DNS RPZ Intro RPZ Overview Lecturer: Ron Aitchison dns@zytrax.com.

Presentation on theme: "DNS RPZ Intro RPZ Overview Lecturer: Ron Aitchison dns@zytrax.com."— Presentation transcript:

1 DNS RPZ Intro RPZ Overview Lecturer: Ron Aitchison

2 RPZ Overview
Copyright Zytrax, Inc. All rights reserved.

Resolver enhancement:
- Functionality is triggered by a response-policy statement in the BIND configuration (named.conf)
- Policy Triggers and Policy Actions are defined selectively in 'standard' zone files
- Those zone files are declared in zone clauses within the BIND configuration (named.conf)
- The logging clause and the response-policy statement (policy disabled) serve as diagnostic aids

RPZ objective:
- Override query responses selectively (Policy Trigger)
- Selectively return user-defined responses in place of the real query result ("white lies") (Policy Action)

3 RPZ Zone File Example

Zone-file comments start with ';' (the '//' used in named.conf is not valid in a zone file); the mail-address field of the SOA needs a trailing dot so that $ORIGIN is not appended to it:

    $TTL 2h
    $ORIGIN domain.example.com.
    @   SOA  nsd.example.net. hostmaster.example.com. ( 1 12h 15m 3w 2h )
        NS   nsd.example.net.   ; out-of-zone, no A/AAAA RR required
    ; begin RPZ RR definitions
    ; QNAME Policy Trigger, Local-Data Policy Action
    ; sends the client to a local website
    ; kills the whole domain: the apex and, via the wildcard, every subdomain
    example.org     CNAME explanation.example.com.
    *.example.org   CNAME explanation.example.com.
    ; IP Policy Trigger, DROP Policy Action
    ; any answer containing an address in the IP range ( /24)
    ; owner name encodes the range as prefixlen.reversed-octets.rpz-ip
    rpz-ip          CNAME rpz-drop.

4 RPZ Zone File Data Generation

Acquire and reformat existing lists (squidblacklists?):
- Quickest and cheapest solution
- Multiple categories
- Updated lists can be handled by a selective zone reload (no restart)
- Single Policy Trigger (QNAME) with one or more Policy Actions
- Lists lag discovery
- Limited differentiation and value added

In-house effort:
- Policy Triggers offer powerful (aggressive) features
- RPZ zones can anticipate discovery
- Potential collateral effects
- Selective implementation
- Business opportunity
- Zone file distribution (master/slave)
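The list-reformatting step above, and the owner-name encoding behind the rpz-ip record on the previous slide, as an added example (not code from the presentation). The zone name rpz.example.com, the walled-garden target explanation.example.com, the sample category lists and the address ranges are constructed for illustration:

```python
"""Generate an RPZ zone file from acquired category lists.

Added example, not the presentation's code. Zone name, walled-garden target,
sample lists and address ranges are assumptions for illustration."""
import ipaddress

# Constructed sample input in the shape a reformatted third-party list has:
# one name per line, '#' comments, mixed case, trailing dots and duplicates.
SAMPLE_LISTS = {
    "malware": "bad.example.org\n# placeholder comment\nWWW.Evil.example.net.\nbad.example.org\n",
    "ads": "ads.example.net\n",
}
SAMPLE_NETS = ["192.0.2.0/24", "2001:db8::/32"]   # constructed: answers in these ranges are dropped


def parse_list(text):
    """Normalise a list: strip comments and whitespace, lower-case, drop the trailing dot, dedupe."""
    names, seen = [], set()
    for line in text.splitlines():
        name = line.split("#", 1)[0].strip().lower().rstrip(".")
        if name and name not in seen:
            seen.add(name)
            names.append(name)
    return names


def rpz_ip_name(cidr):
    """Encode a CIDR as an RPZ IP-trigger owner name.
    IPv4 192.0.2.0/24  -> 24.0.2.0.192.rpz-ip     (prefix length, then octets reversed)
    IPv6 2001:db8::/32 -> 32.zz.db8.2001.rpz-ip   ('zz' stands for the '::' gap)"""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 4:
        parts = str(net.network_address).split(".")
    else:
        parts = net.network_address.compressed.replace("::", ":zz:").strip(":").split(":")
    return f"{net.prefixlen}." + ".".join(reversed(parts)) + ".rpz-ip"


def build_rpz_zone(zone, lists, nets, target, serial, ttl="2h"):
    """Return zone-file text: SOA/NS header, then per category a QNAME trigger
    for the apex plus a wildcard for every subdomain (a wildcard alone does not
    match the apex), then IP triggers with the DROP action."""
    listed = {n for t in lists.values() for n in parse_list(t)}
    if target.rstrip(".").lower() in listed:
        raise ValueError("walled-garden target must not itself be listed (it would loop)")
    out = [f"$TTL {ttl}", f"$ORIGIN {zone}.",
           f"@\tSOA\tns.{zone}. hostmaster.{zone}. ( {serial} 12h 15m 3w 2h )",
           f"\tNS\tns.{zone}.\t; NS is mandatory but is never queried"]
    emitted = set()   # a name in two categories must not yield duplicate records
    for category in sorted(lists):
        out.append(f"; category {category}: QNAME trigger, Local-Data action")
        for name in parse_list(lists[category]):
            if name in emitted:
                continue
            emitted.add(name)
            out.append(f"{name}\tCNAME\t{target}.")
            out.append(f"*.{name}\tCNAME\t{target}.")
    out.append("; IP triggers, DROP action")
    for cidr in nets:
        out.append(f"{rpz_ip_name(cidr)}\tCNAME\trpz-drop.")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_rpz_zone("rpz.example.com", SAMPLE_LISTS, SAMPLE_NETS,
                         "explanation.example.com", serial=2024010101))
```

Bump the serial on every regeneration, then `rndc reload rpz.example.com` picks up the new file without a restart; if the walled-garden name ever appears in an acquired list the generator refuses to run rather than produce a zone that redirects the explanation page to itself.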

5 RPZ User Selection

Limit the options:
- Existing lists have ~20 categories; the number of possible combinations grows exponentially with the category count
- Offer 5 or 6 viable options or sets

Multiple DNS servers:
- Potentially expensive (multiple VMs)
- The only configuration change is on the user side (the IP address of the DNS service)

Single server using view clauses:
- Rewrite the match-clients statement when the user changes selection (rndc reconfig or BIND restart)
- No user configuration change

Both methods allow progressive migration.

6 DNS RPZ Intro: BIND Configuration

7 Module Objectives

Introduction to BIND's configuration file named.conf:
- Format and layout
- Clauses and Statements
- named.conf major Clauses
- named.conf Statements overview
- view Clause
- zone Clause
- logging Clause
- Open and Closed Resolver Configuration

8 BIND Configuration

named.conf controls operational features. Location:
- Linux: /etc/named.conf or /etc/bind/named.conf
- BSD: /usr/local/etc/named.conf
- Windows: C:\Program Files\ISC BIND 9\etc\named.conf

9 BIND named.conf

Contains 3 types of information:
- Comments
- Clauses: collections of statements
- Statements: individual statements within clauses

Plus include: in-situ inclusion of separate files (used for administration and for keeping key material out of the main file).

10 BIND – named.conf Comments

    /* C-style comment format needs opening and closing markers
    ** but allows multiple lines or */
    /* single lines or */
    zone /* in-line comment */ in { some zone statements; };
    // C++-style comments have a single-line format, no closing required
    ...some statement;   // comment ends this line
    # SHELL/PERL-style comments are single lines, no closing required
    some statement;      # comment ends this line

11 BIND – named.conf Clauses

- acl: Access Control Lists
- controls: remote access (rndc)
- logging: controls logging features
- options: global options
- view: allows separate configurations in the same server
- zone: defines the zones that are supported
- key: used for security data (typically pulled in with include)

12 BIND – Statements

- Over 120 statements available
- Many are valid in one or more clauses
- Some are valid in only a single clause
- Pro DNS and BIND classifies them as: Transfer, Query, Operations, Security

13 BIND – Typical named.conf

    // change log
    // 1. changed by M.E. on 24th January
    acl "name" {
        ...        // acl clauses, if present, generally come first
                   // to avoid forward references
    };
    key "name" {
        ...        // key clauses, if present, must appear
                   // before they are referenced
    };
    logging {
        ...        // requires at least a file statement
                   // unless using syslog
    };             // otherwise clause order is not important with BIND 9
    options {
        ...        // other statements (as required)
    };
    // zone clauses, including the 'required' zones
    zone {
        ....
    };

14 BIND – View named.conf

    options {
        // global options
        // other statements as required
    };
    view "first" {
        // view-specific statements (options)
        // view-specific zone clauses,
        // including required zones
        zone {
            .....
        };
    };   // end of view "first"
    view "second" {
        ...
    };   // end of view "second"

15 BIND – View Clause

Each view clause is matched to incoming queries using:
- match-clients
- match-destinations
- match-recursive-only

View clause order is important:
- Views are tested in the order in which they are defined; the first match wins
- Unmatched queries fall through to the next view clause
- A query that matches no view at all is refused by named (REFUSED)

16 BIND – View Clause Use

- Mixed local/public IPs: external (public hosts), internal (local hosts)
- Mixed services: internal caching, external authoritative
- RPZ user policy selection: match-clients selects the set of RPZ zone files
- Split horizons: different IPs see different sources

17 BIND – view clause match statements

    match-clients { address_match_element; ... };
    // first matching element decides, so a negated (!) element must come
    // before the positive element it carves out of
    match-clients { /8; /16; ! /16; };
    match-destinations { address_match_element; ... };
    match-destinations { ; };
    match-recursive-only ( yes | no );
    match-recursive-only yes;

18 BIND – Match combined

A match list that contains only negated elements matches nobody: when the negation does not apply the list is exhausted without a positive match, so an explicit any; is needed after the exclusion.

    // named.conf fragment
    view "recursive-external" {
        match-clients { ! /24; any; };
        match-recursive-only yes;
        // other view statements
        zone "example.com" in {
            ....
        };
    };
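The view-selection rules from the last few slides (tested in order, first match wins, negation, match-recursive-only, REFUSED when nothing matches) as an added example that models named's behaviour; it is not code from the presentation. The view names, the RPZ zone names attached to each view and the addresses 192.0.2.0/24 and 203.0.113.0/24 are illustrative assumptions:

```python
"""Model of how named picks a view for a query.

Added example, not from the presentation. View names, RPZ zone names and
addresses are illustrative assumptions."""
import ipaddress
from dataclasses import dataclass, field


class AddressMatchList:
    """BIND address_match_list semantics: elements are tested in order and the
    first element that matches decides; a '!' element that matches yields a
    non-match; a list in which nothing matches is a non-match."""

    def __init__(self, elements):
        self.elements = []
        for raw in elements:
            text = raw.strip()
            negate = text.startswith("!")
            text = text.lstrip("!").strip()
            if text in ("any", "none", "localhost"):
                self.elements.append((negate, text))
            else:
                self.elements.append((negate, ipaddress.ip_network(text, strict=False)))

    def matches(self, ip):
        addr = ipaddress.ip_address(ip)
        for negate, element in self.elements:
            if element == "any":
                hit = True
            elif element == "none":
                hit = False
            elif element == "localhost":
                hit = addr.is_loopback
            else:
                hit = addr.version == element.version and addr in element
            if hit:
                return not negate
        return False


@dataclass
class View:
    name: str
    match_clients: AddressMatchList = field(default_factory=lambda: AddressMatchList(["any"]))
    match_destinations: AddressMatchList = field(default_factory=lambda: AddressMatchList(["any"]))
    match_recursive_only: bool = False
    rpz_zones: tuple = ()   # the RPZ zone set this view's response-policy would name

    def accepts(self, client_ip, dest_ip, rd):
        if self.match_recursive_only and not rd:
            return False
        return self.match_clients.matches(client_ip) and self.match_destinations.matches(dest_ip)


def select_view(views, client_ip, dest_ip, rd=True):
    """Views are tried in named.conf order; the first match wins. None models
    what named does when no view matches: the query is REFUSED."""
    for view in views:
        if view.accepts(client_ip, dest_ip, rd):
            return view
    return None


# Constructed named.conf equivalent:
#   view "internal" { match-clients { 192.0.2.0/24; localhost; }; ... }   -> RPZ set "rpz-strict"
#   view "external" { match-clients { !192.0.2.0/24; any; }; match-recursive-only yes; ... } -> "rpz-basic"
VIEWS = [
    View("internal", AddressMatchList(["192.0.2.0/24", "localhost"]), rpz_zones=("rpz-strict",)),
    View("external", AddressMatchList(["!192.0.2.0/24", "any"]),
         match_recursive_only=True, rpz_zones=("rpz-basic",)),
]

if __name__ == "__main__":
    for client, rd in (("192.0.2.10", True), ("203.0.113.5", True), ("203.0.113.5", False)):
        chosen = select_view(VIEWS, client, "192.0.2.53", rd)
        print(client, "RD" if rd else "no-RD", "->", chosen.name if chosen else "REFUSED")
```

The two match lists in the test below that differ only in element order give opposite answers for 192.0.2.1; that ordering trap is the same one that makes a negation-only list match nobody.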

19 BIND Logging

- Default: syslog (*nix) or MS Events (Windows)
- The logging clause is very powerful (complex!)
- Single or multiple files (channels)
- Type of output (category)
- Severity of message

20 BIND Logging Clause

    logging {
      [ channel channel_name {
          ( file path_name [ versions ( number | unlimited ) ] [ size size_spec ]
            | syslog syslog_facility
            | stderr
            | null );
          [ severity ( critical | error | warning | notice | info | debug [ level ] | dynamic ); ]
          [ print-category yes | no; ]
          [ print-severity yes | no; ]
          [ print-time yes | no; ]
      }; ]
      [ category category_name {
          channel_name; [ channel_name; ... ]
      }; ]
      ...
    };

21 BIND RPZ Logging Example

    // log to /var/log/named/default.log all events from
    // info UP in severity (no debug)
    // uses 3 files in rotation; swaps files when size reaches 250K
    logging {
        channel default_log {
            file "/var/log/named/default.log" versions 3 size 250k;
            severity info;
            // file channels carry no timestamps unless print-time yes; is set
        };
        channel named-rpz {
            // change path as appropriate
            file "/var/named/rpz.log" versions 3 size 250k;
        };
        category rpz { named-rpz; };
        category default { default_log; };
    };

22 BIND – zone Clause

Defines the zones to be supported:
- Authoritative zones
- Root-server zone (hints)
- RPZ zones
- Special zones: loopback address (forward/reverse), local IPs (RFC reverse map), IPv4/IPv6 as required

23 BIND – Required zones

Resolver (caching name server):
- Root-servers (hints)
- Loopback (forward/reverse)
- Local IPs (IPv4/IPv6)
- RPZ zones

Authoritative DNS:
- Zones supported
- Maybe loopback (forward/reverse)

24 BIND – Resolver (caching) zones

    // required zone for recursive queries
    zone "." {
        type hint;
        file "root.servers";
    };
    // required local host domain
    zone "localhost" in {
        type master;
        file "master.localhost";
        allow-update { none; };
    };
    // localhost reverse map
    zone " IN-ADDR.ARPA" in {
        type master;
        file "localhost.rev";
        allow-update { none; };
    };
    // reverse map for local addresses at example.com
    // (address used for illustration)
    zone " IN-ADDR.ARPA" in {
        type master;
        file "view/ rev.internal";
        allow-update { none; };
    };

25 BIND – Authoritative zones

    // required zone for authoritative queries
    zone "example.com" {
        type master;
        // private zone file including local hosts
        file "master.example.com";
        allow-update { none; };
    };
    // required local host domain
    zone "localhost" in {
        type master;
        file "master.localhost";
        allow-update { none; };
    };
    // localhost reverse map
    zone " IN-ADDR.ARPA" in {
        type master;
        file "localhost.rev";
        allow-update { none; };
    };

26 RPZ and rndc

rndc is the remote management tool for BIND:
- rndc addzone zone [class [view]] config: adds a zone at run time; enabled by the allow-new-zones yes; statement
- rndc delzone [-clean] zone [class [view]]
- rndc modzone zone [class [view]] config
- rndc reconfig: re-reads named.conf and loads any new zones, but does not reload existing zones
- rndc reload zone [class [view]]: reloads a single zone; the way to pick up an updated RPZ zone file without a restart
- rndc reload: re-reads named.conf and reloads all zones
- rndc refresh zone [class [view]]: schedules immediate maintenance of a slave (secondary) zone, i.e. an SOA serial check and transfer from the master; useful when RPZ zones are distributed master/slave

27 RPZ Statements

- response-policy statement
- in-view statement

28 in-view Statement

- in-view viewname;
- zone clause only
- Allows a single instance of a zone to be shared by multiple views
- The shared zone must be defined first (backward reference only)
- BIND 9.11 (the latest release at the time of the presentation) documents that an in-view zone cannot be used as an RPZ zone

29 RPZ response-policy Statement

- Global (options) or view-based statement
- Triggers RPZ functionality
- Also a diagnostic aid: with policy disabled, hits are logged but not applied

30 RPZ response-policy Statement

    response-policy {
        zone zone-name
          [ policy ( given | disabled | passthru | drop | nxdomain | nodata | tcp-only | cname domain-name ) ]
          [ recursive-only yes_or_no ]
          [ max-policy-ttl number ];
        ...
    }
      [ recursive-only yes_or_no ]
      [ max-policy-ttl number ]
      [ break-dnssec yes_or_no ]
      [ min-ns-dots number ]
      [ qname-wait-recurse yes_or_no ];

    # example
    response-policy { zone "dontlike"; zone "likeless" policy disabled; } recursive-only yes;

31 RPZ response-policy Statement

- zone: up to 32 zones supported
- Parameters may be applied per zone (inside the zone's braces) or globally (outside the zone braces)
- policy given: (default) use the Policy Actions defined in the zone file
- policy disabled: apply nothing, but log every Policy Action that would have fired (to the rpz category)
- policy passthru, nxdomain, tcp-only, drop, nodata, cname name: override all Policy Actions in the zone file(s) with the defined action

32 RPZ response-policy Statement

- recursive-only yes|no: yes (default) applies RPZ only to recursive queries (RD set, from clients); no applies it to all queries (iterative and recursive)
- max-policy-ttl seconds: by default RPZ responses are cached for 5 seconds; the statement can raise this to any defined value, but excessive values slow the propagation of RPZ zone file changes
- break-dnssec yes|no: yes applies RPZ to DNSSEC-validated responses (signed zones); no (default) leaves signed responses untouched, so a signed domain cannot be rewritten without breaking validation

33 RPZ response-policy Statement

- min-ns-dots number: minimum number of dots a name server name must contain before the NSDNAME and NSIP triggers are checked (default 1); it does not affect QNAME triggers. With the default, name servers under example.com or mail.example.com are checked but a TLD such as com is not; min-ns-dots 0 checks everything
- qname-wait-recurse yes|no: can only appear in the global section (not per zone) and only affects QNAME Policy Triggers
  - yes (default): recurse first, then apply the Policy Action to the response
  - no: apply a QNAME hit as soon as the query is received, suppressing the upstream query; faster and leaks nothing upstream, but IP, NSDNAME and NSIP triggers cannot fire for that name because no response is ever fetched
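The evaluation order that slides 30 to 33 describe (zones consulted in response-policy order, QNAME before IP triggers, longest prefix among rpz-ip records, and the per-zone policy override with policy disabled logging but not rewriting) as an added model in code, not the presentation's code and not BIND's implementation; it covers only the QNAME and IP trigger types the slides discuss, and the zone contents, addresses and zone names are constructed to mirror the response-policy example on slide 30:

```python
"""Model of RPZ policy evaluation for QNAME and IP triggers.

Added example, not the presentation's code. Zone contents and addresses
are constructed; the two zones mirror
response-policy { zone "dontlike"; zone "likeless" policy disabled; }."""
import ipaddress
from dataclasses import dataclass

SPECIAL_TARGETS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-drop.": "DROP",
                   "rpz-passthru.": "PASSTHRU", "rpz-tcp-only.": "TCP-ONLY"}


@dataclass
class RpzZone:
    name: str
    records: list            # (owner relative to the zone apex, rdata)
    policy: str = "given"    # per-zone override from the response-policy statement


def decode_action(rdata):
    """(action, local-data): special CNAME targets encode the non-data
    actions, anything else is Local-Data."""
    rtype, _, target = rdata.partition(" ")
    if rtype == "CNAME" and target in SPECIAL_TARGETS:
        return SPECIAL_TARGETS[target], None
    return "LOCAL-DATA", rdata


def decode_rpz_ip(owner):
    """Inverse of the IP-trigger encoding prefixlen.<reversed address>.rpz-ip."""
    labels = owner.split(".")
    prefixlen, parts = int(labels[0]), labels[1:-1]
    parts.reverse()
    if len(parts) == 4 and all(p.isdigit() for p in parts):    # dotted quad
        address = ".".join(parts)
    else:                                                      # IPv6, 'zz' is '::'
        text = ":".join("" if p == "zz" else p for p in parts)
        if text.startswith(":") and not text.startswith("::"):
            text = ":" + text
        if text.endswith(":") and not text.endswith("::"):
            text += ":"
        address = text or "::"
    return ipaddress.ip_network(f"{address}/{prefixlen}", strict=False)


def qname_trigger(zone, qname):
    """Exact owner beats wildcard, longest wildcard beats shorter ones, and
    *.example.org does not match example.org itself."""
    q = qname.lower().rstrip(".")
    best = None
    for owner, rdata in zone.records:
        if owner.endswith(".rpz-ip"):
            continue
        if owner == q:
            return decode_action(rdata)
        if owner.startswith("*.") and q.endswith(owner[1:]):
            if best is None or len(owner) > len(best[0]):
                best = (owner, rdata)
    return decode_action(best[1]) if best else None


def ip_trigger(zone, answer_ips):
    """Longest matching prefix among rpz-ip records wins."""
    best = None
    for owner, rdata in zone.records:
        if not owner.endswith(".rpz-ip"):
            continue
        net = decode_rpz_ip(owner)
        for ip in answer_ips:
            addr = ipaddress.ip_address(ip)
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0]:
                    best = (net.prefixlen, decode_action(rdata))
    return best[1] if best else None


def apply_policy(zone, action):
    """'given' keeps the zone's own action, 'disabled' logs the hit but
    rewrites nothing (None), any other value replaces the action."""
    if zone.policy == "given":
        return action
    if zone.policy == "disabled":
        return None
    if zone.policy.startswith("cname "):
        return "LOCAL-DATA", "CNAME " + zone.policy.split()[1]
    return zone.policy.upper(), None


def resolve_policy(zones, qname, answer_ips=()):
    """Zones are consulted in response-policy order and the first zone with a
    matching trigger decides; inside a zone QNAME is checked before IP.
    Returns (zone name, triggered action, action after the policy override)."""
    for zone in zones:
        hit = qname_trigger(zone, qname) or ip_trigger(zone, answer_ips)
        if hit:
            return zone.name, hit, apply_policy(zone, hit)
    return None


ZONES = [   # constructed contents of the two RPZ zone files
    RpzZone("dontlike", [
        ("example.org", "CNAME explanation.example.com."),
        ("*.example.org", "CNAME explanation.example.com."),
        ("bad.example.net", "CNAME ."),
        ("24.0.2.0.192.rpz-ip", "CNAME rpz-drop."),        # 192.0.2.0/24: DROP
        ("32.10.2.0.192.rpz-ip", "CNAME rpz-passthru."),   # 192.0.2.10: exempted
    ]),
    RpzZone("likeless", [
        ("*.example.org", "CNAME ."),                      # shadowed by dontlike
        ("weird.example.net", "CNAME *."),
    ], policy="disabled"),
]

if __name__ == "__main__":
    for q, ips in (("www.example.org", []), ("weird.example.net", ["192.0.2.10"]),
                   ("weird.example.net", ["198.51.100.7"]), ("www.example.com", [])):
        print(q, ips, "->", resolve_policy(ZONES, q, ips))
```

The triggered action is returned alongside the final one because that is what the rpz log category records even when policy disabled suppresses the rewrite; comparing the two columns is the cheapest way to dry-run a new zone before enabling it.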

34 BIND – Closed Resolver

Open caching DNS (resolver):
- Can be abused in reflection/amplification DDoS attacks
- BIND defaults to recursion yes;

Closed caching DNS (resolver):
- Limit the IPs allowed to recurse: use allow-recursion { x.x.x.x; };
- From BIND 9.4, if no limits are set, the default is allow-query-cache { localnets; localhost; };
- Relying on the implicit default is poor practice: state the limits explicitly

35 BIND – OPEN Resolvers

36 BIND Closed Resolver

The fragments below are alternatives for the options clause; pick the one that fits the server's role.

    # Authoritative only: inhibit all recursion
    recursion no;

    # Any resolver (caching) function
    recursion yes;    // the default!
    # use an appropriate local address scope statement
    # to limit recursion requests to local users
    allow-recursion { /24; };    // change IPs as required
    # OR, if the DNS server's IPs and netmasks cover the whole
    # local network, you can use:
    allow-recursion { "localnets"; };
    # OR, for a personal system, hard limits on listening
    listen-on { ; };             // or listen-on { localhost; };
    listen-on-v6 { ::1; };       // or listen-on-v6 { localhost; };
    # OR
    allow-recursion { "localhost"; };

37 DNS RPZ Intro: RPZ Exercise
Lecturer: Ron Aitchison

