Secured Dynamic Updates. Caution Portions of this slide set present features that do not appear in BIND until BIND 9.3 –Snapshot code is available for.

Slides:



Advertisements
Similar presentations
ITR3 lecture 9: DNS, mail, rsync Thomas Krichel
Advertisements

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
1 Dynamic DNS. 2 Module - Dynamic DNS ♦ Overview The domain names and IP addresses of hosts and the devices may change for many reasons. This module focuses.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 6 Managing and Administering DNS in Windows Server 2008.
School of Electrical Engineering and Computer Science, 2004 Slide 1 Autonomic DNS Experiment Architecture, Symptom and Fault Identification.
Web Server Administration
2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.
Web Server Administration Chapter 4 Name Resolution.
Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.
DNS Session 4: Delegation and reverse DNS Joe Abley AfNOG 2006 workshop.
DNS Domain Name System –name servers –Translates FDQN to IP address List of fully qualified domain names (FDQN) and their IP addresses, FDQN has three.
DNS. DNS is a network service that enables clients to resolve names to IP address and vice-versa. Allows machines to be logically grouped by domain names.
1 DNS. 2 BIND DNS –Resolve names to IP address –Resolve IP address to names (reverse DNS) BIND –Berkeley Internet Name Domain system Version 4 is still.
The Domain Name System. CeylonLinux DNS concepts using BIND 2 Hostnames IP Addresses are great for computers –IP address includes information used for.
Chapter 4 - Lab DNS Configuration in Linux.  DNS Configuration in Linux Projects 4-1 through 4-3 Projects 4-4 deals with multiple domains  DNS Configuration.
RNDC & TSIG. What is RNDC? Remote Name Daemon Controller Command-line control of named daemon Usually on same host, can be across hosts –Locally or remotely.
Domain Name System (DNS) Network Information Center (NIC) : HOSTS.TXT.
Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.
DNS & DHCP in the 21st Century William D. Kramp Network Administrator Finger Lakes Community College.
Investigations into BIND Dynamic Update with OpenSSL by David Wilkinson.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
TCP/IP.
Reverse DNS. Overview Principles Creating reverse zones Setting up nameservers Reverse delegation procedures.
Domain Name Services Oakton Community College CIS 238.
Copyright line. Configuring DNS EXAM OBJECTIVES  An Introduction to Domain Name System (DNS)  Configuring a DNS Server  Creating DNS Zones  Configuring.
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.
Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 Peter Janssen, EURid.eu Ljubljana, RIPE 64, April
Module 10 Advanced Topics. DNS and DHCP DHCP can be configured to auto- update (using DDNS) the forward and reverse map zones Can be secured using allow-update.
DNS. Introduction What is DNS? –Hierarchy or Tree –Dot used as a separator.
Module 3 DNS Types.
DNS and Active Directory Integration
New SA Training Topic 7: DNS and DHCP To implement the underlying basis for our organizations networking, we rely on two fundamental services  DNS – the.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Troubleshooting. Why Troubleshoot? What Can Go Wrong? –Misconfigured zone –Misconfigured server –Misconfigured host –Misconfigured network.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 7: Domain Name System.
Chapter 17 Domain Name System
Dynamic and Secure DNS Tianyi Xing.  Establish a dynamic and secure DNS service in the mobicloud system.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 6: Name Resolution.
Module 5 BIND Configuration. named.conf – controls operational features Located - Linux: /etc/named.conf /etc/bind/named.conf Located- BSD: /usr/local/etc/named.conf.
Chapter 16 – The Domain Name System (DNS) Presented by Shari Holstege Tuesday, June 18, 2002.
Module 8 DNS Tools & Diagnostics. Objectives Understand dig and nslookup Understand BIND toolset Understand BIND logs Understand wire level messages.
Module 2 Zone Files. Objective Understand the idea of a zone and how it relates to a domain name understand zone file structure Understand the major Resource.
1 Kyung Hee University Chapter 18 Domain Name System.
© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Practicalities.
1 Internet Network Services. 2 Module - Internet Network Services ♦ Overview This module focuses on configuring and customizing the servers on the network.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
1 Discussion of the new DNS generation system DNS Operations SIG APNIC 18 2nd September 2004, Fiji.
Module 8 DNS Tools & Diagnostics. Dig always available with BIND (*nix) and windows Nslookup available on windows and *nix Dig on windows – unpack zip,
DNS DNS overview DNS operation DNS zones. DNS Overview Name to IP address lookup service based on Domain Names Some DNS servers hold name and address.
CIS 192B – Lesson 2 Domain Name System. CIS 192B – Lesson 2 Types of Services Infrastructure –DHCP, DNS, NIS, AD, TIME Intranet –SSH, NFS, SAMBA Internet.
DNS server & Client Objectives –to learn how to setup dns servers Contents –An Introduction to DNS –How To Download and Install The BIND Packages –How.
Linux Operations and Administration
4343 X2 – Outline The Domain Name System The Web.
Web Server Administration Chapter 4 Name Resolution.
1 CMPT 471 Networking II DNS © Janice Regan,
OPTION section It is the first section of the named.conf User can use only one option statement and many option-value pair under the section. Syntax is.
2/26/2003 Lecture 4 Computer System Administration Lecture 4 Networking Startup/DNS.
Aug 2008 KRNIC of NIDA KRNIC Updates.
DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access
WHAT IS DNS??????????.
AfNOG-2003 Domain Name System (DNS) Ayitey Bulley Setting up an Authoritative Name Server.
Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.
DNS Session 3: Configuration of Authoritative Nameservice Joe Abley AfNOG 2013, Lusaka, Zambia.
1 Internet Service DNS & BIND OPS335 Seneca College of Applied Technology.
Module 5: Resolving Host Names by Using Domain Name System (DNS)
Chapter 19 Domain Name System (DNS)
Presentation transcript:

