DNS & DNSSEC Workshop
18-21 Nov 2019, Port Moresby, Papua New Guinea

Outline
• DNS Overview
  – Configuration
  – Forward DNS and Reverse DNS
  – Troubleshooting
• DNS Security Overview
  – DNS Transactions
• DNSSEC
  – DNSSEC Signing
  – DNSSEC Key Rollover
Module I: DNS OVERVIEW
Domain Name System
• A lookup mechanism for translating objects into other
• A centrally-maintained file, distributed to all hosts on the Internet
• Issues with having just one file
  – Becomes huge after some time
  – Needs frequent copying to ALL hosts
  – Consistency
  – Always out-of-date
  – Name uniqueness
  – Single point of administration
• Requests and responses are normally sent via UDP port 53
• Occasionally uses TCP port 53 for very large requests
  – e.g. zone transfer from primary to secondary
Querying the DNS – It’s all about IP!
[Figure: a stub resolver asks its local DNS (localdns) for www.example.gov.pg; localdns repeats the question www.example.gov.pg? to the root, which answers “Ask a.b.c.d”; the next server answers “Ask e.f.g.h”, the next “Ask i.j.k.l”, and the server authoritative for example.gov.pg answers “Go to m.n.o.p”. The tree shown runs from the root (.) through .org, .net, .com, .pg, then .gov.pg, then example.gov.pg, down to www.example.gov.pg; every hop is a referral to the IP address of the next server.]
The DNS Tree Hierarchy
[Figure: the tree from the root (.) down through the top-level domains net, jp, org, com, arpa and pg, second-level names such as apnic, iana, whois, edu, bnu, gov, com and net beneath them, and hosts such as www, training, ws1, ws2, abc and apnictest at the leaves.]
FQDN = Fully Qualified Domain Name
DNS Terminologies

DNS Components
• A “name space”
• Servers making that name space available
• Resolvers (clients) query the servers about the name space
Domains
• Domains are “namespaces”
• Everything below .com is in the com domain
• Everything below apnic.net is in the apnic.net domain and in the net domain
Domains
[Figure: the NET domain (net and everything beneath it, including whois, iana, apnic.net and its www, training, ws1 and ws2 names) contains the APNIC.NET domain; the AU domain contains edu.au, com.au and net.au, and the name asked about in the query www.def.edu.au? lies inside the AU domain.]
Delegation
• Administrators can create subdomains to group hosts
  – According to geography, organizational affiliation or any other criterion
• An administrator of a domain can delegate responsibility for managing a subdomain to someone else
  – But this isn’t required
• The parent domain retains links to the delegated subdomain
  – The parent domain “remembers” to whom the subdomain is delegated
Zones and Delegations
• Zones are “administrative spaces”
• Zone administrators are responsible for a portion of a domain’s name space
• Authority is delegated from parent to child
Zones
[Figure: the NET domain contains the APNIC.NET domain, but the NET zone, the APNIC.NET zone and the TRAINING.APNIC.NET zone are separate administrative spaces; the tree shows net, org, com and arpa under the root, whois, iana and apnic under net, and www, training, ns1 and ns2 beneath apnic.]
The APNIC.NET zone doesn’t include TRAINING.APNIC.NET since it has been “delegated”.
Name Servers
• Name servers answer ‘DNS’ questions
• Several types of name servers
  – Authoritative servers
    • master (primary)
    • slave (secondary)
  – Caching or recursive servers
    • also caching forwarders
• Mixture of functions
[Figure: a primary server and a secondary server.]
Root Servers
• The top of the DNS hierarchy
• There are 13 root name servers operated around the world: [a-m].root-servers.net
• There are more than 13 physical root name servers
  – Each root server has an instance deployed via anycast
Root Servers
http://root-servers.org/
Root Server Deployment at APNIC
• Since 2002, APNIC has been committed to establishing new root server sites in the AP region
• APNIC assists in the deployment by providing technical support
• Deployments of F, K and I-root servers in
  – Singapore, Hong Kong, China, Korea, Thailand, Malaysia, Indonesia, Philippines, Fiji, Pakistan, Bangladesh, Taiwan, Cambodia, Bhutan, and Mongolia
Resolver
• Or “stub” resolver
• A piece of software (usually in the operating system) which formats the DNS request into UDP packets
• A stub resolver is a minimal resolver that forwards all requests to a local recursive nameserver
  – The IP address of the local DNS server is configured in the resolver
• Every host needs a resolver
  – In Linux, it uses /etc/resolv.conf
• It is always a good idea to configure more than one nameserver
Recursive Nameserver
• The job of the recursive nameserver is to locate the authoritative nameserver and get back the answer
• This process is iterative – starts at the root
• Recursive servers are also usually caching servers
• Prefer a nearby cache
  – Minimizes latency issues
  – Also reduces traffic on your external links
• Must have permission to use it
  – Your ISP’s nameserver or your own
[Figure: Recursive/Caching Nameserver]
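The iteration described on this slide and in the “Querying the DNS” figure, as an added example that is not part of the workshop material: a toy recursive resolver walks the referral chain in memory, starting from a root hint, following each “Ask …” referral, caching the final “Go to …” answer, and giving up on names no server in the chain knows. The server addresses a.b.c.d, e.f.g.h, i.j.k.l and m.n.o.p are the figure’s placeholders; the zone data and the address 203.0.113.10 are constructed here.

```python
# Added example, not from the workshop slides: a toy recursive resolver that
# walks the referral chain of the "Querying the DNS" figure in memory.
# Server addresses (a.b.c.d, e.f.g.h, i.j.k.l, m.n.o.p) are the figure's
# placeholders; the zone data and the final address 203.0.113.10 are constructed.
from typing import Dict, List, Optional, Tuple

# Authoritative data per server. Each server knows only its own zone: NS records
# (with the child server's address as glue) and A records it is authoritative for.
AUTH_DATA: Dict[str, Dict[str, Tuple[str, str]]] = {
    "a.b.c.d": {"pg.": ("NS", "e.f.g.h")},                       # root server
    "e.f.g.h": {"gov.pg.": ("NS", "i.j.k.l")},                   # .pg server
    "i.j.k.l": {"example.gov.pg.": ("NS", "m.n.o.p")},           # .gov.pg server
    "m.n.o.p": {"www.example.gov.pg.": ("A", "203.0.113.10")},   # example.gov.pg
}
ROOT_HINT = "a.b.c.d"   # what root.hints gives a freshly started recursive server


def best_match(server: str, qname: str) -> Optional[str]:
    """Longest name the server has data for that is qname or one of its parents."""
    labels = qname.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in AUTH_DATA[server]:
            return candidate
    return None


def resolve(qname: str, cache: Dict[str, str]) -> Tuple[Optional[str], List[str]]:
    """Iterate from the root hint, following referrals ("Ask ...") until an
    authoritative answer ("Go to ...") arrives. Returns (address, steps) and
    stores the answer in the cache so the next client is served locally."""
    if qname in cache:
        return cache[qname], ["cache hit"]
    server, steps = ROOT_HINT, []
    for _ in range(8):                       # guard against referral loops
        name = best_match(server, qname)
        if name is None:
            return None, steps + [f"{server}: no data for {qname}"]
        rtype, rdata = AUTH_DATA[server][name]
        if rtype == "A" and name == qname:
            steps.append(f"{server}: Go to {rdata}")
            cache[qname] = rdata
            return rdata, steps
        steps.append(f"{server}: Ask {rdata}")   # referral to the child's server
        server = rdata
    return None, steps + ["referral limit exceeded"]


if __name__ == "__main__":
    shared_cache: Dict[str, str] = {}
    for q in ("www.example.gov.pg.", "www.example.gov.pg.", "www.example.com."):
        print(q, *resolve(q, shared_cache))
```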
Authoritative Nameserver
• A nameserver that is authorised to provide an answer for a particular domain
  – Can be more than one auth nameserver
• Two types based on management method:
  – Primary (Master) and Secondary (Slave)
• Only one primary nameserver
  – All changes to the zone are done in the primary
• Secondary nameserver/s will retrieve the zonefile from the primary server
  – Slaves poll the master periodically
• Primary server can “notify” the slaves
[Figure: one primary with two secondaries.]
Resource Records
• Entries in the DNS zone file
• Components:
  Resource Record   Function
  Label             Name substitution for FQDN
  TTL               Timing parameter, an expiration limit
  Class             IN for Internet, CH for Chaos
  Type              RR Type (A, AAAA, MX, PTR) for different purposes
  RDATA             Anything after the Type identifier; additional data
Common Resource Record Types
RR Type  Name                 Function
A        Address record       Maps domain name to IP address
                              www.example.com. IN A 192.168.1.1
AAAA     IPv6 address record  Maps domain name to an IPv6 address
                              www.example.com. IN AAAA 2001:db8::1
NS       Name server record   Used for delegating zone to a nameserver
                              example.com. IN NS ns1.example.com.
PTR      Pointer record       Maps an IP address to a domain name
                              1.1.168.192.in-addr.arpa. IN PTR www.example.com.
CNAME    Canonical name       Maps an alias to a hostname
                              web IN CNAME www.example.com.
MX       Mail Exchanger       Defines where to deliver mail for user @ domain
                              example.com. IN MX 10 mail01.example.com.
                                           IN MX 20 mail02.example.com.
Example: RRs in a zone file
apnic.net.     7200 IN SOA  ns.apnic.net. admin.apnic.net. (
                    2019111801 ; Serial
                    12h        ; Refresh 12 hours
                    4h         ; Retry 4 hours
                    4d         ; Expire 4 days
                    2h )       ; Negative cache 2 hours
apnic.net.     7200 IN NS   ns.apnic.net.
apnic.net.     7200 IN NS   ns.ripe.net.
www.apnic.net. 3600 IN A    192.168.0.2
www.apnic.net. 3600 IN AAAA 2001:DB8::2
Label          TTL  Class Type Rdata
(The owner of the AAAA record needs its trailing dot: without it the name is relative and the zone origin apnic.net. would be appended to it.)
Places where DNS data lives
Changes do not propagate instantly
[Figure: Registry DB → Master → Slave servers → Cache server. Upload of zone data from the registry to the master is local policy; a slave might take up to the SOA ‘refresh’ interval to get data from the master; a cache server is not going to the net while the cached TTL > 0.]
Delegating a Zone
• Delegation is passing of authority for a subdomain to another party
• Delegation is done by adding NS records
  – Ex: if APNIC.NET wants to delegate TRAINING.APNIC.NET
    ns1.training.apnic.net. A 10.0.0.1
    ns2.training.apnic.net. A 10.0.0.2
    (the A records for the child’s nameservers placed in the parent zone are the Glue Records)
Delegating training.apnic.net. from apnic.net.
On ns.training.apnic.net:
  1. Set up a minimum of two servers
  2. Create the zone file with NS records
  3. Add all training.apnic.net data
On ns.apnic.net:
  1. Add NS records and glue
  2. Make sure there is no other data from the training.apnic.net. zone in the zone file
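The zone-file layout from the “RRs in a zone file” slide and the parent-side rule from this slide (NS records and glue only, nothing else from the child zone), as an added example that is not part of the workshop material: a small zone-file reader that handles ; comments, ( ) continuations and relative owner names, plus a check that lists every parent-zone record that actually belongs in the delegated child. The zone text and the 10.0.0.x addresses are constructed here.

```python
# Added example, not from the workshop slides: a small zone-file reader for the
# record layout of the "RRs in a zone file" slide, and the check from the
# delegation slide that the parent zone (apnic.net.) carries no data from the
# delegated child (training.apnic.net.) except the NS records and their glue.
import re
from typing import List, Tuple

Record = Tuple[str, str, str, str]   # (owner, class, type, rdata)

# Constructed sample: the last record is the mistake the slide warns about.
PARENT_ZONE = """\
apnic.net. 7200 IN SOA ns.apnic.net. admin.apnic.net. (
        2019111801 ; Serial
        12h 4h 4d 2h ) ; Refresh Retry Expire Negative cache
apnic.net.              7200 IN NS   ns.apnic.net.
www                     3600 IN A    192.168.0.2
training                     IN NS   ns1.training.apnic.net.
training                     IN NS   ns2.training.apnic.net.
ns1.training.apnic.net.      IN A    10.0.0.1
ns2.training.apnic.net.      IN A    10.0.0.2
www.training.apnic.net.      IN A    10.0.0.3
"""


def parse_zone(text: str, origin: str) -> List[Record]:
    """Strip ; comments, fold ( ... ) continuations, qualify relative owners."""
    text = re.sub(r";[^\n]*", "", text)
    text = re.sub(r"\([^)]*\)", lambda m: " ".join(m.group(0)[1:-1].split()), text)
    records, last_owner = [], origin
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        owner = last_owner if line[0].isspace() else fields.pop(0)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"      # no trailing dot: origin is appended
        last_owner = owner
        if fields and fields[0].isdigit():
            fields.pop(0)                     # optional TTL
        rclass = fields.pop(0) if fields and fields[0] in ("IN", "CH") else "IN"
        records.append((owner, rclass, fields[0], " ".join(fields[1:])))
    return records


def delegation_violations(parent: List[Record], child_apex: str) -> List[Record]:
    """Parent-zone records at or below the delegation point that are neither
    the delegating NS set nor glue (A/AAAA for a nameserver named by that set)."""
    ns_targets = {rd for own, _, typ, rd in parent if own == child_apex and typ == "NS"}
    bad = []
    for rec in parent:
        owner, _, rtype, _ = rec
        below = owner == child_apex or owner.endswith("." + child_apex)
        is_delegation = owner == child_apex and rtype == "NS"
        is_glue = rtype in ("A", "AAAA") and owner in ns_targets
        if below and not (is_delegation or is_glue):
            bad.append(rec)                   # this data belongs in the child zone
    return bad
```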
Remember ...
• Deploy multiple authoritative servers to distribute load and risk
  – Put your name servers apart from each other
• Use cache to reduce load to authoritative servers and response times
• SOA timers and TTL need to be tuned to the needs of the zone
  – For stable data, use higher numbers
Performance of DNS
• Server hardware requirements
• OS and the DNS server running
• How many DNS servers?
• How many zones are expected to load?
• How large are the zones?
• Zone transfers
• Where are the DNS servers located?
• Bandwidth
Performance of DNS
• Are these servers multihomed?
• How many interfaces are to be enabled for listening?
• How many queries are expected to be received?
• Recursion
• Dynamic updates
• DNS notifications
Module 2: DNS CONFIGURATION
DNS Software
• DNS BIND – authoritative + recursive server
• Unbound – caching DNS resolver
• NSD – authoritative only nameserver
• Microsoft DNS – provided with Windows Server
• Knot DNS – authoritative only nameserver
• PowerDNS – data storage backends
BIND
• Berkeley Internet Name Domain
• The most widely-used open source DNS software on the Internet
  – Current stable version is Bind 9.14.7
  – Bind 9.15.5 is in development
• Maintained by the Internet Systems Consortium (ISC)
Where to Get BIND
• Download source from the ISC website
  – http://www.isc.org
• Install from your distribution’s package manager
    apt-get install bind9
    yum install bind bind-utils
• Some packages may also be required
  – OpenSSL is necessary for DNSSEC
Unpacking BIND9
• When installing BIND from source, decompress the gzip file
    tar xvfz bind-9.<version>.tar.gz
    cd bind-9.<version>
• What's in there?
  – A lot of stuff (dig, libraries, etc)
  – Configure scripts
  – Administrator's Reference Manual (ARM)
Configuring a Recursive Server
• The recursive server needs to know how to reach the top of the DNS hierarchy
• It should also stop some queries such as those for localhost (127.0.0.1)
• The following files are required to run a recursive/caching server:
  – named.conf
  – root.hints
  – localhost zone (db.localhost)
  – 0.0.127.in-addr.arpa zone (db.127.0.0.1)
  – ::1 IPv6 reverse zone (db.ip6)
Zones in a Recursive Server
• Loopback name in operating systems
  – Queries for this shouldn't use recursion
  – Configure a file to define the localhost zone
  – Localhost will map to 127.0.0.1 and ::1
    zone "localhost" {
        type master;
        file "db.localhost";
    };
• Reverse zone for the loopback
  – maps 127.0.0.1 (and ::1) to localhost
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "db.127.0.0.1";
    };
Zones in a Recursive Server
• Reverse zone for IPv6 link-local address
    zone "8.B.D.0.1.0.0.2.ip6.arpa" {
        type master;
        file "db.2001.db8";
    };
• Built-in empty zones will be created for RFC 1918, RFC 4193, RFC 5737 and RFC 6598
  https://tools.ietf.org/html/rfc6303
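How the reverse-zone names on these slides (0.0.127.in-addr.arpa, 8.B.D.0.1.0.0.2.ip6.arpa) and the owner labels inside the loopback zone files are derived, as an added example that is not part of the workshop material: it goes slightly beyond the slides by handling any octet- or nibble-aligned prefix and by rejecting prefixes that cannot be expressed as a single reverse zone. Only the standard library’s ipaddress module is used; the SOA values are copied from the workshop’s localhost zone file, the rest is constructed.

```python
# Added example, not from the workshop slides: derive the reverse-zone names used
# in the recursive-server configuration (0.0.127.in-addr.arpa, 8.B.D.0.1.0.0.2.ip6.arpa)
# from a prefix, and the PTR owner name for a single address, using the standard
# library's ipaddress module. DNS names are case-insensitive, so the lowercase
# nibbles produced here match the uppercase spelling on the slide.
import ipaddress


def reverse_zone_name(prefix: str) -> str:
    """in-addr.arpa / ip6.arpa apex for an IPv4 or IPv6 prefix."""
    net = ipaddress.ip_network(prefix, strict=True)     # host bits set -> ValueError
    if net.version == 4:
        unit, suffix, digits = 8, "in-addr.arpa", str(net.network_address).split(".")
    else:
        unit, suffix = 4, "ip6.arpa"
        digits = list(net.network_address.exploded.replace(":", ""))   # 32 nibbles
    if net.prefixlen % unit:
        # e.g. /28 or /60 cannot be one reverse zone; needs RFC 2317-style tricks
        raise ValueError(f"{prefix}: reverse zones need /{unit}-aligned prefixes")
    kept = digits[: net.prefixlen // unit]
    return ".".join(reversed(kept)) + "." + suffix


def ptr_owner(address: str) -> str:
    """Full PTR owner name for one address (labels reversed, trailing dot)."""
    return ipaddress.ip_address(address).reverse_pointer + "."


def relative_ptr_label(address: str, zone: str) -> str:
    """Owner label as written inside the file for `zone`, e.g. the "1" in the
    0.0.127.in-addr.arpa file that maps 127.0.0.1 to localhost."""
    owner, apex = ptr_owner(address), zone.rstrip(".") + "."
    if not owner.endswith("." + apex):
        raise ValueError(f"{address} is not inside {zone}")
    return owner[: -len(apex) - 1]


def reverse_zone_file(zone: str, address: str, hostname: str = "localhost.") -> str:
    """Render a zone file in the layout of the workshop's loopback examples."""
    label = relative_ptr_label(address, zone)
    return (
        "$TTL 86400\n"
        f"@ IN SOA {hostname} root.{hostname} (\n"
        "    2019111801 ; serial\n    1800 ; refresh\n    900 ; retry\n"
        "    69120 ; expire\n    1080 ; negative ttl\n)\n"
        f"  NS {hostname}\n{label} PTR {hostname}\n"
    )
```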
Example named.conf
zone "0.0.127.in-addr.arpa." {
    type master;
    file "db.127";
};
zone "8.B.D.0.1.0.0.2.ip6.arpa." {
    type master;
    file "db.2001.db8";
};
options {
    directory "/var/named/recursive";
    recursion yes;
};
zone "." {
    type hint;
    file "named.root";
};
zone "localhost." {
    type master;
    file "localhost";
};
Zone Files
• Contain the resource records defined in a particular zone
• Begins with a Start of Authority Record (SOA)
• For other servers – optimize the values based on
  – Frequency of changes
  – Required speed of propagation
  – Reachability of the primary server
  – (and many others)
localhost zonefile
$TTL 86400
@   IN SOA localhost. root.localhost. (
        2019111801 ; serial
        1800       ; refresh
        900        ; retry
        69120      ; expire
        1080       ; negative ttl
        )
    NS   localhost.
    A    127.0.0.1
    AAAA ::1
0.0.127.in-addr.arpa zonefile
$TTL 86400
@   IN SOA localhost. root.localhost. (
        2019111801 ; serial
        1800       ; refresh
        900        ; retry
        69120      ; expire
        1080       ; negative ttl
        )
    NS  localhost.
1   PTR localhost.
ip6.arpa zonefile
$TTL 86400
@   IN SOA localhost. root.localhost. (
        2019111801 ; serial
        1800       ; refresh
        900        ; retry
        69120      ; expire
        1080       ; negative ttl
        )
    NS  localhost.
1   PTR localhost.
Assembling the files
• Create a directory in /var/named/ and copy the files
    # mkdir recursive
    # ls
    0.0.127.in-addr.arpa  db.localhost  root.hints
• The directory name and file names will be defined in named.conf
• Now create a named.conf file in the same directory
Running the server
• From the directory
    named -g -c named.conf
  where:
    -c  path to the configuration file
    -g  run in the foreground

;; ANSWER SECTION:
www.google.com.  156  IN  A  74.125.237.115
www.google.com.  156  IN  A  74.125.237.113
www.google.com.  156  IN  A  74.125.237.116
www.google.com.  156  IN  A  74.125.237.114
www.google.com.  156  IN  A  74.125.237.112

• Short descriptions of each can be found in the Administrator's Reference Manual (ARM)
    category queries { my_dns_log; };
So You've Set Up A Server
• What tests should be done?
• Test if the server is up
  – Is the (right) server running?
  – Is the machine set up correctly?
• Test if data is being served
  – Has the zone loaded?
  – Have zone transfers happened?
Checking the Configuration
• To see named start, use the -g flag
  – Keeps named process in the foreground
  – Prints some diagnostics
  – But does not execute logging
• When satisfied (i.e. no errors), kill the process and start without the -g flag to run in the background
• Other option
  – % named-checkconf (check for syntax only)
Is the Server Running?
• Make sure the server is running
  – dig @127.0.0.1 version.bind chaos txt
• This makes the name server do the simplest lookup it can – its version string
• This also confirms which version you started
  – Common upgrade error: running the old version
Is the Server Data Correct?
• Check the serial number to make sure the zone has loaded
    dig @127.0.0.1 <zone> soa
• Also test changed data in case you forgot to update the serial number
• On the secondary server, this check is made to see if the zone transferred
Is the Server Reachable?
• If the dig tests fail, it’s time to test the environment (machine, network)
    ping <server machine ip address>
• This tests basic network flow; common errors
  – Network interface not UP
  – Routing to machine not correct
• Pinging locally is useful
  – Confirms that the IP address is correctly configured
Is the Server Listening?
• If the server does not respond, but the machine responds to ping
  – look at system log files
  – telnet server 53
  – firewall running?
• Server will run even if it can't open the network port
  – logs will show this
  – telnet opens a TCP connection, tests whether the port was opened at all
Using the Tools
• named itself
• dig or nslookup
• host diagnostics
• packet sniffers
Built in to named
• named -g to retain command line
    named -g -c <conf file>
• named -d <level>
  – sets the debug output volume
  – <level>s aren't strictly defined
  – -d 3 is popular, -d 99 gives a lot of detail
dig
• domain internet groper
• best tool for testing
• shows query and response syntax
• Included in the software
Flags
Flags  Meaning
AA     Authoritative answer
RD     Recursion desired
RA     Recursion Available
AD     Authenticated Data (DNSSEC only)
CD     Checking Disabled (DNSSEC only)

Status  Response Code
0       NOERR     No error
1       FORMERR   Format error
2       SERVFAIL  Nameserver unreachable
3       NXDOMAIN  Domain name not existing
4       NOTIMPL   Not implemented
5       REFUSED   Request refused
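Reading these flags and status codes out of real dig output, as an added example that is not part of the workshop material: the parser picks up the header line, the flags line, the section counts and the ANSWER SECTION records, and describe() turns them into the checks a troubleshooter asks (is the answer authoritative, was recursion available, was it DNSSEC-validated). The dig output below is constructed; the code names use the spellings dig actually prints (NOERROR, NOTIMP) rather than the slide’s abbreviations.

```python
# Added example, not from the workshop slides: parse the header, flags and
# ANSWER SECTION of dig output and map them to the meanings tabulated on the
# "Flags" slide. SAMPLE is a constructed dig run, not captured output.
import re
from typing import Dict, List

FLAG_MEANING = {
    "qr": "Response", "aa": "Authoritative answer", "tc": "Truncated, retry over TCP",
    "rd": "Recursion desired", "ra": "Recursion available",
    "ad": "Authenticated data (DNSSEC only)", "cd": "Checking disabled (DNSSEC only)",
}
STATUS_MEANING = {   # dig's spellings; the slide abbreviates NOERR / NOTIMPL
    "NOERROR": "No error", "FORMERR": "Format error", "SERVFAIL": "Server failure",
    "NXDOMAIN": "Domain name does not exist", "NOTIMP": "Not implemented",
    "REFUSED": "Request refused",
}
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;www.example.com.\t\tIN\tA

;; ANSWER SECTION:
www.example.com.\t300\tIN\tA\t192.0.2.10
www.example.com.\t300\tIN\tA\t192.0.2.11
"""


def parse_dig(output: str) -> Dict[str, object]:
    """Extract status, flags, section counts and ANSWER records from dig output."""
    hdr = re.search(r"status: (\w+), id: (\d+)", output)
    flags = re.search(r";; flags: ([^;]*);", output)
    counts = dict(re.findall(r"(QUERY|ANSWER|AUTHORITY|ADDITIONAL): (\d+)", output))
    answers: List[tuple] = []
    section = None
    for line in output.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:-9].strip()            # e.g. "ANSWER"
        elif section == "ANSWER" and line and not line.startswith(";"):
            name, ttl, _cls, rtype, rdata = line.split(None, 4)
            answers.append((name, int(ttl), rtype, rdata))
    return {
        "status": hdr.group(1) if hdr else None,
        "flags": flags.group(1).split() if flags else [],
        "counts": {k: int(v) for k, v in counts.items()},
        "answers": answers,
    }


def describe(parsed: Dict[str, object]) -> List[str]:
    """Status and flag meanings, plus the classic 'lame server' symptom."""
    status = parsed["status"]
    notes = [f"status {status}: {STATUS_MEANING.get(status, 'unknown')}"]
    notes += [f"{f}: {FLAG_MEANING.get(f, '?')}" for f in parsed["flags"]]
    if "aa" not in parsed["flags"] and "ra" not in parsed["flags"]:
        notes.append("neither AA nor RA: not authoritative and recursion not offered")
    return notes
```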
Non-BIND Tools
• Tools to make sure the environment is right
  – Tools to look at server machine
  – Tools to test network
  – Tools to see what messages are on the network
ifconfig
• Interface configuration
    ifconfig -a
• An operating system utility that shows the status of interfaces
• Warning: during boot up, ifconfig may configure interfaces after named has started
  – named can't open delayed addresses
ping
• Checks routing, machine health
  – Most useful if run from another host
  – Could be reason "no servers are reached"
  – Can be useful on local machine – to see if the interface is properly configured
traceroute
• If ping fails, traceroute can help pinpoint where trouble lies
  – the problem may be routing
  – if so – it's not named that needs fixing!
  – but it is important to know
tcpdump and wireshark
• Once confident in the environment, problems with DNS setup may exist
• To see what is happening in the protocol, use traffic sniffers
• These tools can help debug "forwarding" of queries
Address Match List
• Elements:
  – Individual IP addresses
  – Addresses or netmask pairs
  – Names of other ACLs
  – Key names
• Used for:
  – Restricting queries & zone xfer
  – Authorizing dynamic updates
  – Selecting interfaces to listen on
  – Sorting responses
Notes on Address Match list
• Elements must be separated by “ ; ”
• The list must be terminated with a “ ; ”
• Elements of the address match list are checked sequentially
• To negate elements of the address match list prepend them with “!”
• Use acl statement to name an address match list
• ACL must be defined before it can be used elsewhere
Example: Address match lists
• For network 192.168.0.0 255.255.255.0
    { 192.168.0.0/24; }
• For network plus loopback
    { 192.168.0.0/24; 127.0.0.1; ::1; }
• Addresses plus key name
    { 192.168.0.0/24; 127.0.0.1; key example.com; }
ACL Statement
• Syntax:
    acl <acl name> { <address match list> };
• Example:
    acl internal { 127.0.0.1; 192.168.0/24; };
    acl dynamic-update { key dhcp.apnic.net; };
Notes on ACL Statement
• The ACL name need not be quoted
• There are four predefined ACLs:
  – any (Any IP address)
  – none (No IP address)
  – localhost (loopback, 127.0.0.1)
  – localnets (all networks that are directly connected to the server)
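The evaluation rules from the address-match-list and ACL slides (elements checked sequentially, first match decides, “!” negates, elements may name other ACLs including the predefined any/none/localhost), as an added example that is not part of the workshop material: an evaluator that shows why the position of a negated element matters for an allow-transfer or allow-query list. The ACL definitions are constructed to mirror the slide examples; propagating a nested ACL’s negative match to the outer list is an assumption of this example, key elements are not modelled, and the slide’s 192.168.0/24 shorthand is written out in full because the ipaddress module does not accept it.

```python
# Added example, not from the workshop slides: an evaluator for BIND-style
# address match lists following the rules stated on the ACL slides. The ACL
# definitions are constructed; "key" elements are out of scope here.
import ipaddress
from typing import Dict, List, Optional

ACLS: Dict[str, List[str]] = {
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
    "localhost": ["127.0.0.1", "::1"],
    # constructed definitions mirroring the slide examples
    "internal": ["127.0.0.1", "192.168.0.0/24"],
    # order matters: the negated host must come BEFORE the network it is in,
    # otherwise the network element matches first and the "!" is never reached
    "xfer-ok": ["!192.168.0.5", "internal"],
    "xfer-broken": ["internal", "!192.168.0.5"],
}


def evaluate(aml: List[str], addr) -> Optional[bool]:
    """Walk the list in order; the first element that matches decides
    (True = matched, False = matched a negated element). None means nothing
    matched, which the caller treats as deny."""
    for element in aml:
        negate = element.startswith("!")
        element = element[1:].strip() if negate else element
        if element in ACLS:                       # nested ACL (assumption: its
            nested = evaluate(ACLS[element], addr)  # negative match propagates)
            if nested is None:
                continue
            return (not nested) if negate else nested
        net = ipaddress.ip_network(element, strict=False)   # host or prefix
        if addr.version == net.version and addr in net:
            return not negate
    return None


def allowed(aml: List[str], address: str) -> bool:
    """Decision BIND would reach for `address` against this list."""
    return evaluate(aml, ipaddress.ip_address(address)) is True


if __name__ == "__main__":
    for name in ("xfer-ok", "xfer-broken"):
        print(name, "192.168.0.5 ->", "allowed" if allowed(ACLS[name], "192.168.0.5") else "denied")
```

Using xfer-broken as an allow-transfer list would hand the zone to the host it was meant to exclude, which is exactly the kind of silent misordering a regular ACL review catches.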
Blackhole
options {
    blackhole { ACL-name or itemized list; };
};
Allow-transfer
zone "myzone.example." {
    type master;
    file "myzone.example.";
    allow-transfer { ACL-name or itemized list; };
};
Allow-Query
zone "myzone.example." {
    type master;
    file "myzone.example.";
    allow-query { ACL-name or itemized list; };
};
Listen-on
options {
    listen-on port # { ACL-name or itemized list; };
};
Masters
masters name { masters_list | ip_addr };
Ex:
masters nsX { 192.168.0.1; 2001:db8::1; };
zone "example.com" {
    type slave;
    masters { nsX; };
    file "/link/to/db.example.com";
};
Summary
• ACLs and configuration options can be used to create simple split DNS
• It is cumbersome and difficult to maintain
• Good operational practice suggests that ACLs and configuration options be reviewed regularly to ensure that they accurately reflect the desired behavior
Views
• a powerful new feature of BIND 9 that lets a name server answer a DNS query differently depending on who is asking
• useful for implementing split DNS setup without having to run multiple servers