Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secured Dynamic Updates. Caution Portions of this slide set present features that do not appear in BIND until BIND 9.3 –Snapshot code is available for.

Published byDorthy Griffin Modified over 8 years ago

Similar presentations

Presentation on theme: "Secured Dynamic Updates. Caution Portions of this slide set present features that do not appear in BIND until BIND 9.3 –Snapshot code is available for."— Presentation transcript:

1 Secured Dynamic Updates

2 Caution Portions of this slide set present features that do not appear in BIND until BIND 9.3 –Snapshot code is available for this BIND 9.2 can perform most of the dynamic update features

3 Outline Dynamic Update Basics Setting Up A Dynamic Zone Tools Securing It Authorization Configuration Playing with Update Commands Interactions with DHCP

4 Getting Data Into DNS Network Database Primary NS $origin z. @ soa ns ro ns ns1. ns a 1.1.1.1 Zone File Secondary NS AXFR Dynamic Update

5 Advantages of Dynamic Updates Change DNS data quickly Make changes from anywhere No need to reload whole zone Data becomes more current

6 Uses of Dynamic Update Adding a new delegation to a large zone –Cut down on reload times Conference attendees –Laptops can use same name, new IP

7 Risks of Dynamic Update Authoritative servers listen to the network for data Authorization checks needed before accepting a request Server risks being tied up with updates Dynamic zones are hard to edit via "the old ways"

8 Other Considerations Once a zone goes dynamic, it is hard to edit Mixing dynamic data and critical static data is a bad idea, even neglecting security concerns This isn't meant to scare you from dynamic update, but to alert you

9 "Secure" Dynamic Update Secure refers to the safety of the update requests –Only the right clients will be able to get data into the zone Limitations on the term "secure" –Won't stop anyone issuing bad requests –Doesn't address DNSSEC, adding digital signatures to the zone

10 Tools In order to do any of this, we need tools (software) All are part of a BIND 9 distribution –named - the server, concentrating on conf file –dig - a query/response tool –nsupdate - issues dynamic update messages –rndc - remote name server daemon control –dnssec-keygen - makes the keys needed

11 A static zone zone "myzone.example." { type master; file "myzone.example."; allow-transfer { any; }; };

12 Adding a dynamic zone zone "myzone.example." { type master; file "myzone.example."; allow-transfer { any; }; }; zone "dynamic.myzone.example." { type master; file "dynamic.myzone.example."; allow-transfer { any; }; allow-update { any; }; }; //note: on-line slide is different

13 dynamic.myzone.example > cat db.dynamic.myzone.example $ORIGIN dynamic.myzone.example. $TTL 1d ; 1 day @ IN SOA ns1root( 1 ; serial 30m ; refresh (30 minutes) 15m ;retry (15 minutes) 19h ;expire (19h12m) 18min;minimum (18min) ) NS ns1.myzone.example

14 Journal Files Once a dynamic zone begins running –A journal file (.jnl) is created when the first dynamic update has been made –This binary, non-text file maintains all updates in recent times –Updates aren't immediately reflected in the original, but they are eventually –Journal entries are written to the zone file at server shutdown (and on demand)

15 dig Basic debugging aid dig @server domain.name type Used to verify that change has been made Used to verify that SOA number increments

16 dig examples > dig @127.0.0.1 version.bind chaos txt > dig @127.0.0.1 myzone.example. soa +multiline > dig @127.0.0.1 dynamic.myzone.example. soa

17 nsupdate Generates updates based upon user input Used to make requested updates

18 nsupdate example % nsupdate > server 127.0.0.1 > zone dynamic.myzone.example. > update add alu.dynamic.myzone.example. 600 A192.168.160.1 > update add dynamic.myzone.example. 600 MX 10 alu > send > quit Just to check our work... % dig @127.0.0.1 alu.dynamic.myzone.example. A % dig @127.0.0.1 dynamic.myzone.example. MX

19 rndc "Remote" management of server, usually across 127.0.0.1 Used to stop, reload server Used to freeze and unfreeze dynamic zone { available in BIND 9.3 }

20 rndc examples % rndc -c rndc.conf status % rndc -c rndc.conf reload % rndc -c rndc.conf freeze dynamic.myzone.example % rndc -c rndc.conf unfreeze dynamic.myzone.example % rndc -c rndc.conf stop NOTE: "freeze" and "unfreeze" are introduced in BIND 9.3

21 dnssec-keygen Simple tool to generate keys Used for DNSSEC too Used here to generate TSIG keys Used also to generate SIG(0) keys - in version 9.3

22 dnssec-keygen tsig example % dnssec-keygen -a HMAC-MD5 -b 128 -n host sample.tsig.key Ksample.tsig.key.+157+02308 % ls Ksample* Ksample.tsig.key.+157+02308.key Ksample.tsig.key.+157+02308.private