Secured Dynamic Updates

Caution Portions of this slide set present features that do not appear in BIND until BIND 9.3 –Snapshot code is available for this BIND 9.2 can perform most of the dynamic update features

Outline Dynamic Update Basics Setting Up A Dynamic Zone Tools Securing It Authorization Configuration Playing with Update Commands Interactions with DHCP

Getting Data Into DNS Network Database Primary NS $origin soa ns ro ns ns1. ns a Zone File Secondary NS AXFR Dynamic Update

Advantages of Dynamic Updates Change DNS data quickly Make changes from anywhere No need to reload whole zone Data becomes more current

Uses of Dynamic Update Adding a new delegation to a large zone –Cut down on reload times Conference attendees –Laptops can use same name, new IP

Risks of Dynamic Update Authoritative servers listen to the network for data Authorization checks needed before accepting a request Server risks being tied up with updates Dynamic zones are hard to edit via "the old ways"

Other Considerations Once a zone goes dynamic, it is hard to edit Mixing dynamic data and critical static data is a bad idea, even neglecting security concerns This isn't meant to scare you from dynamic update, but to alert you

"Secure" Dynamic Update Secure refers to the safety of the update requests –Only the right clients will be able to get data into the zone Limitations on the term "secure" –Won't stop anyone issuing bad requests –Doesn't address DNSSEC, adding digital signatures to the zone

Tools In order to do any of this, we need tools (software) All are part of a BIND 9 distribution –named - the server, concentrating on conf file –dig - a query/response tool –nsupdate - issues dynamic update messages –rndc - remote name server daemon control –dnssec-keygen - makes the keys needed

A static zone zone "myzone.example." { type master; file "myzone.example."; allow-transfer { any; }; };

Adding a dynamic zone zone "myzone.example." { type master; file "myzone.example."; allow-transfer { any; }; }; zone "dynamic.myzone.example." { type master; file "dynamic.myzone.example."; allow-transfer { any; }; allow-update { any; }; }; //note: on-line slide is different

dynamic.myzone.example > cat db.dynamic.myzone.example $ORIGIN dynamic.myzone.example. $TTL 1d ; 1 IN SOA ns1root( 1 ; serial 30m ; refresh (30 minutes) 15m ;retry (15 minutes) 19h ;expire (19h12m) 18min;minimum (18min) ) NS ns1.myzone.example

Journal Files Once a dynamic zone begins running –A journal file (.jnl) is created when the first dynamic update has been made –This binary, non-text file maintains all updates in recent times –Updates aren't immediately reflected in the original, but they are eventually –Journal entries are written to the zone file at server shutdown (and on demand)

dig Basic debugging aid domain.name type Used to verify that change has been made Used to verify that SOA number increments

dig examples > version.bind chaos txt > myzone.example. soa +multiline > dynamic.myzone.example. soa

nsupdate Generates updates based upon user input Used to make requested updates

nsupdate example % nsupdate > server > zone dynamic.myzone.example. > update add alu.dynamic.myzone.example. 600 A > update add dynamic.myzone.example. 600 MX 10 alu > send > quit Just to check our work... % alu.dynamic.myzone.example. A % dynamic.myzone.example. MX

rndc "Remote" management of server, usually across Used to stop, reload server Used to freeze and unfreeze dynamic zone { available in BIND 9.3 }

rndc examples % rndc -c rndc.conf status % rndc -c rndc.conf reload % rndc -c rndc.conf freeze dynamic.myzone.example % rndc -c rndc.conf unfreeze dynamic.myzone.example % rndc -c rndc.conf stop NOTE: "freeze" and "unfreeze" are introduced in BIND 9.3

dnssec-keygen Simple tool to generate keys Used for DNSSEC too Used here to generate TSIG keys Used also to generate SIG(0) keys - in version 9.3

dnssec-keygen tsig example % dnssec-keygen -a HMAC-MD5 -b 128 -n host sample.tsig.key Ksample.tsig.key % ls Ksample* Ksample.tsig.key key Ksample.tsig.key private

dnssec-keygen sig(0) example % dnssec-keygen -a RSA -b 512 -n host sample.tsig.key Ksample.tsig.key % ls Ksam* Ksample.tsig.key key Ksample.tsig.key key Ksample.tsig.key private Ksample.tsig.key private

