Advanced Module 3 Stealth Configurations.

Presentation transcript:

Advanced Module 3 Stealth Configurations

DNS Stealth Configurations
Stealth (aka DMZ, Split)
Definition: Public and Private Resources (IP addresses and services)
Separation of Public and Private
Protection of DNS Zone files

DNS - Stealth Configuration

DNS Stealth Configurations
Same Domain Name - Public and Private zone files
Hidden Master
Slave Only Configuration
Secure Zone Transfers from Hidden Master
Private Clients want to query
Non-standard ports (ZT and Query)
Use of BIND9's view clause
NAT Gateway?

DNS - Hidden Master

DNS - Hidden Master
A registered domain needs two or more Name Servers
Resolvers start (1) with Root/TLD and use referrals (delegation)
Referrals (2) always go back to the Resolver
Slaves (3) respond Authoritatively
Zone Transfers (4) - use IP/Crypto controls with Non-standard ports
Master only visible to slaves

DNS - Stealth Configuration

DNS - Internal Resolver
Public Servers (1) are slaves - only use Public zone files
Master (2) uses non-standard port Zone Transfer with crypto (TSIG)
Private DNS (3) has only private zone files
Users need Recursive queries for normal web access
Public (Recursive) Queries (4) go through firewall/NAT

DNS - Stealth Configuration

options {
    ...
    // Private DNS (3)
    recursion yes;
    allow-recursion {172.18.0.0/16;}; // cache access
};
// required zone for recursive queries
// transactions will pass through a classic firewall
zone "." {
    type hint;
    file "root.servers";
};
// zone clause - master for example.com
zone "example.com" in {
    type master;
    file "private/example.com";
};
// required local host domain
// localhost reverse map
// reverse map for local address at example.com
// uses 192.168.254.0 for illustration
// (these three zone clauses are not shown on the slide)

DNS - Stealth Configuration

options {
    ...
    // Public DNS (1)
    recursion no;
};
// zone clause - master for example.com
zone "example.com" in {
    type master;
    file "public/example.com";
};
// localhost/reverse localhost
// maybe
// (zone clauses not shown on the slide)

DNS - Stealth Configuration

DNS - External Resolver
Public Servers (1) are slaves - only use Public zone files but also provide Recursive service to Private Clients
Master (2) uses non-standard port Zone Transfer with crypto (TSIG)
Private DNS (3) has only private zone files
Users need Recursive queries for normal web access
Public (Recursive) Queries (4) use a Forwarding DNS (with non-std port) to DNS (1)

DNS - Stealth Configuration

options {
    ...
    // Private DNS (3)
    // forwarding only applies to recursive queries, so recursion must be on
    // (the slide shows "recursion no", which would make the forward zone ineffective)
    recursion yes;
};
// required zone for recursive queries
// uses stealth port 2053
zone "." {
    type forward;
    forward only;
    forwarders {192.168.2.3 port 2053; 192.168.2.4 port 2053;};
};
// zone clause - master for example.com
zone "example.com" in {
    type master;
    file "private/example.com";
};
// required local host domain
// localhost reverse map
// reverse map for local address at example.com
// uses 192.168.254.0 for illustration
// (these three zone clauses are not shown on the slide)

DNS - Stealth Configuration

options {
    ...
    // Public DNS (1)
    recursion yes;
    allow-recursion {10.0.0.3;}; // private forward DNS
    listen-on port 53 {192.168.2.3;};
    listen-on port 2053 {192.168.2.3;};
};
// zone clause - master for example.com
zone "example.com" in {
    type master;
    file "public/example.com";
};
// normal hints zone
zone "." {
    type hint;
    file "root.servers";
};
// localhost/reverse localhost
// maybe
// (zone clauses not shown on the slide)
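The slides show the private DNS (3) and the public DNS (1) but not the hidden master (2) or the slave side of the zone transfer that both the internal-resolver and external-resolver layouts rely on. The configuration below is an added example, not from the slides or from any BIND distribution; it shows the TSIG-protected transfer over the non-standard port 2053 that the "Hidden Master" slide describes. The addresses (192.168.2.2 for the master, 192.168.2.3 and 192.168.2.4 for the public slaves), the key name "xfer-key" and the file paths are assumptions.

```conf
// ADDED EXAMPLE - not part of the original slides.
// Hidden master (2) and a public slave (1) for example.com, joined by a TSIG key
// over the stealth port 2053. Addresses, key name and paths are assumptions.

// ---------- /etc/named/keys/xfer.key (0600 root:wheel) on master and slaves ----------
// Generate with: tsig-keygen -a hmac-sha256 xfer-key > /etc/named/keys/xfer.key
key "xfer-key" {
    algorithm hmac-sha256;
    secret "BASE64-SECRET-PLACEHOLDER";   // placeholder, replace with the generated secret
};

// ---------- named.conf on the hidden master (2) ----------
include "/etc/named/keys/xfer.key";       // secret stays out of named.conf

options {
    directory "/var/named";
    listen-on port 2053 { 192.168.2.2; };           // never listens on 53
    recursion no;                                   // authoritative only
    allow-query { 192.168.2.3; 192.168.2.4; };      // only the slaves may ask
    allow-transfer { none; };                       // default: no transfers at all
    notify explicit;                                // NOTIFY only the listed slaves
    also-notify { 192.168.2.3; 192.168.2.4; };
};

zone "example.com" in {
    type master;
    file "public/example.com";
    // IP filtering alone is spoofable on a UDP/TCP path; require the TSIG key
    allow-transfer { key "xfer-key"; };
};

// ---------- named.conf on a public slave (1) ----------
include "/etc/named/keys/xfer.key";       // same shared secret as the master

server 192.168.2.2 {
    keys { "xfer-key"; };                 // sign every message sent to the master
};

options {
    directory "/var/named";
    listen-on port 53 { 192.168.2.3; };   // public service port
    recursion no;                         // public server: no cache for anyone
    allow-transfer { none; };             // public slaves never hand out the zone
};

zone "example.com" in {
    type slave;
    file "public/example.com";
    // fetch from the hidden master on 2053, signed with the key
    masters { 192.168.2.2 port 2053 key "xfer-key"; };
    allow-notify { 192.168.2.2; };        // accept NOTIFY only from the master
};
```

The master's `allow-transfer { none; }` in options plus the per-zone `allow-transfer { key "xfer-key"; }` means a transfer is granted only to a request carrying a valid TSIG signature; an address-only rule would accept anything that could reach port 2053 with the right source address. Both named.conf files can be syntax-checked with `named-checkconf` before reloading.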

DNS - Using View Clause
A single DNS can be configured to support both Private and Public capabilities
Maintains two logically separate views
Clients can connect to private or public services
Does not need Firewall (?)
Vulnerable if the filesystem is compromised
Uses: match-clients {ip list;}; match-destinations {ip list;}; match-recursive-only yes|no; (the last is a yes/no flag in BIND 9, not an address list)

DNS - Bind9 View

DNS - Using View Clause
DNS Server (1) has Public and Private views
Hidden Master (2)
Clients access Private side only for Authoritative (3) and Recursive (4) queries
Private side issues Public (5) (Recursive) queries
Server's Public view only answers public queries

DNS - using View Clause

options {
    // Public/Private DNS (1)
    ...
    recursion no;
};
view "private" {
    match-clients {localnets;localhost;};
    recursion yes;
    allow-recursion {localnets;localhost;};
    // zone is private
    zone "example.com" {
        type master;
        file "private/example.com";
    };
    // zone files for hints, localhost, local reverse map
    // (not shown on the slide)
};
view "public" {
    match-clients {any;};
    zone "example.com" in {
        type slave;
        file "public/example.com";
        // masters {...}; clause (hidden master address) not shown on the slide
    };
    // zone files for localhost
    // (not shown on the slide)
};

DNS - Using View Clause
View order is significant - match-clients {any;}; in the public view acts as an else condition
Private cache is polluted with public data
Single server
Can be routed through firewall or not
Breaking of filesystem will allow reading of private data

DNS - Admin security
BIND runs as root until it has read all its files - permissions can be very tight, especially on included files
Files:
named.conf - contains sensitive information, especially where private views are involved
key files - always include (0600 root:wheel)
zone files - only private ones
log files - in shared public/private
rndc - think very carefully
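The admin-security slide lists what to protect but shows no configuration. The fragment below is an added example, not from the slides, of how the points fit together in named.conf: secrets kept in separately permissioned files pulled in with `include`, the rndc control channel limited to the local host and a key, and query logging on its own channel. File paths, key names and the log file name are assumptions; the secret is a placeholder.

```conf
// ADDED EXAMPLE - not part of the original slides. Paths and names are assumptions.

// ---------- /etc/named/keys/rndc.key (0600 root:wheel) ----------
// Generated with: rndc-confgen -a -k rndc-key  (writes the key clause to a file)
key "rndc-key" {
    algorithm hmac-sha256;
    secret "BASE64-SECRET-PLACEHOLDER";   // placeholder; the real secret never goes in named.conf
};

// ---------- /etc/named.conf (0640 root:named) ----------
// named reads this as root before dropping privileges (named -u named), so the
// included key files can stay 0600 root-owned and still be loaded.
include "/etc/named/keys/rndc.key";
include "/etc/named/keys/xfer.key";       // TSIG key for zone transfers, same 0600 rule

controls {
    // rndc accepted only from the local host AND only when signed with rndc-key;
    // no remote reload/reconfig path exists, so there is nothing to expose at the firewall.
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

logging {
    // query log in its own rotated file; when views are in use each line carries
    // the view name, so private and public traffic can be told apart after the fact
    channel query_log {
        file "log/queries.log" versions 5 size 10m;
        print-time yes;
        print-category yes;
    };
    category queries { query_log; };
};
```

Because the private view's zone files and the key files hold the data an attacker with filesystem access would want, the point of the split is that only root and the named process (read-only, after privilege drop) can reach them, while the public zone files can remain world-readable without loss.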

Quick Quiz
Should a public DNS server support recursion?
Must the master NS be defined when you register a domain?
Name at least two statements that can be used to select view users.
Does an Authoritative Server need a hints zone clause?
Should key clauses ever be defined in named.conf?