Transcript
© Men & Mice http://menandmice.com © ISC http://www.isc.org
BIND 9.11
• Catalog Zones
• new rndc functions
• dnssec-keymgr
• CDS/CDNSKEY auto generation
• Negative Trust Anchor
• DNS cookies
• Minimal “any”
BIND 9.11 License change
•BIND 9.11 is now licensed under the Mozilla Public License (MPL) https://en.wikipedia.org/wiki/Mozilla_Public_License
•previous versions of BIND 9 are licensed under the ISC License (a variation of the BSD License) https://en.wikipedia.org/wiki/ISC_license
•both licenses are "Open-Source" licenses
•this change has no impact on users of BIND 9 (including users of the Men & Mice Suite)
•it does have an impact on companies that include an adapted version of BIND 9 in their product offerings
Catalog Zones
•catalog zones are a way to provision DNS zones
•catalog zones are an Internet Draft (RFC "work in progress") in the IETF https://tools.ietf.org/html/draft-muks-dnsop-dns-catalog-zones
•a "proof-of-concept" implementation for PowerDNS exists
Catalog Zones
•a catalog zone works like a normal DNS zone
•it contains the names and configuration metadata of zones that should exist on a secondary server
•the catalog zone is maintained on the master server
• new zones added into the catalog zone on the master are also created on the secondaries receiving the same catalog zone
[Diagram, slides 7-14: provisioning a slave zone through a catalog zone, step by step]
1. Server with master zones and server with slave zones
2. Catalog zone (master), empty, created on the server with master zones
3. Catalog zone (slave), empty, created on the server with slave zones
4. Production zone (master) example.com created on the server with master zones
5. new production zone added to the catalog zone (master): the catalog zone now lists example.com
6. zone transfer: the catalog zone (slave) now lists example.com
7. production slave zone configuration is added by BIND: production zone (slave) example.com
8. zone transfer: the production zone (slave) example.com receives the zone data
Catalog Zones
•empty catalog zone
$TTL 60
@ IN SOA authoritative.example.com. hostmaster ( 1001 2h 20m 41d 1h )
  IN NS authoritative.example.com.
  IN NS secondary01.example.com.
(the NS names should be resolvable via DNS for notify to work)
Catalog Zones
•BIND 9 named.conf with catalog zone on the master server
options {
    directory "/etc/namedb";
    recursion no;
};
logging {
    channel transfer-log {
        file "transfer.log" size 200M versions 10;
        print-time yes;
    };
    category xfer-in { transfer-log; };
    category xfer-out { transfer-log; };
};
zone "catalog.example" {
    type master;
    file "catalog.example";
};
Catalog Zones
•start BIND 9 on the master
# named-checkconf -z
zone catalog.example/IN: loaded serial 1001
# named
# rndc status
version: BIND 9.11.0b3 <id:a23f742>
running on csmobile4.example.com: Linux x86_64 4.6.5-300.fc24.x86_64 #1 SMP Thu Jul 28 01:10:12 UTC 2016
boot time: Tue, 16 Aug 2016 07:29:05 GMT
last configured: Tue, 16 Aug 2016 07:30:49 GMT
configuration file: /etc/named.conf
CPUs found: 4
worker threads: 4
UDP listeners per interface: 3
number of zones: 2 (0 automatic)
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/900/1000
tcp clients: 0/150
server is up and running
Catalog Zones
• BIND 9 configuration on the secondary
options {
    directory "/etc/namedb";
    recursion no;
    allow-new-zones yes;                       // allow BIND 9 to dynamically add new zones
    catalog-zones {                            // definition of the catalog zone
        zone "catalog.example"
            zone-directory "cat-zones"         // directory for storing new slave zones
            in-memory no                       // write slave zone contents to disk
            default-masters { 172.22.1.196; }; // IP addresses of the default masters for new slave zones
    };
};
logging {
    channel transfer-log {
        file "transfer.log" size 200M versions 10;
        print-time yes;
    };
    category xfer-in { transfer-log; };
    category xfer-out { transfer-log; };
};
zone "catalog.example" {                       // catalog zone definition
    type slave;
    file "catalog.example";
    masters { 172.22.1.196; };
};
Catalog Zones
• adding the new zone to the BIND 9 server (Step 1)
# $EDITOR /etc/namedb/example.com
$TTL 1800
@ IN SOA authoritative.example.com. hostmaster 1001 2h 30m 41d 1h
  IN NS authoritative.example.com.
  IN NS secondary01.example.com.
authoritative IN A 172.22.1.196
secondary01 IN A 172.22.1.199
Catalog Zones
• adding the new zone to the BIND 9 server (Step 2)
# $EDITOR /etc/namedb/named.conf
options {
    directory "/etc/namedb";
    recursion no;
};
logging {
    channel transfer-log {
        file "transfer.log" size 200M versions 10;
        print-time yes;
    };
    category xfer-in { transfer-log; };
    category xfer-out { transfer-log; };
};
zone "example.com" {            // new zone configuration
    type master;
    file "example.com";
};
zone "catalog.example" {
    type master;
    file "catalog.example";
};
Catalog Zones
• adding the new zone to the BIND 9 server (Step 3)
# named-checkconf -z
zone example.com/IN: loaded serial 1001
zone catalog.example/IN: loaded serial 1001
Catalog Zones
• adding the new zone to the catalog zone
# echo -n "example.com" | openssl sha1
(stdin)= 0caaf24ab1a0c33440c06afe99df986365b0781f
# $EDITOR /etc/namedb/catalog.example
$TTL 60
; increment the SOA serial number
@ IN SOA authoritative.example.com. hostmaster 1002 ( 2h 20m 41d 1h )
  IN NS authoritative.example.com.
  IN NS secondary01.example.com.
; the sha1 hash identifies the new zone, the PTR maps the hash to the name of the zone
0caaf24ab1a0c33440c06afe99df986365b0781f.zones IN PTR example.com.
Catalog Zones
• BIND 9 log information shows the update of the catalog zone followed by a transfer of the new zone:
named[157]: client 172.22.1.196#60914: received notify for zone 'catalog.example'
named[157]: zone catalog.example/IN: notify from 172.22.1.196#60914: serial 1002
named[157]: zone catalog.example/IN: Transfer started.
named[157]: catz: updating catalog zone 'catalog.example' with serial 1002
named[157]: zone catalog.example/IN: transferred serial 1002
named[157]: zone catalog.example/IN: sending notifies (serial 1002)
named[157]: catz: adding zone 'example.com' from catalog 'catalog.example' - success
named[157]: zone example.com/IN: Transfer started.
named[157]: zone example.com/IN: transferred serial 1001
named[157]: zone example.com/IN: sending notifies (serial 1001)
the new zone is now available on the secondary
Catalog Zones
• catalog zones can contain configuration information for the new zone (details in the BIND 9 ARM):
$TTL 60
@ IN SOA authoritative.catalog.example. hostmaster 1002 2h 20m 41d 1h
  IN NS authoritative.example.com.
  IN NS secondary01.example.com.
0caaf24ab1a0c33440c06afe99df986365b0781f.zones IN PTR example.com.
; definition of the zone's master server(s)
masters.0caaf24ab1a0c33440c06afe99df986365b0781f.zones IN A 172.22.1.196
; access control list for zone transfer
allow-transfer.0caaf24ab1a0c33440c06afe99df986365b0781f.zones IN APL ( 1:172.22.1.196/32 1:172.22.1.199/32 )
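As an added illustration (not code from the slides or from BIND), the Python script below parses the catalog zone records shown above, the member PTR entry plus the masters and allow-transfer sub-records, and renders the equivalent slave zone stanza a secondary ends up with (BIND does this internally without writing named.conf). It also computes the member label with SHA-1 over the textual zone name exactly as the slide's openssl command does; the file name under the zone directory is an assumption.

```python
import hashlib

# Catalog zone text constructed from the records shown on the slides; the
# owner names are relative to the catalog zone origin "catalog.example".
CATALOG_TEXT = """\
$TTL 60
@ IN SOA authoritative.catalog.example. hostmaster 1002 2h 20m 41d 1h
  IN NS authoritative.example.com.
  IN NS secondary01.example.com.
0caaf24ab1a0c33440c06afe99df986365b0781f.zones IN PTR example.com.
masters.0caaf24ab1a0c33440c06afe99df986365b0781f.zones IN A 172.22.1.196
allow-transfer.0caaf24ab1a0c33440c06afe99df986365b0781f.zones IN APL ( 1:172.22.1.196/32
    1:172.22.1.199/32 )
"""


def member_label(zone):
    """SHA-1 of the textual zone name, as computed on the slide with
    `echo -n "example.com" | openssl sha1`."""
    return hashlib.sha1(zone.encode("ascii")).hexdigest()


def _records(text):
    """Yield one logical record per line as a token list, joining continuation
    lines inside ( ... ) and dropping ';' comments (master-file syntax)."""
    buf, depth = [], 0
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ").split()
            buf, depth = [], 0


def parse_catalog(text, origin="catalog.example"):
    """Return {zone: {"masters": [...], "allow_transfer": [...]}} for every
    member entry (<label>.zones IN PTR <zone>.) in the catalog zone."""
    members, props = {}, {}
    for fields in _records(text):
        if fields[0] in ("@", "IN") or fields[0].startswith("$"):
            continue  # SOA, owner-less NS records, $-directives
        owner = fields[0].removesuffix("." + origin + ".")
        if "IN" not in fields or not owner.endswith(".zones"):
            continue
        i = fields.index("IN")
        rtype, rdata = fields[i + 1], fields[i + 2:]
        labels = owner[: -len(".zones")].split(".")
        entry = props.setdefault(labels[-1], {"masters": [], "allow_transfer": []})
        if rtype == "PTR" and len(labels) == 1:
            members[labels[0]] = rdata[0].rstrip(".")
        elif rtype == "A" and labels[0] == "masters":
            entry["masters"].append(rdata[0])
        elif rtype == "APL" and labels[0] == "allow-transfer":
            # APL items are 1:addr/prefix (IPv4) or 2:addr/prefix (IPv6);
            # a leading "!" negates an item, and such items are left out here.
            entry["allow_transfer"] += [p.split(":", 1)[1] for p in rdata if p[0] in "12"]
    return {zone: props[label] for label, zone in members.items()}


def render_slave_zone(zone, entry, default_masters, zone_directory="cat-zones"):
    """Render a named.conf stanza equivalent to what BIND adds for a member zone.
    Masters from the catalog override default-masters; the file name is an assumption."""
    masters = entry["masters"] or default_masters
    lines = [f'zone "{zone}" {{', "    type slave;",
             f'    file "{zone_directory}/{zone}.db";',
             "    masters { " + " ".join(m + ";" for m in masters) + " };"]
    if entry["allow_transfer"]:
        acl = " ".join(a + ";" for a in entry["allow_transfer"])
        lines.append("    allow-transfer { " + acl + " };")
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    for zone, entry in parse_catalog(CATALOG_TEXT).items():
        print(render_slave_zone(zone, entry, ["172.22.1.196"]))
```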
Catalog Zones
• rndc zonestatus on a zone added via catalog zone:
# rndc zonestatus example.com
name: example.com
type: slave
files: cat-zones/__catz___default_catalog.example_example.com.db
serial: 1001
nodes: 3
last loaded: Thu, 18 Aug 2016 07:29:58 GMT
next refresh: Thu, 18 Aug 2016 07:52:54 GMT
expires: Mon, 26 Sep 2016 07:54:36 GMT
secure: no
dynamic: no
reconfigurable via modzone: yes
(the "files" line shows the backup file; "next refresh" and "expires" show the zone expiry information for slave zones)
read-only rndc
•an rndc control channel can be configured "read-only"
•all "destructive" rndc commands are blocked ("reload", "reconfigure", "stop", "addzone", "delzone" etc.)
•multiple control channels can be configured
•each should have a unique "tsig" key for authentication
key "rndc-key" {
    algorithm hmac-md5;
    secret "ikRtqFL52Inn+7wCE0Bb9A==";
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; } read-only yes;
};
Zone provisioning with rndc
•in previous BIND 9 versions it was already possible to dynamically add/remove zones to a running configuration with rndc addzone and rndc delzone
•zone configurations added with rndc addzone can now be changed dynamically with rndc modzone
•rndc delzone can now also remove zones that are configured in named.conf
# rndc delzone example.com
zone 'example.com' is no longer active and will be deleted.
To keep it from returning when the server is restarted, it must also be removed from named.conf.
rndc zonestatus
•rndc can now display detailed information about a configured zone
# rndc zonestatus example.com
name: example.com
type: master
files: example.com
serial: 1001
nodes: 3
last loaded: Thu, 18 Aug 2016 07:25:06 GMT
secure: no
dynamic: no
reconfigurable via modzone: no
python rndc
•BIND 9.11 contains a Python library to access the rndc control channel from within Python programs
•applications written in Python can make use of rndc functions (addzone, manage keys, sign zones etc.)
dnssec-keymgr
•dnssec-keymgr is a new tool written in Python to manage DNSSEC keys (and the key rollover)
•the tool reads a policy file (${SYSCONFDIR}/policy.conf) and creates new ZSKs/KSKs based on the defined policies
•policies can be defined globally, per algorithm and per zone
•policies can inherit settings from a global policy definition
dnssec-keymgr
•dnssec-keymgr example policy configuration
policy default-dnssec {
    directory "/etc/namedb/keys";
    algorithm rsasha256;
    key-size zsk 2048;
    key-size ksk 2560;
    pre-publish zsk 1w;
    post-publish zsk 2w;
    roll-period zsk 2mo;
    roll-period ksk 0;
    coverage 364d;
};
zone example.com {
    policy default-dnssec;
    key-size zsk 1536;
};
(policy default-dnssec is the global policy definition; the zone statement inherits the "default-dnssec" policy for the zone and its key-size line overrides a setting inherited from the global policy)
dnssec-keymgr
•dnssec-keymgr is designed to be run from a cron job
•it can be started manually:
# dnssec-keymgr example.com
# /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -L 3600 -a RSASHA256 -b 1536 example.com
# /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -L 3600 -fk -a RSASHA256 -b 2560 example.com
# /usr/local/sbin/dnssec-settime -K /etc/namedb/keys -I 20161017081131 -D 20161031081131 Kexample.com.+008+16143
# /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -S Kexample.com.+008+16143 -L 3600 -i 604800
# /usr/local/sbin/dnssec-settime -K /etc/namedb/keys -I 20161216081131 -D 20161230081131 Kexample.com.+008+45825
# /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -S Kexample.com.+008+45825 -L 3600 -i 604800
# /usr/local/sbin/dnssec-settime -K /etc/namedb/keys -I 20170214081131 -D 20170228081131 Kexample.com.+008+58464
# /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -S Kexample.com.+008+58464 -L 3600 -i 604800
# /usr/local/sbin/dnssec-settime -K /etc/namedb/keys -I 20170415081131 -D 20170429081131 Kexample.com.+008+59949
# /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -S Kexample.com.+008+59949 -L 3600 -i 604800
# /usr/local/sbin/dnssec-settime -K /etc/namedb/keys -I 20170614081131 -D 20170628081131 Kexample.com.+008+59589
# /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -S Kexample.com.+008+59589 -L 3600 -i 604800
# /usr/local/sbin/dnssec-settime -K /etc/namedb/keys -I 20170813081131 -D 20170827081131 Kexample.com.+008+47265
# /usr/local/sbin/dnssec-keygen -q -K /etc/namedb/keys -S Kexample.com.+008+47265 -L 3600 -i 604800
rndc managed-keys
•rndc can now be used to get information about the configured DNSSEC trust anchor(s)
•useful to track the automatic trust anchor update (RFC 5011) for the upcoming KSK change in the root zone https://www.icann.org/resources/pages/ksk-rollover
•Example:
# rndc managed-keys status
view: _default
next scheduled event: Fri, 19 Aug 2016 08:30:56 GMT
name: .
keyid: 19036
algorithm: RSASHA256
flags: SEP
next refresh: Fri, 19 Aug 2016 08:30:56 GMT
trusted since: Thu, 18 Aug 2016 08:30:53 GMT
DNSSEC trust-anchor telemetry
• BIND 9 configured as a DNSSEC validating resolver will send specially-formed queries once per day to domains for which trust anchors have been configured via trusted-keys, managed-keys, dnssec-validation auto, or dnssec-lookaside auto
• the query name used for these queries has the form "_ta-xxxx(-xxxx)(...)".<domain>, where each "xxxx" is a group of four hexadecimal digits representing the key ID of a trusted DNSSEC key
• this gives operators of trusted DNSSEC domains feedback on which active trust anchors are used for the domains they host
• this helps operators to decide when an old key can be removed from the DNSSEC zone
• trust-anchor-telemetry no; disables this function
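To put that feedback loop into practice on the operator's side, here is an added Python example (not from the slides) that decodes _ta- query names from query-log lines and counts which key IDs the reporting resolvers still trust per domain. The log lines are constructed for this example in the style of BIND's query log; key ID 19036 is the root key shown on the rndc managed-keys slide, and 20326 is assumed here as a second root trust anchor.

```python
import re
from collections import defaultdict

# Query-log lines constructed for this example (BIND query-log style).
# _ta-4a5c is key ID 19036 (0x4a5c), _ta-4f66 is key ID 20326 (0x4f66, assumed).
QUERY_LOG = """\
18-Aug-2016 08:30:56.001 queries: info: client 192.0.2.10#41234 (_ta-4a5c): query: _ta-4a5c IN NULL +E(0)K (192.0.2.1)
18-Aug-2016 08:31:02.417 queries: info: client 192.0.2.11#53011 (_ta-4a5c-4f66): query: _ta-4a5c-4f66 IN NULL +E(0)K (192.0.2.1)
18-Aug-2016 08:31:09.900 queries: info: client 198.51.100.7#40001 (www.example.net): query: www.example.net IN A +E(0)K (192.0.2.1)
18-Aug-2016 08:32:15.250 queries: info: client 198.51.100.9#40002 (_ta-4f66.example.net): query: _ta-4f66.example.net IN NULL +E(0)K (192.0.2.1)
"""

# "_ta-xxxx(-xxxx)(...)".<domain>: one or more 4-hex-digit key IDs, then the domain.
TA_NAME = re.compile(r"^_ta((?:-[0-9a-f]{4})+)(?:\.(.+?))?\.?$", re.IGNORECASE)


def parse_ta_name(qname):
    """Split a trust-anchor telemetry name into (domain, [key ids]).
    '_ta-4a5c-4f66' -> ('.', [19036, 20326]); '_ta-4f66.example.net' -> ('example.net', [20326]).
    Returns None when the name is not a telemetry query."""
    m = TA_NAME.match(qname)
    if not m:
        return None
    keyids = [int(h, 16) for h in m.group(1).strip("-").split("-")]
    domain = m.group(2) or "."
    return domain, keyids


def summarize_telemetry(log_text):
    """Count, per trust-anchor domain, how many telemetry queries named each key ID.
    A key ID that stops appearing is no longer configured as a trust anchor by the
    reporting resolvers, which is the signal an operator wants before removing it."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = re.search(r"query: (\S+) IN ", line)
        if not m:
            continue
        parsed = parse_ta_name(m.group(1))
        if parsed is None:
            continue  # ordinary query, not telemetry
        domain, keyids = parsed
        for kid in keyids:
            counts[domain][kid] += 1
    return {d: dict(k) for d, k in counts.items()}


if __name__ == "__main__":
    for domain, keys in summarize_telemetry(QUERY_LOG).items():
        print(domain, keys)
```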
Automating DNSSEC Delegation Trust Maintenance (RFC 7344)
• BIND 9.11 supports the CDS and CDNSKEY resource records
• BIND 9.11 can publish a new DS via CDS, or a new DNSKEY via CDNSKEY, whenever a new KSK is being created
• the parent zone operator can monitor the child zone and import new DS and DNSKEY data from the CDS or CDNSKEY records
Automating DNSSEC Delegation Trust Maintenance
[Diagram, slides 38-40: Parent DNS holds "tld. IN SOA …", "tld. IN NS …", "tld. IN DNSKEY …"; Child DNS holds "child.tld. IN SOA …", "child.tld. IN NS …", "child.tld. IN DNSKEY …"]
Updating the DNSSEC trust chain today: the "child.tld. IN DS …" record has to be carried from the child to the parent (the diagram shows "child.tld. IN DS …" on both sides)
Updating the DNSSEC trust chain with CDS / CDNSKEY: the child publishes "child.tld. IN CDS …" and the parent derives "child.tld. IN DS …" from it
Automating DNSSEC Delegation Trust Maintenance (RFC 7344)
dnssec-keygen and dnssec-settime now support additional timing information: SYNC Publish (when to publish CDS/CDNSKEY) and SYNC Delete (when to remove CDS/CDNSKEY)
# dnssec-settime -Psync +3mo /etc/namedb/keys/Kexample.com.+008+58464.key
# dnssec-settime -p all /etc/namedb/keys/Kexample.com.+008+58464.key
Created: Thu Aug 18 10:11:31 2016
Publish: Fri Dec 9 09:11:31 2016
Activate: Fri Dec 16 09:11:31 2016
Revoke: UNSET
Inactive: Tue Feb 14 09:11:31 2017
Delete: Tue Feb 28 09:11:31 2017
SYNC Publish: Wed Nov 16 09:47:45 2016
SYNC Delete: UNSET
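The timing dnssec-keymgr printed on the earlier slide can be reproduced from the policy, and the same date arithmetic gives the SYNC Publish time set with -Psync above; the Python below is an added example (not dnssec-keymgr's own code) that derives the -I/-D/-i values for the ZSK rollovers from the slide's policy and the -Psync +3mo result. It assumes 1mo = 30 days and 1w = 7 days, which is what the printed dates imply.

```python
import re
from datetime import datetime, timedelta

# Unit sizes as the slide's output implies: consecutive ZSK inactive times are
# 60 days apart for "roll-period zsk 2mo" and "pre-publish zsk 1w" shows up as
# -i 604800. Assumption: 1mo = 30 days, 1y = 365 days.
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800,
         "mo": 30 * 86400, "y": 365 * 86400}

# Policy values from the slide's policy.conf (zone example.com inherits default-dnssec).
POLICY = {"roll-period": "2mo", "pre-publish": "1w", "post-publish": "2w", "coverage": "364d"}


def parse_duration(text):
    """'2mo' -> 60 days, '1w' -> 7 days, '364d' -> 364 days, '604800' -> 7 days, '+3mo' -> 90 days."""
    m = re.fullmatch(r"\+?(\d+)\s*([a-z]*)", text.strip().lower())
    if not m or (m.group(2) and m.group(2) not in UNITS):
        raise ValueError(f"bad duration: {text!r}")
    return timedelta(seconds=int(m.group(1)) * UNITS[m.group(2) or "s"])


def stamp(dt):
    """Format a time the way dnssec-settime -I/-D/-P expect it (YYYYMMDDHHMMSS)."""
    return dt.strftime("%Y%m%d%H%M%S")


def zsk_rollover_schedule(created, policy):
    """Derive the ZSK timeline: each key becomes inactive one roll-period after the
    previous one, is deleted post-publish later, and its successor is pre-published
    pre-publish earlier. Rollovers are scheduled until the coverage period is filled."""
    roll = parse_duration(policy["roll-period"])
    pre, post = parse_duration(policy["pre-publish"]), parse_duration(policy["post-publish"])
    coverage_end = created + parse_duration(policy["coverage"])
    schedule, inactive = [], created + roll
    while inactive <= coverage_end:
        schedule.append({
            "inactive": stamp(inactive),                 # dnssec-settime -I
            "delete": stamp(inactive + post),            # dnssec-settime -D
            "successor_publish": stamp(inactive - pre),  # dnssec-keygen -S ... -i
            "successor_activate": stamp(inactive),
        })
        inactive += roll
    return schedule


def sync_publish_time(now, offset):
    """dnssec-settime -Psync +<offset>: when the CDS/CDNSKEY for the key goes into the zone."""
    return now + parse_duration(offset)


def slide_schedule():
    """The ZSK schedule for the key created at 2016-08-18 08:11:31 UTC, as on the slide."""
    return zsk_rollover_schedule(datetime(2016, 8, 18, 8, 11, 31), POLICY)


def slide_sync_publish():
    """-Psync +3mo issued at 09:47:45 on 2016-08-18 (the time is inferred from the output)."""
    return stamp(sync_publish_time(datetime(2016, 8, 18, 9, 47, 45), "+3mo"))


if __name__ == "__main__":
    for step in slide_schedule():
        print(step)
    print("SYNC Publish:", slide_sync_publish())
```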
DNSSEC negative trust anchors
• negative trust anchors (NTA) disable DNSSEC validation for a specific domain for a certain amount of time
• can be used by operators in case a misconfiguration for a remote DNSSEC signed zone is detected. Care should be taken to check that the DNSSEC validation failure is indeed a misconfiguration and not an attack
• domains with an NTA are processed as if there is no trust anchor for that domain
• NTAs are stored and are persistent across BIND 9 restarts
• BIND 9 checks the domain periodically. Once the domain starts validating again, the NTA for the domain is removed
• NTAs have a lifetime (maximum one week) and expire automatically
DNSSEC negative trust anchors
adding an NTA (for 60 seconds):
# rndc nta -l 60 fail01.dnssec.works
Negative trust anchor added: fail01.dnssec.works/_default, expires 18-Aug-2016 13:52:19.000
# rndc nta -dump
fail01.dnssec.works: expired 18-Aug-2016 13:52:19.000
# ls -l /etc/namedb/_default.nta
-rw-r--r--. 1 root root 44 Aug 18 13:51 /etc/namedb/_default.nta
# cat /etc/namedb/_default.nta
fail01.dnssec.works. regular 20160818115219
DNSSEC negative trust anchors
removing an NTA:
# rndc nta -l 86400 fail02.dnssec.works
Negative trust anchor added: fail02.dnssec.works/_default, expires 19-Aug-2016 13:56:22.000
(NTA for one day)
# rndc nta -dump
fail02.dnssec.works: expiry 19-Aug-2016 13:56:22.000
# rndc nta -r fail02.dnssec.works
Negative trust anchor removed: fail02.dnssec.works/_default
# rndc nta -dump
#
(NTA removed)
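Because every active NTA is a domain for which validation is switched off, the persistent _default.nta file is worth auditing; the Python below is an added example (not from the slides) that parses the file format shown above and classifies each entry. It assumes the stored timestamp is UTC (the slide's rndc output shows 13:52:19 CEST for the stored 115219), and two of the three lines are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Contents of /etc/namedb/_default.nta as shown on the slide (first line), plus
# two lines constructed for this example: an entry that has not expired yet and
# a hand-edited entry whose lifetime exceeds the one-week maximum rndc nta allows.
NTA_FILE = """\
fail01.dnssec.works. regular 20160818115219
fail02.dnssec.works. regular 20160819115622
manual.example. regular 20161001000000
"""

MAX_LIFETIME = timedelta(days=7)  # "NTAs have a lifetime (maximum one week)"


def parse_nta_file(text):
    """Parse '<name> <type> <YYYYMMDDHHMMSS>' lines; the timestamp is taken as UTC."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # tolerate blank or unexpected lines
        name, nta_type, ts = fields
        expires = datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        entries.append({"name": name, "type": nta_type, "expires": expires})
    return entries


def audit_ntas(text, now):
    """Classify each NTA as 'expired', 'active', or 'suspicious' (remaining lifetime
    longer than rndc nta could have granted). Active NTAs are the domains where
    DNSSEC validation is currently off and therefore deserve a review."""
    report = {"expired": [], "active": [], "suspicious": []}
    for e in parse_nta_file(text):
        remaining = e["expires"] - now
        if remaining <= timedelta(0):
            report["expired"].append(e["name"])
        elif remaining > MAX_LIFETIME:
            report["suspicious"].append(e["name"])
        else:
            report["active"].append(e["name"])
    return report


def slide_audit():
    """Audit at 2016-08-18 11:56:22 UTC, the moment the slide's one-day NTA was added."""
    return audit_ntas(NTA_FILE, datetime(2016, 8, 18, 11, 56, 22, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(slide_audit())
```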
DNS Cookies
DNS Cookies, defined in RFC 7873, create a lightweight session over UDP between a DNS client (which can be a DNS resolver) and a DNS server
DNS cookies
• can mitigate cache poisoning attacks
• make DNS amplification attacks harder
[Diagram, slides 47-51: DNS cookie exchange between a client and a BIND 9.11 DNS resolver that has a DNS cookie secret configured]
1. DNS query: Client Cookie Hash a56f341, Server Cookie Hash empty
2. Error response BADCOOKIE, which includes Server Cookie Hash b761a22; the client can cache the server cookie
3. DNS query: Client Cookie Hash a56f341, Server Cookie Hash b761a22
4. NOERROR response, which includes Server Cookie Hash b761a22
DNS Cookies
DNS cookies are enabled in BIND 9.11 by default (including the dig tool)
# dig @localhost menandmice.com
; <<>> DiG 9.11.0b3 <<>> @localhost menandmice.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6448
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: d22bde1a43ccf88213b35b4257b59343163def237257e622 (good)
;; QUESTION SECTION:
;menandmice.com. IN A

;; ANSWER SECTION:
menandmice.com. 300 IN A 72.10.32.220
(the COOKIE line shows the DNS cookie)
DNS Cookies
Configuration options for DNS cookies in BIND 9.11:
• require-server-cookie - (authoritative server or resolver) Require a valid server cookie before sending a full response to a UDP request from a cookie-aware client. BADCOOKIE is sent if there is a bad or non-existent server cookie.
• send-cookie - (resolver) If yes, then a COOKIE EDNS option is sent along with the query. If the resolver has previously talked to the server, the COOKIE returned in the previous transaction is sent.
• nocookie-udp-size - (authoritative or resolver) Sets the maximum size of UDP responses that will be sent to queries without a valid server COOKIE.
• cookie-algorithm - (authoritative or resolver) Set the algorithm to be used when generating the server cookie. One of "aes", "sha1" or "sha256".
• cookie-secret - (authoritative or resolver) If set, this is a shared secret used for generating and verifying DNS cookies within an anycast cluster. If not set, the system will generate a random secret at startup.
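The exchange in the diagram above and the require-server-cookie and cookie-secret options can be modelled in a few lines; the Python below is an added example (not BIND's code) in which a server with a shared secret issues cookies bound to the client cookie and client address, answers BADCOOKIE until the client presents the right one, and a second cluster member with the same cookie-secret accepts it. The HMAC-SHA256 construction is an illustrative choice, not BIND's exact server-cookie format; split_cookie slices the COOKIE value from the dig output above into its 8-byte client part and the server part.

```python
import hashlib
import hmac
import os


def split_cookie(cookie_hex):
    """Split dig's 'COOKIE:' value into (client cookie, server cookie). RFC 7873
    fixes the client cookie at 8 bytes (16 hex digits); the rest is the server's."""
    if len(cookie_hex) < 16 or len(cookie_hex) % 2:
        raise ValueError("malformed cookie")
    return cookie_hex[:16], cookie_hex[16:]


class CookieServer:
    """A server behaving like 'require-server-cookie yes': it answers only when the
    query carries a server cookie that it (or another anycast member sharing the
    same cookie-secret) issued for this client cookie and client address."""

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)  # cookie-secret; random if not set

    def server_cookie(self, client_cookie, client_ip):
        # Illustrative construction: first 8 bytes of HMAC-SHA256 over the client
        # cookie and client address, so a cookie cannot be replayed from another host.
        mac = hmac.new(self.secret, client_cookie + client_ip.encode(), hashlib.sha256)
        return mac.digest()[:8]

    def handle(self, client_ip, client_cookie, server_cookie=None):
        """Return (rcode, server cookie to send back). A missing or wrong server
        cookie yields BADCOOKIE together with the correct cookie so the client can retry."""
        expected = self.server_cookie(client_cookie, client_ip)
        if server_cookie is None or not hmac.compare_digest(server_cookie, expected):
            return "BADCOOKIE", expected
        return "NOERROR", expected


class CookieClient:
    """A resolver with 'send-cookie yes': it keeps the server cookie per server and
    sends it with the next query, as the diagram's second query does."""

    def __init__(self, ip):
        self.ip = ip
        self.client_cookie = os.urandom(8)
        self.cache = {}  # server name -> last server cookie received

    def query(self, name, server):
        rcode, sc = server.handle(self.ip, self.client_cookie, self.cache.get(name))
        self.cache[name] = sc  # cache the returned server cookie
        return rcode


if __name__ == "__main__":
    secret = b"shared-anycast-secret"  # constructed value for the example
    srv = CookieServer(secret)
    client = CookieClient("192.0.2.10")
    print(client.query("srv", srv), client.query("srv", srv))  # BADCOOKIE then NOERROR
```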
new resource record types
BIND 9 now supports the following resource record types:
• OPENPGPKEY - stores PGP public keys for email addresses
• AVC - stores metadata about applications (Cisco DNS-AS - "DNS Authoritative Source")
• TA - DNSSEC Trust Authorities
• TALINK - used by applications that maintain trust anchors for DNS validators
• NINFO - a mechanism in the DNS to publish descriptive information about the status of the zone
• RKEY - publishing arbitrary application keys that could be used to encrypt DNS resource records
• SINK - Kitchen Sink Resource Record (https://tools.ietf.org/html/draft-eastlake-kitchen-sink)
Minimal ANY
•a BIND 9 server getting a query with type ANY (QTYPE 255) will answer with all records matching the requested domain name and class
•this can create large UDP DNS answer packets
;; QUESTION SECTION:
;menandmice.com. IN ANY

;; ANSWER SECTION:
menandmice.com. 86400 IN SOA dns1.menandmice.com. hostmaster.menandmice.com. 2016052701 900 300 604800 900
menandmice.com. 3600 IN TXT "HhnTdT3K"
menandmice.com. 3600 IN TXT "MS=ms81797768"
menandmice.com. 3600 IN TXT "v=spf1 include:spf.protection.outlook.com a:smtp.menandmice.is a:support.menandmice.com a:otrs.menandmice.com a:imap2.skyrr.is a:mx.hysing.is ~all"
ns2.c.is. 84985 IN A 213.176.143.102
dns1.menandmice.com. 171385 IN A 217.151.171.7
dns2.menandmice.com. 171385 IN A 217.151.171.21
dns3.menandmice.com. 171385 IN A 45.79.153.125
[…]
;; Query time: 97 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 15 10:49:15 CEST 2016
;; MSG SIZE rcvd: 719
(the MSG SIZE line shows the DNS answer size)
Minimal ANY
•starting with BIND 9.11, BIND 9 can be configured to return only the first matching entry for an ANY query
•this mitigates the problem without causing (too much) breakage of older software (qmail etc.)
options { minimal-any yes; };
Minimal ANY
•same query as before with minimal-any enabled:
# dig menandmice.com any
; <<>> DiG 9.11.0b3 <<>> menandmice.com any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32396
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: f0a6921ce7023ebc646d789357b1837a0962c60d534b251e (good)
;; QUESTION SECTION:
;menandmice.com. IN ANY

;; ANSWER SECTION:
menandmice.com. 86033 IN SOA dns1.menandmice.com. hostmaster.menandmice.com. 2016052701 900 300 604800 900

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 15 10:55:22 CEST 2016
;; MSG SIZE rcvd: 123
DNS answer size: 123 < 719 bytes
adaptive preferred glue
BIND 9.11 now fills the additional section with glue records matching the transport protocol over which the query was received
• query received over IPv4 - A-Record glue data is preferred
• query received over IPv6 - AAAA-Record glue data is preferred
nslookup resolves IPv6 AAAA
nslookup got updated (WHOOO!)
nslookup will now look up IPv4 and IPv6 information for a hostname
# nslookup
> menandmice.com
Server: 172.22.1.22
Address: 172.22.1.22#53

Non-authoritative answer:
Name: menandmice.com
Address: 72.10.32.220
Name: menandmice.com
Address: 2a01:7e00::f03c:91ff:fe89:ed54
SERVFAIL Caching
DNS answers with the return code SERVFAIL are now cached (default: 1 second)
This reduces the frequency of retries when a query is persistently failing, which can be a burden on recursive servers
The cache time for SERVFAIL answers can be configured with the servfail-ttl statement; the maximum is 30 seconds
new mdig query tool
the new tool mdig (multi-dig) can be used to send multiple queries at once to a DNS server
answers are printed in order of arrival
# mdig @8.8.8.8 menandmice.com www.menandmice.com info.menandmice.com
(three queries)
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26843
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;www.menandmice.com. IN A
;; ANSWER SECTION:
www.menandmice.com. 4m59s IN A 72.10.32.220
(answer for query #2)
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61756
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;menandmice.com. IN A
;; ANSWER SECTION:
menandmice.com. 4m59s IN A 72.10.32.220
(answer for query #1)
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23068
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;info.menandmice.com. IN A
;; ANSWER SECTION:
info.menandmice.com. 4m59s IN CNAME 77026.group26.sites.hubspot.net.
77026.group26.sites.hubspot.net. 29m59s IN CNAME cos2mdc.hubspot.net.mdc.edgesuite.net.
cos2mdc.hubspot.net.mdc.edgesuite.net. 5h57m44s IN CNAME a1711.b.akamai.net.
a1711.b.akamai.net. 19s IN A 95.101.90.26
a1711.b.akamai.net. 19s IN A 95.101.90.82
(answer for query #3)
dig switches
dig +ttlunits causes dig to print TTL values with time-unit suffixes: w, d, h, m, s for weeks, days, hours, minutes, and seconds:
# dig +ttlunits menandmice.com
; <<>> DiG 9.11.0b3 <<>> +ttlunits menandmice.com
;; global options: +cmd
;; Got answer:
[…]
;; ANSWER SECTION:
menandmice.com. 4m54s IN A 72.10.32.220

;; AUTHORITY SECTION:
menandmice.com. 20h52m59s IN NS ns2.c.is.
menandmice.com. 20h52m59s IN NS dns1.menandmice.com.
menandmice.com. 20h52m59s IN NS ns0.c.is.
menandmice.com. 20h52m59s IN NS dns3.menandmice.com.
menandmice.com. 20h52m59s IN NS ns1.c.is.
menandmice.com. 20h52m59s IN NS dns2.menandmice.com.

;; ADDITIONAL SECTION:
dns1.menandmice.com. 21h9m22s IN A 217.151.171.7
dns2.menandmice.com. 20h52m59s IN A 217.151.171.21
dns3.menandmice.com. 1h29m39s IN A 45.79.153.125
multiple named processes
BIND 9.11 prevents the named process from accidentally being started more than once
named refuses to start if
• it cannot bind to any network interface
• the lock file /var/run/named/named.lock already exists
multiple named processes# named -g18-Aug-2016 13:31:16.929 starting BIND 9.11.0b3 <id:a23f742>18-Aug-2016 13:31:16.929 running on Linux x86_64 4.6.6-300.fc24.x86_64 #1 SMP Wed Aug 10 21:07:35 UTC 2016 18-Aug-2016 13:31:16.929 built with '--sysconfdir=/etc/namedb'18-Aug-2016 13:31:16.929 running as: named -g18-Aug-2016 13:31:16.929 ----------------------------------------------------18-Aug-2016 13:31:16.929 BIND 9 is maintained by Internet Systems Consortium,18-Aug-2016 13:31:16.929 Inc. (ISC), a non-profit 501(c)(3) public-benefit18-Aug-2016 13:31:16.929 corporation. Support and training for BIND 9 are18-Aug-2016 13:31:16.929 available at https://www.isc.org/support18-Aug-2016 13:31:16.929 ----------------------------------------------------18-Aug-2016 13:31:16.929 adjusted limit on open files from 65536 to 104857618-Aug-2016 13:31:16.929 found 4 CPUs, using 4 worker threads18-Aug-2016 13:31:16.929 using 3 UDP listeners per interface18-Aug-2016 13:31:16.929 using up to 4096 sockets18-Aug-2016 13:31:16.938 loading configuration from '/etc/namedb/named.conf'18-Aug-2016 13:31:16.939 reading built-in trusted keys from file '/etc/namedb/bind.keys' 18-Aug-2016 13:31:16.939 using default UDP/IPv4 port range: [32768, 60999]18-Aug-2016 13:31:16.939 using default UDP/IPv6 port range: [32768, 60999]18-Aug-2016 13:31:16.941 listening on IPv6 interfaces, port 5318-Aug-2016 13:31:16.948 binding TCP socket: address in use18-Aug-2016 13:31:16.948 listening on IPv4 interface lo, 127.0.0.1#5318-Aug-2016 13:31:16.949 binding TCP socket: address in use18-Aug-2016 13:31:16.949 listening on IPv4 interface mv-p3p1, 172.22.1.129#5318-Aug-2016 13:31:16.950 binding TCP socket: address in use18-Aug-2016 13:31:16.950 unable to listen on any configured interfaces18-Aug-2016 13:31:16.950 loading configuration: failure18-Aug-2016 13:31:16.950 exiting (due to fatal error)
67
© Men & Mice http://menandmice.com © ISC http://www.isc.org
more changes
The BIND 9.11 change log file has additional information on all the changes http://ftp.isc.org/isc/bind9/9.11.0b3/RELEASE-NOTES-bind-9.11.0b3.txt
Upcoming training classes
KEA-DHCP
October 13 – 14, 2016 - West Coast, USA
October 17 – 18, 2016 - East Coast, USA
November 21 – 22, 2016 - Amsterdam, The Netherlands
Two days - Hands-On training
US$ 1795
https://www.menandmice.com/support-training/training/kea-dhcp-training/
more training
•October 3 – 5, 2016 Introduction to DNS & BIND Hands-On class Arlington (VA), USA
•October 3 – 7, 2016 Introduction & Advanced DNS and BIND Topics Hands-on class Arlington (VA), USA
•October 5 – 7, 2016 DNSSEC Technical Workshop – Implementation and Deployment Arlington (VA), USA
•October 10-14, 2014 "DNS und BIND / DNS Sicherheit" (German) @ Linuxhotel, Essen, Germany
https://www.menandmice.com/support-training/training/
our next webinar A secure BIND 9 – best practices
When operating a DNS server, a secure configuration is paramount. BIND 9 experts from the Men & Mice team will answer questions about BIND 9 security.
Learn more on:
• “chroot” vs. “container”
• separating resolving and authoritative services for security
• BIND 9 configuration hardening
• monitoring BIND 9 for security issues
August 31st, 2016 4:00pm CEST/ 2:00pm GMT/ 10:00am EDT/ 7:00am PDT
https://www.menandmice.com/resources/educational-resources/webinars/a-secure-bind-9-best-practices/