"Secured" Dynamic Update Limited to the security of the requests Dynamic Updates to a DNSSEC zone is a work in progress Two steps –Identify and authenticate the updater –Determine if updater is authorized

Steps Create a separate zone for dynamic updates –(Done) Configure keys Configure policy

Configuring Keys Two styles –TSIG - shared secret –SIG (0) - public key TSIG –works in 9.2, secret needed in named.conf (or “include”) and in client SIG(0) –needs 9.3, public key listed in the zone file (not in named.conf) and private key in client

TSIG keys Issue: Naming the key –Name is arbitrary, but must be consistent between the named.conf and client –There is an advantage to making it the same as a domain in the zone To test the keys, turn on key-based authorization of AXFR - just for testing

Making TSIG keys dnssec-keygen -a HMAC-MD5 -b 128 -n host \ slave1.dynamic.myzone.example. dnssec-keygen -a HMAC-MD5 -b 128 -n host \ slave2.dynamic.myzone.example. ls: Kslave1.dynamic.myzone.example key Kslave1.dynamic.myzone.example private Kslave2.dynamic.myzone.example key Kslave2.dynamic.myzone.example private

Adding TSIG to named.conf key “slave1.dynamic.myzone.example." { algorithm HMAC-MD5; secret "sd7qi6tiw+N5fK3mGNDNJU9TwIju+1ye7r2shgfkxIg="; }; key “slave2.dynamic.myzone.example." { algorithm HMAC-MD5; secret "KXMoZHZIIxVsxKp4aUp6YTy3EswUN9CeDEpneJDOgVM= "; };

Configuring TSIG AXFR Just so we can see that the keys work zone "dynamic.myzone.example." { type master; file "dynamic.myzone.example."; allow-transfer { key slave1.dynamic.myzone.example.; key slave2.dynamic.myzone.example.; }; allow-update { ; }; };

Testing with dig Fails: % dynamic.myzone.example. axfr Succeeds: % dynamic.myzone.example. axfr -y slave1.dynamic.myzone.example.:KXMoZHZIIxVsxKp4aU p6YTy3EswUN9CeDEpneJDOgVM= This shows that the TSIG key is properly configured in named.conf

Key based dynamic updates (TSIG) zone "dynamic.myzone.example." { type master; file "dynamic.myzone.example."; allow-transfer { key slave1.dynamic.myzone.example.; key slave2.dynamic.myzone.example.; }; allow-update { key user1.dynamic.myzone.example.; key user2.dynamic.myzone.example.; };

"Keying" nsupdate The next three slides show different ways to add key information to nsupdate –first hides key from "ps -aux" by entering it interactively –second hides it by referencing the file it is in –last puts the secret on the command line

Keyed nsupdate #1 % nsupdate > zone dynamic.myzone.example. > server > key user1.dynamic.myzone.example. sd7qi6tiw+N5fK3mGNDNJU9TwIju+1ye7r2shgfkxIg= > update add puri.dynamic.myzone.example. 600 A > send % puri.dynamic.myzone.example A

Keyed nsupdate #2 % nsupdate -k Kuser1.dynamic.myzone.example > zone dynamic.myzone.example. > server > update add alu.dynamic.myzone.example. 900 A > Send % alu.dynamic.myzone.example A

Keyed nsupdate #3 % nsupdate -y Kuser1.dynamic.myzone.example.:sd7qi6tiw+N5fK3mGNDNJU 9TwIju+1ye7r2shgfkxIg= > zone dynamic.myzone.example. > server > update add palak.dynamic.myzone.example. A > send % palak.dynamic.myzone.example. A

Interaction with DHCP See the following URL for in-depth information – ddns-howto.htmlhttp://ops.ietf.org/dns/dynupd/secure- ddns-howto.html

How DHCP and DynUp Look Mirchi.net in-addr.arpa. leases for DNS DHCP apnic16.apnic.net in-addr.arpa. leases for DNS DHCP 16 chawla.mirchi.net

How This Happens, part 1 Host has a TSIG/SIG(0) to update the entry chawla.mirchi.net. A Home DHCP can change in- addr.arpa. (via TSIG/SIG(0)) in-addr.arpa PTR chawla.mirchi.net. APNIC16 DHCP can change in- addr.arpa in-addr.arpa PTR chawla.mirchi.net.

At Lease Change Time When releasing home address –Home DHCP removes the PTR record –Host alters/removes its A RR –Done via scripts (depends on DHCP software) When gaining APNIC 16 lease –APNIC 16 DHCP adds a PTR record –Host registers an A RR with the home server

Questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.