23 dnssec-keygen sig(0) example % dnssec-keygen -a RSA -b 512 -n host sample.tsig.key Ksample.tsig.key.+001+18681 % ls Ksam* Ksample.tsig.key.+001+18681.key Ksample.tsig.key.+157+02308.key Ksample.tsig.key.+001+18681.private Ksample.tsig.key.+157+02308.private

24 "Secured" Dynamic Update Limited to the security of the requests Dynamic Updates to a DNSSEC zone is a work in progress Two steps –Identify and authenticate the updater –Determine if updater is authorized

25 Steps Create a separate zone for dynamic updates –(Done) Configure keys Configure policy

26 Configuring Keys Two styles –TSIG - shared secret –SIG (0) - public key TSIG –works in 9.2, secret needed in named.conf (or “include”) and in client SIG(0) –needs 9.3, public key listed in the zone file (not in named.conf) and private key in client

27 TSIG keys Issue: Naming the key –Name is arbitrary, but must be consistent between the named.conf and client –There is an advantage to making it the same as a domain in the zone To test the keys, turn on key-based authorization of AXFR - just for testing

28 Making TSIG keys dnssec-keygen -a HMAC-MD5 -b 128 -n host \ slave1.dynamic.myzone.example. dnssec-keygen -a HMAC-MD5 -b 128 -n host \ slave2.dynamic.myzone.example. ls: Kslave1.dynamic.myzone.example.+157+42488.key Kslave1.dynamic.myzone.example.+157+42488.private Kslave2.dynamic.myzone.example.+157+57806.key Kslave2.dynamic.myzone.example.+157+57806.private

29 Adding TSIG to named.conf key “slave1.dynamic.myzone.example." { algorithm HMAC-MD5; secret "sd7qi6tiw+N5fK3mGNDNJU9TwIju+1ye7r2shgfkxIg="; }; key “slave2.dynamic.myzone.example." { algorithm HMAC-MD5; secret "KXMoZHZIIxVsxKp4aUp6YTy3EswUN9CeDEpneJDOgVM= "; };

30 Configuring TSIG AXFR Just so we can see that the keys work zone "dynamic.myzone.example." { type master; file "dynamic.myzone.example."; allow-transfer { key slave1.dynamic.myzone.example.; key slave2.dynamic.myzone.example.; }; allow-update { 127.0.0.1; }; };

31 Testing with dig Fails: % dig @127.0.0.1 dynamic.myzone.example. axfr Succeeds: % dig @127.0.0.1 dynamic.myzone.example. axfr -y slave1.dynamic.myzone.example.:KXMoZHZIIxVsxKp4aU p6YTy3EswUN9CeDEpneJDOgVM= This shows that the TSIG key is properly configured in named.conf

32 Key based dynamic updates (TSIG) zone "dynamic.myzone.example." { type master; file "dynamic.myzone.example."; allow-transfer { key slave1.dynamic.myzone.example.; key slave2.dynamic.myzone.example.; }; allow-update { key user1.dynamic.myzone.example.; key user2.dynamic.myzone.example.; };

33 "Keying" nsupdate The next three slides show different ways to add key information to nsupdate –first hides key from "ps -aux" by entering it interactively –second hides it by referencing the file it is in –last puts the secret on the command line

34 Keyed nsupdate #1 % nsupdate > zone dynamic.myzone.example. > server 127.0.0.1 > key user1.dynamic.myzone.example. sd7qi6tiw+N5fK3mGNDNJU9TwIju+1ye7r2shgfkxIg= > update add puri.dynamic.myzone.example. 600 A 192.168.50.1 > send % dig @127.0.0.1 puri.dynamic.myzone.example A

35 Keyed nsupdate #2 % nsupdate -k Kuser1.dynamic.myzone.example.+157+57806. > zone dynamic.myzone.example. > server 127.0.0.1 > update add alu.dynamic.myzone.example. 900 A 192.168.50.2 > Send % dig @127.0.0.1 alu.dynamic.myzone.example A

36 Keyed nsupdate #3 % nsupdate -y Kuser1.dynamic.myzone.example.:sd7qi6tiw+N5fK3mGNDNJU 9TwIju+1ye7r2shgfkxIg= > zone dynamic.myzone.example. > server 127.0.0.1 > update add palak.dynamic.myzone.example. A 90 192.168.50.2 > send % dig @127.0.0.1 palak.dynamic.myzone.example. A

37 Interaction with DHCP See the following URL for in-depth information –http://ops.ietf.org/dns/dynupd/secure- ddns-howto.htmlhttp://ops.ietf.org/dns/dynupd/secure- ddns-howto.html

