Advanced Module 3 Stealth Configurations.

1 Advanced Module 3 Stealth Configurations

2 DNS Stealth Configurations
Stealth (also called DMZ or split) DNS
Definition: public and private resources (IP addresses and services) are served separately
Separation of public and private DNS data
Protection of the DNS zone files

3 DNS - Stealth Configuration

4 DNS Stealth Configurations
Same domain name, with separate public and private zone files
Hidden master
Slave-only configuration on the visible servers
Secure zone transfers from the hidden master
Private clients want to query
Non-standard ports (zone transfer and query)
Use of BIND9's view clause
NAT gateway?

5 DNS - Hidden Master

6 DNS - Hidden Master
A registered domain needs two or more name servers
Resolvers start (1) with the root/TLD servers and follow referrals (delegation)
Referrals (2) always go back to the resolver
Slaves (3) respond authoritatively
Zone transfers (4) use IP and cryptographic controls on non-standard ports
Master only visible to the slaves
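
As an added example (not the slide deck's own configuration) of the hidden-master arrangement above: the master listens only on a non-standard port, notifies its slaves explicitly, answers only them, and requires TSIG on transfers; the slaves pull from the master on that port with the same key and never redistribute the zone. The addresses (192.0.2.x, 198.51.100.x), port 2053, paths and the key name are assumptions, and the secret is a placeholder.

```conf
// ---- File 1: named.conf on the hidden master, 192.0.2.10 (assumed address) ----
key "transfer-key" {                       // same key clause on master and slaves
    algorithm hmac-sha256;
    secret "REPLACE-WITH-tsig-keygen-OUTPUT";   // placeholder: generate with "tsig-keygen transfer-key"
};

options {
    directory "/var/named";                // assumed
    listen-on port 2053 { 192.0.2.10; };   // DNS service only on the non-standard port
    recursion no;                          // authoritative only, no resolver service
    allow-query { 192.0.2.53; 198.51.100.53; };  // only the slaves get answers at all
    allow-transfer { none; };              // zones must opt in explicitly below
    notify explicit;                       // NOTIFY the also-notify list, not the NS RRset
    also-notify { 192.0.2.53; 198.51.100.53; };
};

zone "example.com" in {
    type master;
    file "public/example.com";
    allow-transfer { key "transfer-key"; };   // a source IP is spoofable; require the TSIG signature
};

// ---- File 2: named.conf on each public slave (3), e.g. 192.0.2.53 ----
key "transfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-tsig-keygen-OUTPUT";   // placeholder: identical to the master's secret
};

options {
    directory "/var/named";
    listen-on port 53 { 192.0.2.53; };     // the address the world sees in the NS records
    recursion no;                          // the public slave is not a resolver
    allow-transfer { none; };              // never redistribute the zone
};

zone "example.com" in {
    type slave;
    file "slave/example.com";              // fetched copy; this directory must be writable by named
    masters { 192.0.2.10 port 2053 key "transfer-key"; };  // hidden master on its stealth port, signed
    allow-notify { 192.0.2.10; };          // accept NOTIFY only from the master
};
```

Validate each file with named-checkconf before loading it; a transfer refused for a missing or wrong key shows up in the slave's log as a failed AXFR/IXFR, which is the check that the IP-only path is really closed.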

7 DNS - Stealth Configuration

8 DNS - Internal Resolver
Public servers (1) are slaves and only use the public zone files
Master (2) uses a non-standard port for zone transfers, with cryptographic protection (TSIG)
Private DNS (3) has only the private zone files
Users need recursive queries for normal web access
Public (recursive) queries (4) go through the firewall/NAT

9 DNS - Stealth Configuration
options {
    // ...
    // Private DNS (3)
    recursion yes;
    allow-recursion { 172.18.0.0/16; };   // cache access only from the private network
};
// required zone for recursive queries
// transactions will pass through a classic firewall
zone "." {
    type hint;
    file "root.servers";
};
// zone clause - master for example.com
zone "example.com" in {
    type master;
    file "private/example.com";
};
// required local host domain
// localhost reverse map
// reverse map for local address at example.com
// uses for illustration

10 DNS - Stealth Configuration
options {
    // ...
    // Public DNS (1)
    recursion no;
};
// zone clause - master for example.com
zone "example.com" in {
    type master;
    file "public/example.com";
};
// localhost/reverse localhost - maybe

11 DNS - Stealth Configuration

12 DNS - External Resolver
Public servers (1) are slaves and only use the public zone files, but also provide recursive service to the private clients
Master (2) uses a non-standard port for zone transfers, with cryptographic protection (TSIG)
Private DNS (3) has only the private zone files
Users need recursive queries for normal web access
Public (recursive) queries (4) use a forwarding DNS (on a non-standard port) to DNS (1)

13 DNS - Stealth Configuration
options {
    // ...
    // Private DNS (3)
    recursion yes;   // the slide shows "recursion no", but BIND only forwards on behalf of
                     // recursive queries; with recursion off the clients would get referrals
};
// required zone for recursive queries
// uses stealth port 2053
zone "." {
    type forward;
    forward only;
    // placeholders: the addresses of the public DNS servers (1) were lost from the slide
    forwarders { 192.0.2.53 port 2053; 198.51.100.53 port 2053; };
};
// zone clause - master for example.com
zone "example.com" in {
    type master;
    file "private/example.com";
};
// required local host domain
// localhost reverse map
// reverse map for local address at example.com
// uses for illustration

14 DNS - Stealth Configuration
options {
    // ...
    // Public DNS (1)
    recursion yes;
    // placeholder: the address of the private forwarding DNS (3) as this server sees it
    allow-recursion { 172.18.0.1; };
    // private forward DNS (placeholder addresses: the slide's were lost)
    listen-on port 53 { 192.0.2.53; };
    listen-on port 2053 { 192.0.2.53; };
};
// zone clause - master for example.com
zone "example.com" in {
    type master;
    file "public/example.com";
};
// normal hints zone
zone "." {
    type hint;
    file "root.servers";
};
// localhost/reverse localhost - maybe

15 DNS - Using View Clause
A single DNS server can be configured to support both private and public capabilities
Maintains two logically separate views
Clients can connect to the private or the public service
Does not need a firewall (?)
Vulnerable if the filesystem is compromised
Uses: match-clients { ip_list; }; match-destinations { ip_list; }; match-recursive-only yes_or_no;

16 DNS - Bind9 View

17 DNS - Using View Clause
DNS server (1) has public and private views
Hidden master (2)
Clients access the private side only, for authoritative (3) and recursive (4) queries
The private side issues the public (5) recursive queries
The server's public view only answers public queries

18 DNS - using View Clause
options {
    // Public/Private DNS (1)
    // ...
    recursion no;
};
view "private" {
    match-clients { localnets; localhost; };
    recursion yes;
    allow-recursion { localnets; localhost; };
    // zone is private
    zone "example.com" {
        type master;
        file "private/example.com";
    };
    // zone files for hints, localhost, local reverse map
};
view "public" {
    match-clients { any; };
    zone "example.com" in {
        type slave;
        file "public/example.com";
        masters { 192.0.2.10; };   // placeholder: address of the hidden master (2)
    };
    // zone files for localhost
};

19 DNS - Using View Clause
View order is significant: views are tried in order and the first matching match-clients wins, so match-clients { any; }; in the public view acts as the else condition
Private cache is polluted with public data
Single server
Can be routed through a firewall or not
A compromise of the filesystem will allow reading of the private data

20 DNS - Admin security
BIND runs as root until it has assembled all its files, so permissions can be very tight, especially on included files
Files:
named.conf - contains sensitive information, especially where private views are involved
key files - always include them from a separate file (0600 root:wheel)
zone files - only the private ones
log files - shared between public and private
rndc - think very carefully
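
An added example (not from the slides) of the points above: the key clauses live in separately included, tightly permissioned files, rndc is bound to loopback and requires its own key, and transfer, notify and security events go to a dedicated log so a refused transfer or blocked recursion attempt is visible. Paths, key names, the file modes and the logging layout are assumptions.

```conf
// named.conf fragment (added example; paths, key names and modes are assumed)

// Key material never sits in named.conf itself: each key clause lives in its own file,
// e.g. /etc/named/keys/transfer.key containing
//   key "transfer-key" { algorithm hmac-sha256; secret "<output of tsig-keygen transfer-key>"; };
// with mode 0600 and owned by the user that reads the configuration.
include "/etc/named/keys/transfer.key";
include "/etc/named/keys/rndc.key";      // written by "rndc-confgen -a"; defines key "rndc-key"

// rndc: loopback only, and only with the key; port 953 never faces a network
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

options {
    directory "/var/named";
    recursion no;
    allow-transfer { none; };            // a per-zone allow-transfer with a key overrides this
    version "not disclosed";             // don't advertise the release via version.bind
};

// The private zone data and the keys are the assets: log what touches them
logging {
    channel security_log {
        file "log/security.log" versions 5 size 10m;   // directory must be writable by named
        severity info;
        print-time yes;
        print-category yes;
    };
    category security { security_log; };   // allowed/denied requests: refused AXFR, blocked recursion
    category xfer-in  { security_log; };
    category xfer-out { security_log; };
    category notify   { security_log; };
};

zone "example.com" in {
    type master;
    file "private/example.com";          // private zone file: not world-readable
    allow-transfer { key "transfer-key"; };
};
```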

21 Quick Quiz
Should a public DNS server support recursion?
Must the master NS be defined when you register a domain?
Name at least two statements that can be used to select view users.
Does an authoritative server need a hints zone clause?
Should key clauses ever be defined directly in named.conf?
