DNS Server Security / Hardening
Linux OS - Fedora 14 / RHEL
Copyright Erwin L. Carrow. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author and other identified entities. To disseminate otherwise or to republish requires written permission from the author. Videos and specific graphics presented are not for public distribution.
Cyber Defense Security Presentation, 9/3/2011
Classes of Attacks: reconnaissance attacks, access attacks, denial of service attacks, and worms, viruses, and Trojan horses
All of the following can be used to compromise your system: packet sniffers, IP weaknesses, password attacks, DoS or DDoS, man-in-the-middle attacks, application layer attacks, trust exploitation, port redirection, viruses, Trojan horses, operator error, and worms
DNS Services: Protocols, Topology, & Resolution - Define, Discuss, Demonstrate, & Do (1 of 3)
Domain Name Service (DNS) provides IP address and Fully Qualified Domain Name (FQDN) request information to hosts
  Type/Role: Authoritative, Recursive / Master (auth.), Slave (auth., load balancing & redundancy), Caching (no auth. - name to IP resolution), Forwarding (no auth.)
  DHCP can dynamically populate DNS host records
Dynamic Host Configuration Protocol (DHCP) provides IP address, default router gateway, DNS, WINS, and other service information requested by a host to enable connectivity to various internal and external resources
  Typically applied and configured to support an organization's intranet
  Can be implemented locally to a specific broadcast domain, or the request is forwarded through a relay agent
  Host broadcasts a request and responds to the 1st DHCP server response received
  Host leases the information and requires a periodic renewal
  Renewal request is sent to the initial DHCP server via unicast; if there is no response, the host broadcasts a service request
Topology Structure: Nodes & Zones
Root domains, delegation of authority, & Start of Authority: authority is delegated to lower levels in the hierarchy; each layer in the hierarchy may delegate authoritative control to the next lower level
Domains (SOA): Start of Authority for a FQDN, e.g., redhat.com, where one or more DNS server IP addresses are registered with the Internet Corporation for Assigned Names and Numbers (ICANN)
Sub-domains: internally controlled DNS servers that segment organization resources
/etc/hosts
Server types & roles: primary-master; secondary-slave; & caching-only/forwarders
DNS resolution service
  Iterative queries: send the FQDN and request either the IP address of the domain or the FQDN of an authoritative DNS server (typically the host's resolver to the primary DNS server, and then DNS server to server exchanges until resolution or an invalid result)
  Recursive queries: send the FQDN to the DNS server and ask for the IP address of the domain (similar to above)
  Process: query, cache, & response
  FQDN -> IP address; IP address -> FQDN (reverse lookup domains)
  Creates dynamic entries in DNS tables
Static entries: DNS records for domain services
DHCP can be dynamically linked to local DNS for internal hostname resolution
DNS Services: Protocols, Topology, & Resolution - Define, Discuss, Demonstrate, & Do (2 of 3)
Master) or non-authoritative (partitioned out or partial load-balancing)
Caching: non-authoritative; static or dynamic updates
Forwarding: non-authoritative
Network Topology Location: service query response support for external (Internet), DMZ, internal (Intranet), host based (Caching)
http://www.dnsbl.info/dnsbl-list.php
DNS Services: Protocols, Topology, & Resolution - Define, Discuss, Demonstrate, & Do (3 of 3)
Content Management: Zones are created to distinguish domains and catalogue host records
DB file / record characteristics:
  Name
  TTL - time to live (how long the record is cached)
  Class - IN for Internet, the only record class supported in DNS
  Type - per the listing below
  Data - content specific to the record type
Record Types:
  Start of Authority (SOA) - information that identifies the top of the zone and other general properties
  Address (A or AAAA) - IPv4/IPv6
  Canonical name (CNAME) - alias
  Host information (HINFO)
  Mail exchange (MX) - mail server
  Name server (NS) - DNS servers
  Pointer (PTR) - reverse lookup IP to
Where will the application physically reside on the local OS? Partition type, quotas, & ACLs
  Manage space allocation
  Prevent hard links to programs; facilitate precise control over mount options
  Limit user access or influence; allow minimal privileges via mount options
Chroot Jail the DNS application
  If the service is compromised, limits user rights & privilege escalation
  If a local user is compromised, limits influence on the application
  Function? Runs a process with a root directory other than /
  $ /usr/sbin/chroot /home/user_name/existing_directory
  Challenge is to include the interdependent binaries / library files in the "Jail" environment
  Once set up, change to the location and start the service or application
How will you manage DNS's local functional influence? Must manage the application's ability to influence overall system functionality! SELinux (alt. AppArmor)
DNS Service Access Control
Sample exploit: http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
Access Control Lists (ACLs)
TSIG transactions - shared hashed key
DNSSEC: relies on public/private key authentication. The DNSSEC specifications (RFC 4033, RFC 4034 and RFC 4035, augmented with others) answer three questions:
  Authentication - the DNS server responding really is the DNS server that the request was sent to
  Integrity - the response is complete and nothing is missing or changed
  Proof of non-existence - if the DNS server returns a status that the name does not exist (NXDOMAIN), this response can be proven to have come from the authoritative server
RHEL: # dns-keygen, then edit /etc/rndc.key [insert key]
or RHEL/Fedora: # rndc-confgen > /etc/rndc.conf; rndc status
Use DNSSEC to verify recursive DNS results; this is the default DNS BIND configuration in RHEL 6
In /etc/named.conf, set a "trust anchor" to trust the root DNSKEY:
managed-keys {
    /* not the real root key */
    "." initial-key 257 3 5 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEf K3clRbGaTwSJxrGkxJWoZu6I7PzJu/E9 gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9 mZhkdUpd1Vso/HAdjNe8L";
};
Testing the validating recursive DNS server: # dig www.example.com +dnssec
DNS Service: Security Considerations - Define, Discuss, Demonstrate, & Do (2 of 3)
Authoritative Server: Configuration Overview
  (1) Create a normal DNS zone file
  (2) Generate the zone-signing key and key-signing key
  (3) Add DNSKEY records for both keys to the zone file
  (4) Sign the zone (creates RRSIG and NSEC/NSEC3)
  (5) Point /etc/named.conf at the signed zone file
  (6) Reload the zone
  (7) Provide the DS record for the zone's KSK to your parent zone
(1) Set up DNSSEC with each signed zone having its own directory, and a zone file with the same name as the zone: /var/named/example.com/example.com would be the zone file for the zone example.com
  The directory and zone file need to be readable by group named and have SELinux type named_zone_t
(2) Generating the ZSK and KSK: change to the zone file's directory in /var/named
  # cd /var/named/example.com/
  Create the zone-signing key (ZSK): # dnssec-keygen example.com
  Create the key-signing key (KSK): # dnssec-keygen -fk example.com
  Both dnssec-keygen commands should add the -3 option if you want to use NSEC3 records
(3) Add the keys to the zone file: each command results in a key pair of two files, Kexample.com+005+00000.{key,private}
  Add the public key files to the zone file: cat *.key >> /var/named/example.com/example.com
DNS Service: Security Considerations - Define, Discuss, Demonstrate, & Do (3 of 3)
(4) Manually sign the zone file
  Sign the zone manually: dnssec-signzone example.com
  Add the -3 option if you want NSEC3 records
  Active keys in the zone are automatically used
  Creates the example.com.signed file
  BIND 9.7 has a number of new features to support automatic signing on dynamic update, key rotation management, and so on; see the documentation in /usr/share/doc/bind-9.7*/arm/
(5) Update the zone directive and reload the zone
  The zone directive in /etc/named.conf needs to be pointed at the signed file:
  zone "example.com" IN { type master; file "example.com/example.com.signed"; };
(6) Reload the zone to make the changes take effect: # service named reload (or: rndc reload)
(7) Provide the DS record to the parent zone operator
  If the parent zone is DNSSEC signed and ready, provide your zone's DS record to your registrar
  You can generate it from your zone file if necessary:
  # cd /var/named/example.com/
  # dnssec-dsfromkey -f example.com
  Creates a dsset-example.com. file containing the DS records
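As an added illustration of step (7), not code from the slides: this script derives the DS record for a DNSKEY the way dnssec-dsfromkey does (key tag per RFC 4034 Appendix B, digest over the wire-format owner name followed by the DNSKEY RDATA), using a constructed public key rather than a real one.

```python
"""DS-record derivation for a DNSKEY, mirroring what dnssec-dsfromkey produces.

Added example, not from the presentation. SAMPLE_KEY_B64 is a constructed
public key (not a real key) so the script runs offline.
"""
import base64
import hashlib
import struct


def name_to_wire(name):
    """Encode an owner name in DNS wire format, lower-cased as RFC 4034 canonical form requires."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Serialize DNSKEY RDATA: 16-bit flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for every algorithm except the obsolete RSA/MD5, 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b     # treat the RDATA as big-endian 16-bit words
    ac += (ac >> 16) & 0xFFFF                  # fold the carry back in
    return ac & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Build the DS record text the parent zone expects: key tag, algorithm, digest type, digest.

    Digest type 1 is SHA-1 and 2 is SHA-256 (dnssec-dsfromkey emits both by default).
    The digest covers owner name (wire format) || DNSKEY RDATA, RFC 4034 section 5.1.4.
    """
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = h(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


# Constructed KSK: flags 257 (zone key + SEP bit), protocol 3, algorithm 5 as on the slide.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(1, 17))).decode()

if __name__ == "__main__":
    print(ds_record("example.com", 257, 3, 5, SAMPLE_KEY_B64, 1))
    print(ds_record("example.com", 257, 3, 5, SAMPLE_KEY_B64, 2))
```

The key tag printed here must match the one in the KSK's file name and in the zone's DNSKEY/RRSIG records, which is a quick way to confirm you handed the registrar the DS for the right key.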
Consider who the DNS server will support (internal/external)
  Only serve DNS for those types
  Segregate support requirements - don't do both in one server instance
  Do not arbitrarily allow zone transfers or do recursion
Identify the type of server and its location: Master, Slave, Caching, or Forwarding
Server setup: install bind, bind-utils, bind-chroot [jail application], caching-nameserver [RHEL - install for the cache server function], system-config-bind
Network interface configuration:
  Define & apply a static IP address to the interface: modify /etc/sysconfig/network-scripts/ifcfg-ethX; PEERDNS=no
  Modify /etc/hosts; place host name to IP address entries for the resources used for DNS lookups [optional]
  Modify /etc/resolv.conf; insert at the beginning of the file: nameserver 127.0.0.1
Security considerations: chroot / jail the application due to ever changing & challenging security issues
  # yum install bind-chroot
  The jailed configuration file is /var/named/chroot/etc/named.conf
  Copy dependent binaries & libraries into the chroot directory and manage links
  Modify the /etc/sysconfig/named file and set the ROOTDIR shell variable to /var/named/chroot, e.g., ROOTDIR="/var/named/chroot"
  Test - do an inode comparison:
  # ls /var/named/chroot/var/named
  # ls -ldi /var/named/chroot/var/named
  # ls -ldi /var/named
  # service named start
  # ls -ldi /var/named/chroot/var/named  [should now reflect the /var/named inode]
DNS Server – Install, Setup, & Administration (2 of 7)
Define, Discuss, Demonstrate, & Do
More security considerations: http://www.puschitz.com/SecuringLinux.shtml
Modify / edit firewall & SELinux settings: allow TCP & UDP port 53
Secure transaction exchange:
  TSIG signatures - hashed key exchange to support secure record exchange / replication
  Time synchronization is critical - if a TSIG exchange fails, check the time
  Split horizon server / proxy server placed in the DMZ; internal versus external name resolution can support two different query types, not recommended
Logs: /var/log/messages [assume DNS chroot]
  # mkdir -p /var/named/chroot/var/log/bind
  # chmod 744 /var/named/chroot/var/log/bind
  # chown named /var/named/chroot/var/log/bind
  # ls -ld /var/named/chroot/var/log/bind
NTP time services must be properly configured and secured
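An added example (not from the slides) of why the "check the time" advice holds for TSIG: a simplified RFC 2845 HMAC-MD5 signer and verifier in which a correctly signed message is rejected as BADTIME once the two clocks differ by more than the fudge window. The key name, secret and message are constructed, and the MAC covers fewer TSIG fields than the full RFC digest.

```python
"""Simplified TSIG (RFC 2845) signing and verification with HMAC-MD5.

Added example, not from the presentation. The MAC covers the DNS message plus
the key name, algorithm name, time-signed and fudge fields; the full RFC 2845
digest also covers class, TTL, error and other-data. Key and message are constructed.
"""
import base64
import hashlib
import hmac
import os
import struct

FUDGE = 300  # seconds of allowed clock skew; the RFC 2845 recommendation and BIND default
ALGORITHM = "hmac-md5.sig-alg.reg.int"   # TSIG algorithm name for HMAC-MD5


def name_to_wire(name):
    """DNS wire-format encoding of a name, lower-cased as TSIG's canonical form requires."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def tsig_mac(secret, key_name, message, time_signed, fudge):
    """HMAC-MD5 over the message plus the TSIG variables both sides must agree on."""
    variables = (name_to_wire(key_name) + name_to_wire(ALGORITHM)
                 + struct.pack("!Q", time_signed)[2:]   # 48-bit time signed (seconds since epoch)
                 + struct.pack("!H", fudge))
    return hmac.new(secret, message + variables, hashlib.md5).digest()


def tsig_sign(secret, key_name, message, time_signed, fudge=FUDGE):
    """Return (mac, time_signed, fudge): the values the signer places in the TSIG RR."""
    return tsig_mac(secret, key_name, message, time_signed, fudge), time_signed, fudge


def tsig_verify(secret, key_name, message, mac, time_signed, fudge, now):
    """Return NOERROR, BADSIG or BADTIME, checked in the order RFC 2845 section 4.5 gives."""
    expected = tsig_mac(secret, key_name, message, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"      # wrong secret, wrong key name, or tampered message
    if abs(now - time_signed) > fudge:
        return "BADTIME"     # signer and verifier clocks disagree by more than the fudge
    return "NOERROR"


def new_secret(bits=512):
    """Base64 shared secret, like dnssec-keygen -a HMAC-MD5 -b 512 -n HOST produces."""
    return base64.b64encode(os.urandom(bits // 8)).decode()


if __name__ == "__main__":
    secret = base64.b64decode(new_secret())
    msg = b"constructed stand-in for an AXFR request for example.com"
    mac, ts, fudge = tsig_sign(secret, "rndckey", msg, 1_000_000)
    print(tsig_verify(secret, "rndckey", msg, mac, ts, fudge, now=1_000_120))  # NOERROR
    print(tsig_verify(secret, "rndckey", msg, mac, ts, fudge, now=1_003_600))  # BADTIME
```

Because the MAC check runs before the time check, a server whose clock has drifted logs BADTIME rather than BADSIG, which is the clue that NTP, not the shared secret, needs attention.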
DNS Server – Install, Setup, & Administration (3 of 7)
Server Service
  Init & start - # chkconfig named on; service named start
  Service modification - # service network [stop | start | restart]
  RHEL configuration test - # service named configtest
  Documentation –
Populate domains with appropriate static records, e.g., name server (NS), mail server (MX), host records (A/AAAA), service records (IP and service port specific), reverse lookup records (PTR), etc.
Restart services
Zone information is located in /var/named
DNS Server – Install, Setup, & Administration (4 of 7)
Only common references below, e.g., change the file system locations below to the jailed DNS file locations
Caching-Only Server: yum install -y caching-nameserver
  # cp /etc/named.caching-nameserver.conf /etc/named.conf
Slave zone files: # ls /var/named/slaves
  Manually pull the Master file to the Slave: # dig -t axfr zone_name.com @servername
  RHEL6: /var/named is not writable; put zone modifications in /var/named/dynamic and then update /etc/named.conf
Local System Security Settings
  ACL: define an ACL directive: acl "local-net" { 127.0.0.1; 192.168.1.0/24; };
  Place in named.conf: allow-transfer { local-net; }; allow-query { local-net; };
  User access: DNS files owned by the application "named user" and not root!
  # chown root:named /etc/named/*; chown root:named /var/named/*;
DNS: Server – Install, Setup, & Administration (5 of 7)
Define, Discuss, Demonstrate, & Do
Only common references below, e.g., change the file system locations below to the jailed DNS file locations
Modify named.conf and insert: include "/etc/rndc.key";
Create key: # dns-keygen
  [Fedora: $ /usr/sbin/dnssec-keygen -a HMAC-MD5 -b 512 -n HOST keyname ]
  $ cat Kkeyname.+243+14321.private  (similar to below; see page 803)
Create the key file: # vi /etc/rndc.key
key "rndckey" {
    algorithm hmac-md5;
    secret "aresrntynratbYjhjdslo863eWEDvOVCmdvfvb";   /* not a real key */
};
Create the config file: # rndc-confgen > /etc/rndc.conf
Edit /etc/rndc.conf and paste in the key content listed above
Edit named.conf & add the following (the name inside keys { } must match the key name defined in rndc.key):
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndckey"; }; };
include "/etc/rndc.key";
Change ownership of files:
# chown root:named /etc/rndc.*
# chmod 400 /etc/rndc.*; service named configtest; service named restart; rndc status
# chcon -t named_conf_t rndc.key rndc.conf
Logs: /var/log/bind; /var/log/messages
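As an added check, not part of the presentation: a small script that reads named.conf together with the included rndc.key and verifies that the name in the controls keys { } clause matches a defined key stanza, which catches the easy mistake of writing the file name rndc.key where the key name rndckey belongs. The regexes are hypothetical helpers adequate for the simple stanzas shown on the slides, not a full named.conf parser; the sample files and secret are constructed.

```python
"""Check that the rndc controls stanza references a key that is actually defined.

Added example, not from the presentation. Regex-based, enough for the simple
key { } and controls { } stanzas on the slides; not a full named.conf parser.
"""
import re

KEY_RE = re.compile(r'key\s+"([^"]+)"\s*\{([^}]*)\}', re.S)            # key "name" { ... };
CONTROLS_KEYS_RE = re.compile(r'controls\s*\{.*?keys\s*\{([^}]*)\}', re.S)
INCLUDE_RE = re.compile(r'include\s+"([^"]+)"\s*;')


def defined_keys(conf):
    """Map key name -> algorithm for every key stanza in the text (None if algorithm missing)."""
    keys = {}
    for name, body in KEY_RE.findall(conf):
        m = re.search(r'algorithm\s+([\w-]+)\s*;', body)
        keys[name] = m.group(1).lower() if m else None
    return keys


def referenced_keys(conf):
    """Key names listed in controls { ... keys { ... }; }."""
    m = CONTROLS_KEYS_RE.search(conf)
    return re.findall(r'"([^"]+)"', m.group(1)) if m else []


def check_rndc(named_conf, includes):
    """Return a list of problems; an empty list means the controls stanza is consistent.

    includes maps an include path to that file's text, standing in for reading the file.
    """
    wanted = INCLUDE_RE.findall(named_conf)
    text = named_conf + "".join("\n" + includes.get(p, "") for p in wanted)
    keys, refs = defined_keys(text), referenced_keys(text)
    problems = [f"include {p} not found" for p in wanted if p not in includes]
    problems += [f'controls references undefined key "{r}"' for r in refs if r not in keys]
    problems += [f'key "{n}" has no algorithm' for n, a in keys.items() if a is None]
    if not refs:
        problems.append("controls stanza has no keys clause")
    return problems


# Constructed files modelled on the slides; the secret is not a real key.
RNDC_KEY = 'key "rndckey" { algorithm hmac-md5; secret "bm90IGEgcmVhbCBrZXk="; };'
GOOD_CONF = ('include "/etc/rndc.key";\n'
             'controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndckey"; }; };')
BAD_CONF = GOOD_CONF.replace('"rndckey"', '"rndc.key"')   # file name used instead of key name

if __name__ == "__main__":
    print(check_rndc(GOOD_CONF, {"/etc/rndc.key": RNDC_KEY}))   # []
    print(check_rndc(BAD_CONF, {"/etc/rndc.key": RNDC_KEY}))    # undefined key "rndc.key"
```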
DNS: Server Key Exchange Setup (6 of 7)
Define, Discuss, Demonstrate, & Do [RHEL]
DNS Service Security: Topology ACLs / Key Exchange (7 of 7)
Disabling unnecessary daemons that are "listening"
  Locate the pid in the netstat command
  cat /proc/<pid>/cmdline
  If not a full path, run which or locate to find the utility
  rpm -qf full_path_of_daemon
  rpm -e package_name
  If difficult to remove due to dependencies: chkconfig <service> off
tcp_wrappers
  Even if iptables is in use, configure this just in case
  Set /etc/hosts.deny to ALL: ALL
  Many daemons are compiled with support; find them by using: egrep libwrap /usr/bin/* /usr/sbin/* | sort
  For each program found, use its base name to set the expected access rights (if there are any). Example: smbd: 192.168.1.
Don't allow outsiders to alter the routing tables
  net.ipv4.conf.all.accept_redirects = 0
  net.ipv4.conf.default.accept_redirects = 0
  net.ipv4.conf.all.secure_redirects = 0
  net.ipv4.conf.default.secure_redirects = 0
Don't pass traffic between networks or act as a router
  net.ipv4.ip_forward = 0
  net.ipv4.conf.all.send_redirects = 0
  net.ipv4.conf.default.send_redirects = 0
verified need to run cron jobs
  Set up cron.allow and cron.deny
  Set up the equivalents if you have 'at' installed
sshd
  Enable only the ssh2 protocol
  If multi-homed, consider whether it needs to listen on all addresses or just one
  Do not allow root logins
  Consider adding group permission for logins: AllowGroups wheel
MySQL
  If the database is used internally to the machine, make it listen on localhost
  Change passwords
Apache
  Remove all unneeded modules
  Use mod_security to weed out injection attacks
  Set the correct SELinux booleans to maintain functionality and protection
DNS Server – Helpful Hints for Network Settings (3 of 4)
Define, Discuss, Demonstrate, & Do
SELinux
  Leave enabled and in enforcing mode
  Does not affect daemons it doesn't know about, unless they are started in a confined domain (note the earlier suggestions for chroot changes)
  Provides a behavioral model that known applications should be following
  Can stop attacks before they become complete system breaches
  Use the targeted policy; strict and MLS should be used only if you need that kind of protection
  Do boolean lockdown: review all booleans and set them appropriately with getsebool -a
  Generally, to secure the machine, look at things that are set to "on" and change them to "off" if they do not apply
SELinux Boolean Lockdown
# getsebool -a | grep ' on'
allow_daemons_dump_core --> on
allow_daemons_use_tty --> on
allow_execmem --> on
allow_execstack --> on
allow_gadmin_exec_content --> on
allow_gssd_read_tmp --> on
allow_kerberos --> on
allow_mounton_anydir --> on
allow_postfix_local_write_mail_spool --> on
allow_staff_exec_content --> on
allow_sysadm_exec_content --> on
allow_unconfined_exec_content --> on
allow_unlabeled_packets --> on
allow_user_exec_content --> on
allow_xserver_execmem --> on
allow_zebra_write_config --> on
browser_confine_xguest --> on
httpd_builtin_scripting --> on
httpd_enable_cgi --> on
httpd_enable_homedirs --> on
httpd_tty_comm --> on
httpd_unified --> on
read_default_t --> on
spamd_enable_home_dirs --> on
user_ping --> on
DNS Server – Helpful Hints for Network Settings (4 of 4)
Define, Discuss, Demonstrate, & Do
Access Control
  Do not allow root logins: this messes up the audit system since root is a shared account; sshd and gdm have settings to disallow root login
  pam_tally2: used to lock out an account after consecutive failed login attempts
  pam_access: used to forbid logins from certain locations, consoles, and accounts; /etc/security/access.conf controls its config
  pam_time: used to forbid logins during non-business hours; /etc/security/time.conf controls its config
  pam_limits: used to limit maximum concurrent sessions and other user restrictions; /etc/security/limits.conf controls its config
  pam_loginuid: used for all entry point daemons to set the task's loginuid and session identifier; loginuid and session ID are inherited by all processes at fork
  Limit access to the su command: edit /etc/pam.d/su and uncomment the line saying require wheel to allow uid