the servers, since they will be dynamically registered in the zone.
Problem: some network devices can only use static IP numbers for connecting to the servers.

Sample of Library DNS Zone
_ldap._tcp      600 SRV 0 100 389 dale.library.
                600 SRV 0 100 389 chip.library.
_kerberos._udp  600 SRV 0 100 88  dale.library.
                600 SRV 0 100 88  chip.library.
chip            900 A   172.21.4.7
dale            900 A   172.21.4.9
library1        900 A   172.21.4.10
library10       900 A   172.21.4.14

Windows DHCP Security
Windows supports several features for securing DNS and DHCP.
Windows 2000 DHCP servers cannot hand out IPs without first being registered with the local AD server.
They can also detect and log the IP of rogue DHCP servers.

Windows Dynamic Update
During the DHCP process, the Win2000 client sends the DHCP server a DHCPREQUEST packet with the FQDN option.
The FQDN option has several flags that indicate whether the client will register with the DNS server itself, or whether the DHCP server should do it.

Registering with DDNS
If the Windows 2000 client performs the registration with the Dynamic DNS server, it first checks whether an address record or an alias is already registered for the domain name.
If neither exists, it sends a dynamic update to the DDNS server.

Non-Win2000 Client Updates
Clients that are not running Windows 2000 (Win98/98, NT, Linux, Macs) will not send the FQDN option.
If the DHCP server is configured to perform the dynamic update, it will automatically do so for the client.

Statically Configured Win2000
Windows 2000 clients that are statically configured with an IP address will still dynamically update the DNS server.
Every 24 hours, or after a reboot, Win2000 clients (and servers) attempt to register their A, PTR, and other Resource Records.

Secure Dynamic Update
Normal dynamic DNS updates are open for abuse. Microsoft offers a secure update service which uses a GSS algorithm for TSIG (an IETF Internet-Draft).
Uses Kerberos for authentication. Won't work with non-Win2000 clients.

Stale DNS Records
Over time, dynamic DNS entries will be left behind in the zones. Clients and DHCP servers are supposed to remove their Resource Records automatically.
But if clients are not shut down properly, or if the network is disrupted…