38 How DHCP and DynUp Look Mirchi.net. 32.7.275.in-addr.arpa. leases for 275.7.32.0-127 DNS DHCP apnic16.apnic.net 32.43.320.in-addr.arpa. leases for 320.43.32.0-127 DNS DHCP Home @APNIC 16 chawla.mirchi.net

39 How This Happens, part 1 Host has a TSIG/SIG(0) to update the entry chawla.mirchi.net. A 275.7.32.17 Home DHCP can change 32.7.275.in- addr.arpa. (via TSIG/SIG(0)) 17.32.7.275.in-addr.arpa PTR chawla.mirchi.net. APNIC16 DHCP can change 32.43.320.in- addr.arpa. 17.32.43.320.in-addr.arpa PTR chawla.mirchi.net.

40 At Lease Change Time When releasing home address –Home DHCP removes the PTR record –Host alters/removes its A RR –Done via scripts (depends on DHCP software) When gaining APNIC 16 lease –APNIC 16 DHCP adds a PTR record –Host registers an A RR with the home server

41 Questions?

Download ppt "Secured Dynamic Updates. Caution Portions of this slide set present features that do not appear in BIND until BIND 9.3 –Snapshot code is available for."

Similar presentations

ITR3 lecture 9: DNS, mail, rsync Thomas Krichel 2002-11-05.

ITR3 lecture 9: DNS, mail, rsync Thomas Krichel
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
1 Dynamic DNS. 2 Module - Dynamic DNS ♦ Overview The domain names and IP addresses of hosts and the devices may change for many reasons. This module focuses.

1 Dynamic DNS. 2 Module - Dynamic DNS ♦ Overview The domain names and IP addresses of hosts and the devices may change for many reasons. This module focuses.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 6 Managing and Administering DNS in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 6 Managing and Administering DNS in Windows Server 2008.
School of Electrical Engineering and Computer Science, 2004 Slide 1 Autonomic DNS Experiment Architecture, Symptom and Fault Identification.

School of Electrical Engineering and Computer Science, 2004 Slide 1 Autonomic DNS Experiment Architecture, Symptom and Fault Identification.
Web Server Administration

Web Server Administration
2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.

2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.
Web Server Administration Chapter 4 Name Resolution.

Web Server Administration Chapter 4 Name Resolution.
Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.

Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.
DNS Session 4: Delegation and reverse DNS Joe Abley AfNOG 2006 workshop.

DNS Session 4: Delegation and reverse DNS Joe Abley AfNOG 2006 workshop.
DNS Domain Name System –name servers –Translates FDQN to IP address List of fully qualified domain names (FDQN) and their IP addresses, FDQN has three.

DNS Domain Name System –name servers –Translates FDQN to IP address List of fully qualified domain names (FDQN) and their IP addresses, FDQN has three.
DNS. DNS is a network service that enables clients to resolve names to IP address and vice-versa. Allows machines to be logically grouped by domain names.

DNS. DNS is a network service that enables clients to resolve names to IP address and vice-versa. Allows machines to be logically grouped by domain names.
1 DNS. 2 BIND DNS –Resolve names to IP address –Resolve IP address to names (reverse DNS) BIND –Berkeley Internet Name Domain system Version 4 is still.

1 DNS. 2 BIND DNS –Resolve names to IP address –Resolve IP address to names (reverse DNS) BIND –Berkeley Internet Name Domain system Version 4 is still.
The Domain Name System. CeylonLinux DNS concepts using BIND 2 Hostnames IP Addresses are great for computers –IP address includes information used for.

The Domain Name System. CeylonLinux DNS concepts using BIND 2 Hostnames IP Addresses are great for computers –IP address includes information used for.
Chapter 4 - Lab DNS Configuration in Linux.  DNS Configuration in Linux Projects 4-1 through 4-3 Projects 4-4 deals with multiple domains  DNS Configuration.

Chapter 4 - Lab DNS Configuration in Linux.  DNS Configuration in Linux Projects 4-1 through 4-3 Projects 4-4 deals with multiple domains  DNS Configuration.
RNDC & TSIG. What is RNDC? Remote Name Daemon Controller Command-line control of named daemon Usually on same host, can be across hosts –Locally or remotely.

RNDC & TSIG. What is RNDC? Remote Name Daemon Controller Command-line control of named daemon Usually on same host, can be across hosts –Locally or remotely.
Domain Name System (DNS) Network Information Center (NIC) : HOSTS.TXT.

Domain Name System (DNS) Network Information Center (NIC) : HOSTS.TXT.
Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.

Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.
DNS & DHCP in the 21st Century William D. Kramp Network Administrator Finger Lakes Community College.

DNS & DHCP in the 21st Century William D. Kramp Network Administrator Finger Lakes Community College.

Similar presentations

Ads by Google