A secure BIND 9 – best practices
© Men & Mice http://menandmice.com
BIND 9 Security
a collection of security best practice tips from the
Men & Mice services team
• this is not an exhaustive list, but a good start
• if you have an important tip we've missed in this
webinar, let us know on Twitter @menandmice
(and we will retweet)

Keep BIND 9 "up-to-date"
keeping BIND 9 up-to-date
from time to time security vulnerabilities are found
in BIND 9
• update BIND 9 via the package manager of your
Linux/Unix distribution
• also monitor the security of BIND 9's library
dependencies (OpenSSL, libxml2)
• the ISC announcement mailing list is a good source for
BIND 9 security related information

keeping BIND 9 up-to-date
keep your BIND 9 software up-to-date
• if BIND 9 is not updated by the OS vendor (e.g.
MacOS X), use a cross-platform package manager
• pkgsrc — https://www.pkgsrc.org
• Nix — https://nixos.org/nix/
• subscribe to the BIND 9 announce mailing list
(low volume, new versions and security
announcements only)
https://lists.isc.org/mailman/listinfo/bind-announce

keeping BIND 9 up-to-date
consider using a new(er) version of BIND 9
• new security features (like DNSSEC negative trust
anchors)
• newer/better crypto algorithms for DNSSEC/TSIG
• HMAC-SHA256 for TSIG
• new elliptic curves for DNSSEC signatures
• new privacy features (QNAME minimisation, DNS over
TLS … )

Separating authoritative and recursive DNS
Separating
authoritative and recursive DNS
authoritative DNS server and DNS resolver are separate
functions in the DNS infrastructure
• they have different security requirements
• while BIND 9 can operate in "hybrid" mode (the default), it
is strongly recommended to separate the two functions
• they can run on the same hardware with operating system
containers or virtualization

Figure: the two functions of a DNS server. An authoritative DNS server
serves authoritative data; a caching DNS server holds cached data and
acts as a smart resolver for its clients.

Separating
authoritative and recursive DNS
benefits of separate authoritative and recursive DNS
• required for DNSSEC validation of your own zones (a hybrid
server answers from its own zone data and never validates it)
• security configuration optimised for the function
(for example query ACLs)
• helps troubleshooting (logging)
• easier maintenance (updates)

process isolation
process isolation
chroot is the classic process isolation function in
Unix operating systems
• chroot confines a process into a subtree of the
filesystem
• in a proper chroot setup, the process cannot
access files outside the chroot subtree

process isolation
full Unix file tree view:
/
  /dev
  /etc
  /bin
  /sbin
  /usr
  /var/chroot
    etc
    dev
    var/named

files and directories seen by the chrooted process
(chroot = /var/chroot):
/
  /dev
  /etc
  /var/named

process isolation
chrooting BIND 9 is easy (compared with other
daemon processes or BIND 4/8):
named -t /var/named
• all files BIND 9 needs during operation must be
located inside the chroot directory (here /var/named)
• all file references in the BIND 9 configuration file
are relative to the chroot
• this is a source of confusion for some admins
• combine -t with -u <user> so that named drops root
privileges after start-up; a process that keeps UID 0
inside the chroot can escape from it

process isolation
shortcomings of the chroot function
• chroot was never designed as a security feature
• a real "root" user (UID 0) can find ways to break
out of the chroot
• isolation is only on the filesystem level, not on the
process, environment and network level

process isolation
modern alternatives to chroot:
• grsecurity Linux kernel enhanced chroot
https://grsecurity.net/features.php
• container virtualization:
• Linux containers (LXC, LXD, Docker, Firejail,
systemd-nspawn)
• FreeBSD "jails"
• Solaris/illumos "zones"

process isolation
benefits of modern alternatives
• process, environment and network isolation
• manageability
• separation of application (BIND 9 DNS server and
utilities) and data (zonefiles, configuration)
• enables a quick clean rebuild after an intrusion

DNSSEC

DNSSEC
classic DNS is vulnerable to a large number of attacks
on the content of DNS answers
• DNSSEC (digital signatures on DNS data) guards
against many of these attacks
• the DNS root zone, all gTLDs (including the new gTLDs)
and many ccTLDs are DNSSEC signed
• many second level domains are also DNSSEC secured

DNSSEC
BIND 9 comes with a trust anchor for the Internet
root zone built in
• DNSSEC validation can be enabled with just one
line of configuration:
options {
dnssec-validation auto;
};

DNSSEC
enable DNSSEC validation on a DNS resolver
• test that DNSSEC validation is enabled:
# rndc validation check
DNSSEC validation is enabled (view _default)
# dig soa . @127.0.0.1 +adflag
; <<>> DiG 9.11.0 <<>> soa . @127.0.0.1 +adflag
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46337
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
AD = authentic data (the resolver validated the answer)

DNSSEC
consider DNSSEC signing your zones
• modern BIND 9 versions make DNSSEC signing and
management easy
• the Men & Mice DNSSEC workshop training gives you a place to
learn, test DNSSEC and build routine
• management can be automated
(dnssec-keymgr, CDS/CDNSKEY)
• never store private key material on a DNS server exposed to
the Internet!

minimal responses
minimal responses
RFC 1034 defines the additional section in a DNS
answer as "Carries RRs which may be helpful in
using the RRs in the other sections."
• in the default configuration, BIND 9 tries to be
very helpful, sending additional information ...
• ... creating larger than needed DNS answer packets
• this is sometimes exploited by attackers in
distributed denial of service attacks (reflection/amplification)

minimal responses
Figure: DNS over UDP is "stateless" communication, so the source IP
address of a query can be spoofed. A spoofed query to some DNS server on
the Internet produces an answer that is delivered to the owner of the
spoofed IP address. And there are many, many DNS servers to be found on
the Internet.

minimal responses
% dig @ns2.xb.nl. mx ncsc.nl
; <<>> DiG 9.9.2-vjs287.12 <<>> @ns2.xb.nl. mx ncsc.nl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60070
;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 2, ADDITIONAL: 10
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ncsc.nl. IN MX
;; ANSWER SECTION:
ncsc.nl. 60 IN MX 20 min3.govcert.nl.
ncsc.nl. 60 IN MX 20 min4.govcert.nl.
ncsc.nl. 60 IN MX 30 min5.govcert.nl.
ncsc.nl. 60 IN MX 40 smtp.espritxb.nl.
ncsc.nl. 60 IN MX 10 min1.govcert.nl.
ncsc.nl. 60 IN MX 10 min2.govcert.nl.
;; AUTHORITY SECTION:
ncsc.nl. 60 IN NS ns1.xb.nl.
ncsc.nl. 60 IN NS ns2.xb.nl.
;; ADDITIONAL SECTION:
min1.govcert.nl. 60 IN A 193.172.9.50
min2.govcert.nl. 60 IN A 193.172.9.51
min3.govcert.nl. 60 IN A 31.161.17.13
min4.govcert.nl. 60 IN A 31.161.17.14
min5.govcert.nl. 60 IN A 217.169.231.54
smtp.espritxb.nl. 60 IN A 80.248.34.142
smtp.espritxb.nl. 60 IN A 80.248.34.141
ns1.xb.nl. 300 IN A 80.248.34.15
ns2.xb.nl. 300 IN A 212.67.179.100
;; Query time: 39 msec
;; SERVER: 212.67.179.100#53(212.67.179.100)
;; WHEN: Fri Jan 18 13:02:08 2013
;; MSG SIZE rcvd: 362
large additional section

minimal responses
configure "minimal-responses" in BIND 9
options {
minimal-responses yes;
};
BIND 9 will only return the data
required for the DNS protocol
to work; this reduces the
"ammo" available to attackers
Figure: minimal responses enabled during an attack
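To put numbers on the "ammo" argument, here is an added example that is not part of the webinar: a parser for dig output that computes the amplification factor of a response relative to the EDNS0 query dig sends, lists the authority and additional records that minimal-responses yes would drop from a positive answer, and checks the AD flag that the DNSSEC slides use for the validation test. The sample response is the ncsc.nl MX answer shown above; the query size is computed from the wire format of the question (12-byte header, QNAME, QTYPE/QCLASS and the 11-byte OPT record), so it is an approximation for clients that add further EDNS options.

```python
"""Measure what a DNS answer hands to a reflection attacker.

Added example, not code from the webinar.  It parses the text output of dig,
computes the UDP query size from the question name (EDNS0, as dig sends it)
and reports the amplification factor, the records minimal-responses would
drop, and whether the AD flag was set.  SAMPLE is the ncsc.nl MX answer
shown on the slide above.
"""
import re

SAMPLE = """\
; <<>> DiG 9.9.2-vjs287.12 <<>> @ns2.xb.nl. mx ncsc.nl
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60070
;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 2, ADDITIONAL: 10
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ncsc.nl. IN MX
;; ANSWER SECTION:
ncsc.nl. 60 IN MX 20 min3.govcert.nl.
ncsc.nl. 60 IN MX 20 min4.govcert.nl.
ncsc.nl. 60 IN MX 30 min5.govcert.nl.
ncsc.nl. 60 IN MX 40 smtp.espritxb.nl.
ncsc.nl. 60 IN MX 10 min1.govcert.nl.
ncsc.nl. 60 IN MX 10 min2.govcert.nl.
;; AUTHORITY SECTION:
ncsc.nl. 60 IN NS ns1.xb.nl.
ncsc.nl. 60 IN NS ns2.xb.nl.
;; ADDITIONAL SECTION:
min1.govcert.nl. 60 IN A 193.172.9.50
min2.govcert.nl. 60 IN A 193.172.9.51
min3.govcert.nl. 60 IN A 31.161.17.13
min4.govcert.nl. 60 IN A 31.161.17.14
min5.govcert.nl. 60 IN A 217.169.231.54
smtp.espritxb.nl. 60 IN A 80.248.34.142
smtp.espritxb.nl. 60 IN A 80.248.34.141
ns1.xb.nl. 300 IN A 80.248.34.15
ns2.xb.nl. 300 IN A 212.67.179.100
;; Query time: 39 msec
;; SERVER: 212.67.179.100#53(212.67.179.100)
;; MSG SIZE rcvd: 362
"""


def parse_dig(text):
    """Return {'flags': [...], 'sections': {name: [rr, ...]}, 'size': int}."""
    out = {"flags": [], "sections": {}, "size": None}
    section = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r";; flags: ([^;]*);", line)
        if m:
            out["flags"] = m.group(1).split()
            continue
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)
            out["sections"][section] = []
            continue
        m = re.match(r";; MSG SIZE\s+rcvd: (\d+)", line)
        if m:
            out["size"] = int(m.group(1))
            continue
        if section and line and not line.startswith(";"):
            parts = line.split()            # owner ttl class type rdata...
            if len(parts) < 4:
                continue
            out["sections"][section].append(
                {"name": parts[0], "ttl": int(parts[1]), "type": parts[3],
                 "rdata": " ".join(parts[4:])})
    return out


def query_size(qname, edns=True):
    """Wire size of the UDP query dig sends: 12-byte header, QNAME, QTYPE/QCLASS,
    plus the 11-byte OPT pseudo-RR when EDNS0 is used (dig's default)."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    size = 12 + sum(len(l) + 1 for l in labels) + 1 + 4
    return size + 11 if edns else size


def amplification(dig_text, qname):
    """Response bytes per query byte: what one spoofed query buys the attacker."""
    return parse_dig(dig_text)["size"] / query_size(qname)


def dropped_by_minimal_responses(parsed):
    """For a positive answer (not a delegation), minimal-responses yes leaves
    AUTHORITY and ADDITIONAL empty; these are the records that would go."""
    s = parsed["sections"]
    return s.get("AUTHORITY", []) + s.get("ADDITIONAL", [])


def dnssec_validated(dig_text):
    """True when the resolver set AD (authentic data), as in 'dig soa . +adflag'."""
    return "ad" in parse_dig(dig_text)["flags"]


if __name__ == "__main__":
    r = parse_dig(SAMPLE)
    print("response %d bytes, query %d bytes, amplification x%.1f"
          % (r["size"], query_size("ncsc.nl"), amplification(SAMPLE, "ncsc.nl")))
    for rr in dropped_by_minimal_responses(r):
        print("would be dropped:", rr["name"], rr["type"], rr["rdata"])
    print("AD flag set:", dnssec_validated(SAMPLE))
```

Run it against your own `dig` output to see how much of a response is authority and additional data that minimal-responses would remove; the factor is what the reflection figure above multiplies the attacker's bandwidth by.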

minimal "ANY"
© ISC http://www.isc.org
Minimal ANY
• a BIND 9 server getting a query with type ANY
(QTYPE 255) will answer with all records matching
the requested domain name and class
• this can create large UDP DNS answer packets
;; QUESTION SECTION:
;menandmice.com. IN ANY
;; ANSWER SECTION:
menandmice.com. 86400 IN SOA dns1.menandmice.com. hostmaster.menandmice.com. 2016052701 900 300 604800 900
menandmice.com. 3600 IN TXT "HhnTdT3K"
menandmice.com. 3600 IN TXT "MS=ms81797768"
menandmice.com. 3600 IN TXT "v=spf1 include:spf.protection.outlook.com a:smtp.menandmice.is a:support.menandmice.com a:otrs.menandmice.com a:imap2.skyrr.is a:mx.hysing.is ~all"
ns2.c.is. 84985 IN A 213.176.143.102
dns1.menandmice.com. 171385 IN A 217.151.171.7
dns2.menandmice.com. 171385 IN A 217.151.171.21
dns3.menandmice.com. 171385 IN A 45.79.153.125
[…]
;; Query time: 97 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 15 10:49:15 CEST 2016
;; MSG SIZE rcvd: 719
DNS answer size: 719 bytes

Minimal ANY
• starting with BIND 9.11, BIND 9 can be configured
to answer an ANY query over UDP with only one of the
RRsets for the name (plus its RRSIGs); queries over TCP
still get the full answer
• this mitigates the problem without causing (too
much) breakage of older software (qmail etc.)
options {
minimal-any yes;
};

Minimal ANY
• same query as before with minimal-any enabled:
# dig menandmice.com any
; <<>> DiG 9.11.0b3 <<>> menandmice.com any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32396
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: f0a6921ce7023ebc646d789357b1837a0962c60d534b251e (good)
;; QUESTION SECTION:
;menandmice.com. IN ANY
;; ANSWER SECTION:
menandmice.com. 86033 IN SOA dns1.menandmice.com. hostmaster.menandmice.com. 2016052701 900 300 604800 900
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 15 10:55:22 CEST 2016
;; MSG SIZE rcvd: 123
DNS answer size: 123 < 719 bytes

Platform for BIND 9
OS platform to run BIND 9
• choose an operating system you as an administrator
are most familiar with
• Linux, Solaris, OpenBSD, FreeBSD, NetBSD,
DragonflyBSD, Windows, AIX, HP-UX, Minix 3,
MacOS X
• all work well if configured correctly
• choose a version that still receives security patches

Minimal Installs
• choose a minimal footprint install
• no GUI
• no unnecessary software (databases, webserver, mailserver,
development tools, scripting languages)
• minimize the sockets open to the Internet
• port 53 - DNS
• port 22 - SSH for remote administration, restricted to your
management network (no RDP, VNC or TeamViewer)
• port 123 - Network Time Protocol (NTP)
• Precision Time Protocol (PTP) might be an alternative
(https://en.wikipedia.org/wiki/Precision_Time_Protocol)

plan for recovery
• after detecting a security breach, don't put the compromised
system(s) back into service
• have a plan to rebuild your services
• configuration orchestration tools (Ansible, SaltStack,
Puppet, CFEngine …) or container management tools
(Docker) can be of great help
• only restore data from backup, no executable content (no
programs, scripts)
• peer-review scripts and configuration with a colleague/
service partner

Hidden Primary
• consider a hidden primary DNS setup for zone
management
Figure: a hidden management master on the internal network
feeds zone transfers to the servers in the DMZ that are
visible to the Internet

monitoring
• monitor your DNS server for uptime and content
• AA-flag responses for zones on authoritative
servers
• AD-flag responses for important query answers
from a DNS resolver
• more on DNS/DNSSEC monitoring (including tools)
in an upcoming webinar in 2016

process image hardening
process image hardening
Linux (and other modern Unix systems) program
binaries can be hardened at compile time
• unfortunately, not all distributions enable these
security features

process image hardening
some available features:
• RELRO - read-only relocations
• PIE - Position Independent Executables
• ASLR - Address Space Layout Randomization (needs PIE to
cover the main binary, not just the shared libraries)
• Fortify Source - additional security checks added by the compiler
• Stack protector/stack canary - detect and mitigate stack overflow attacks
• NX - software/hardware "Non-Executable" memory tagging
• see Compiler options for creating secure DNS Server binaries (on
Linux)
https://dnsworkshop.org/roller/dnsworkshop/entry/compiler_options_for_creating_secure

process image hardening
CheckSec script:
http://www.trapkit.de/tools/checksec.html
# wget http://www.trapkit.de/tools/checksec.sh
# bash ./checksec.sh --file /usr/sbin/named
RELRO        STACK CANARY   NX           PIE           RPATH      RUNPATH      FILE
Full RELRO   Canary found   NX enabled   PIE enabled   No RPATH   No RUNPATH   /usr/sbin/named
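Behind the checksec output above are a handful of ELF header fields. The following added example (not the checksec script from the slide and not BIND code) reads them directly: e_type for PIE, the PT_GNU_STACK flags for NX, PT_GNU_RELRO plus the BIND_NOW request in the dynamic section for full versus partial RELRO, and a substring heuristic for the stack canary. It handles little-endian ELF64 only and ships with a constructed, header-only sample image; pass a path such as /usr/sbin/named to check a real binary.

```python
"""What checksec reads from an ELF binary, done by hand: PIE (ET_DYN), NX
(PT_GNU_STACK without PF_X), RELRO (PT_GNU_RELRO; 'full' when the dynamic
section requests BIND_NOW) and a stack-canary heuristic.

Added example, not the checksec.sh script from the slide and not BIND code.
Little-endian ELF64 only; build_sample_elf() constructs a test image.
"""
import struct
import sys

ET_DYN, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 3, 2, 0x6474E551, 0x6474E552
PF_X = 1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def checksec(data):
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    phoff = struct.unpack_from("<Q", data, 32)[0]
    phentsize, phnum = struct.unpack_from("<HH", data, 54)
    nx, relro, dynamic = False, False, None
    for n in range(phnum):
        p_type, p_flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, phoff + n * phentsize)
        if p_type == PT_GNU_STACK:
            nx = not p_flags & PF_X         # no PT_GNU_STACK at all = executable stack
        elif p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    bind_now = False
    if dynamic:
        off, end = dynamic[0], dynamic[0] + dynamic[1]
        while off + 16 <= end:
            tag, val = struct.unpack_from("<qQ", data, off)
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                bind_now = True
            off += 16
    return {
        "pie": e_type == ET_DYN,        # a shared library is ET_DYN too; checksec tells them apart
        "nx": nx,
        "relro": "full" if relro and bind_now else "partial" if relro else "none",
        "canary": b"__stack_chk_fail" in data,   # heuristic: symbol name in the string table
    }


def build_sample_elf(pie=True, nx=True, relro="full", canary=True):
    """Constructed header-only ELF64 image (not loadable) with the chosen properties."""
    phnum, phoff = 3, 64
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if relro == "full" else b""
    dyn += struct.pack("<qQ", DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else 2, 62, 1, 0,
                               phoff, 0, 0, 64, 56, phnum, 64, 0, 0)
    ph = struct.pack("<IIQQQQQQ", PT_GNU_STACK, 6 if nx else 7, 0, 0, 0, 0, 0, 16)
    ph += struct.pack("<IIQQQQQQ", PT_GNU_RELRO if relro != "none" else 1, 4, 0, 0, 0, 0, 0, 1)
    ph += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, phoff + phnum * 56, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + ph + dyn + (b"__stack_chk_fail\x00" if canary else b"")


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for key, value in checksec(data).items():
        print("%-7s %s" % (key, value))
```

The canary check is the weakest of the four: checksec greps the symbol table for `__stack_chk_fail`, which a substring scan approximates; the other three are read straight from the program headers and the dynamic section, which is exactly what the loader uses.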

BIND 9 access control
BIND 9 access control
for a DNS resolver without zones, restrict the
networks that can use the resolver
options {
allow-query { networkblock-acl; };
};

BIND 9 access control
for a BIND 9 server running as a resolver with
authoritative zones, restrict the networks that can
send recursive queries to the resolver
options {
allow-recursion { networkblock-acl; };
};
• if allow-recursion is not set, BIND derives it from
allow-query-cache and then from allow-query, so an
"allow-query { any; };" on its own leaves recursion open
to everyone

BIND 9 access control
on an authoritative-only server, disable recursion
options {
recursion no;
};
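The rules on the access-control slides above, together with the separation, DNSSEC-validation, minimal-responses and minimal-any recommendations from earlier slides, can be checked mechanically against a named.conf. The following is an added example written for this page, not the webinar's or ISC's code: a small audit script that parses the flat statements used on the slides and reports which recommendations a configuration misses. It applies the fallback BIND documents for an unset allow-recursion (allow-query-cache, then allow-query, then localnets and localhost), which is what turns an "allow-query { any; }" without allow-recursion into an open resolver. The sample configurations are constructed; include files, views and controls blocks are out of scope.

```python
"""Audit a named.conf for the access-control settings on these slides.

Added example, not code from the webinar or from ISC.  It understands the
flat statements used on the slides only: no include files, views or
controls.  effective_recursion_acl() follows the fallback chain the BIND
ARM documents for allow-recursion.
"""
import re

_COMMENT_RE = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)
_OPEN = {"any", "0.0.0.0/0", "::/0"}       # ACL elements that mean "everyone"


def _body(conf, open_brace):
    """Text between the brace at index open_brace and its matching close."""
    depth = 0
    for i in range(open_brace, len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        if depth == 0:
            return conf[open_brace + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def _value(block, key):                    # "recursion no;" -> "no"
    m = re.search(r"(?<![\w-])%s\s+([\w-]+)\s*;" % key, block)
    return m.group(1) if m else None


def _acl(block, key):                      # "allow-query { a; b; };" -> ["a", "b"]
    m = re.search(r"(?<![\w-])%s\s*\{" % key, block)
    if not m:
        return None                        # not set: BIND's default applies
    return [t.strip() for t in _body(block, m.end() - 1).split(";") if t.strip()]


def parse_named_conf(conf):
    conf = _COMMENT_RE.sub("", conf)
    m = re.search(r"(?<![\w-])options\s*\{", conf)
    opts = _body(conf, m.end() - 1) if m else ""
    s = {k: _value(opts, k) for k in
         ("recursion", "minimal-responses", "minimal-any", "dnssec-validation")}
    s.update({k: _acl(opts, k) for k in
              ("allow-query", "allow-query-cache", "allow-recursion", "allow-transfer")})
    s["auth_zones"] = [z.group(1) for z in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', conf)
                       if re.search(r"(?<![\w-])type\s+(master|primary|slave|secondary)\s*;",
                                    _body(conf, z.end() - 1))]
    return s


def effective_recursion_acl(s):
    """allow-recursion -> allow-query-cache -> allow-query -> localnets; localhost"""
    for key in ("allow-recursion", "allow-query-cache", "allow-query"):
        if s[key] is not None:
            return s[key]
    return ["localnets", "localhost"]


def audit(conf):
    s = parse_named_conf(conf)
    recursive = s["recursion"] != "no"     # BIND's default is recursion yes
    authoritative = bool(s["auth_zones"])
    findings = []
    if recursive and authoritative:
        findings.append(("hybrid", "recursion plus authoritative zones: separate the two functions"))
    if recursive:
        acl = effective_recursion_acl(s)
        if _OPEN & set(acl):
            findings.append(("open-recursion", "open resolver: effective recursion ACL is %s" % acl))
        if s["dnssec-validation"] not in ("auto", "yes"):
            findings.append(("validation", "enable dnssec-validation on the resolver"))
        if not authoritative and (s["allow-query"] is None or _OPEN & set(s["allow-query"])):
            findings.append(("open-query", "resolver without zones: restrict allow-query"))
    if authoritative:
        if s["allow-transfer"] is None or _OPEN & set(s["allow-transfer"]):
            findings.append(("transfer", "restrict allow-transfer to secondaries / TSIG keys"))
        if s["minimal-any"] != "yes":
            findings.append(("minimal-any", "set minimal-any yes (BIND 9.11+)"))
    if s["minimal-responses"] != "yes":
        findings.append(("minimal-responses", "set minimal-responses yes"))
    return findings


# Constructed sample configurations (not from the webinar).
WEAK = """
options {
    directory "/var/named";
    allow-query { any; };   // no allow-recursion: recursion falls back to this ACL
};
zone "example.com" { type master; file "example.com.zone"; };
"""
RESOLVER = """
options {
    recursion yes;
    allow-query { localnets; localhost; };
    allow-recursion { localnets; localhost; };
    dnssec-validation auto;
    minimal-responses yes;
};
zone "." { type hint; file "root.hints"; };
"""
AUTHORITATIVE = """
options {
    recursion no;
    allow-transfer { key "tsig-server01-server02"; };
    minimal-responses yes;
    minimal-any yes;
};
zone "example.com" {
    type master; file "example.com.zone";
    allow-transfer { key "tsig-server01-server02"; };
};
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("resolver", RESOLVER), ("authoritative", AUTHORITATIVE)):
        print(name, [code for code, _ in audit(conf)] or "OK")
```

The WEAK sample is the classic hybrid server: one zone, recursion left at its default, and an open allow-query that silently becomes the recursion ACL; the other two samples are the separated resolver and authoritative-only configurations the slides recommend and produce no findings.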

BIND 9 access control
on an authoritative server, secure zone transfers and
updates with TSIG (use the tsig-keygen utility)
key "tsig-server01-server02" {
algorithm hmac-sha256;
secret "JlI8ARXJmNGWj4A4YEezpBqX1hPTYqF2sBJmAmp+uRY=";
};
server 2001:db8:100::/64 {
keys { "tsig-server01-server02"; };
};
TSIG signs SOA queries, notifies and zone transfers;
the server statement makes requests sent to that peer
signed, so also require the key in allow-transfer /
allow-update to reject unsigned requests
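What TSIG actually signs, as an added example that is not part of the webinar or of BIND: the key clause tsig-keygen produces, the HMAC-SHA256 MAC over the DNS message plus the TSIG variables from RFC 8945, and the verification the receiving server performs (BADSIG on a tampered message or wrong key, BADTIME outside the fudge window). The query builder is deliberately minimal (no name compression); the key name tsig-server01-server02 is reused from the slide, and the peer is assumed to be a BIND server configured with the same key clause.

```python
"""TSIG (RFC 8945) with HMAC-SHA256, end to end: generate a key clause like
tsig-keygen does, sign a DNS request, verify it on the other side.

Added example, not the webinar's code and not BIND's.  The query builder is
minimal (no name compression); the key name is taken from the slide.
"""
import base64, hashlib, hmac, secrets, struct, time

ALGORITHM = "hmac-sha256."        # TSIG algorithm names are domain names


def generate_key_clause(name, nbytes=32):
    """What `tsig-keygen -a hmac-sha256 <name>` prints: a named.conf key clause."""
    secret = secrets.token_bytes(nbytes)
    clause = 'key "%s" {\n\talgorithm hmac-sha256;\n\tsecret "%s";\n};' % (
        name, base64.b64encode(secret).decode())
    return secret, clause


def wire_name(name):
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_query(qname, qtype, msg_id):
    """A plain query, e.g. the SOA query a secondary sends before a transfer."""
    return struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0) + wire_name(qname) + struct.pack("!HH", qtype, 1)


def _time48(t):                         # "time signed" is a 48-bit field
    return struct.pack("!HI", t >> 32, t & 0xFFFFFFFF)


def _tsig_variables(keyname, time_signed, fudge, error=0, other=b""):
    """RFC 8945 4.3.3: key name, class ANY, TTL 0, then RDATA minus MAC and ID."""
    return (wire_name(keyname.lower()) + struct.pack("!HI", 255, 0) + wire_name(ALGORITHM)
            + _time48(time_signed) + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(message, keyname, secret, time_signed=None, fudge=300):
    """Append the TSIG RR as the last additional record; returns (signed, mac)."""
    t = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(secret, message + _tsig_variables(keyname, t, fudge), hashlib.sha256).digest()
    orig_id, arcount = struct.unpack("!H", message[:2])[0], struct.unpack("!H", message[10:12])[0]
    rdata = (wire_name(ALGORITHM) + _time48(t) + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", orig_id, 0, 0))
    rr = wire_name(keyname) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    return message[:10] + struct.pack("!H", arcount + 1) + message[12:] + rr, mac


def _skip_name(buf, i):                 # handles compression pointers
    while buf[i]:
        if buf[i] & 0xC0 == 0xC0:
            return i + 2
        i += buf[i] + 1
    return i + 1


def _read_name(buf, i):                 # TSIG names are never compressed
    labels = []
    while buf[i]:
        labels.append(buf[i + 1:i + 1 + buf[i]].decode())
        i += buf[i] + 1
    return ".".join(labels) + ".", i + 1


def tsig_verify(signed, secret, now=None):
    """Recompute the MAC over the message as it was before the TSIG RR was added."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    i = 12
    for _ in range(qd):
        i = _skip_name(signed, i) + 4
    for _ in range(an + ns + ar - 1):   # skip every RR but the last one
        i = _skip_name(signed, i)
        i += 10 + struct.unpack("!H", signed[i + 8:i + 10])[0]
    start = i
    name, i = _read_name(signed, i)
    rtype, rclass, _ttl, _rdlen = struct.unpack("!HHIH", signed[i:i + 10]); i += 10
    alg, i = _read_name(signed, i)
    hi, lo, fudge, mac_size = struct.unpack("!HIHH", signed[i:i + 10]); i += 10
    mac = signed[i:i + mac_size]; i += mac_size
    orig_id, error, other_len = struct.unpack("!HHH", signed[i:i + 6]); i += 6
    other = signed[i:i + other_len]
    if rtype != 250 or rclass != 255 or alg.lower() != ALGORITHM:
        return False, "BADKEY"
    time_signed = (hi << 32) | lo
    original = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:start]
    expected = hmac.new(secret, original + _tsig_variables(name, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG"
    if abs((int(time.time()) if now is None else now) - time_signed) > fudge:
        return False, "BADTIME"
    return True, "ok"


if __name__ == "__main__":
    secret, clause = generate_key_clause("tsig-server01-server02")
    print(clause)
    query = build_query("example.com", 6, msg_id=0x1234)          # SOA query
    signed, _ = tsig_sign(query, "tsig-server01-server02", secret)
    print(tsig_verify(signed, secret))
    tampered = bytearray(signed); tampered[13] ^= 0x20               # flip a bit in the QNAME
    print(tsig_verify(bytes(tampered), secret))
```

Two details matter in practice and are visible in the code: the MAC covers the whole message plus the key name, algorithm and time, so both sides need synchronised clocks (hence the NTP port in the minimal-install slide), and the MAC is checked with a constant-time compare before the time window so that a forged message never learns which check it failed.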

local private top level domain
private top level domain
using a local private top level domain for the
internal DNS namespace is a BAD IDEA™
examples:
• .company
• .local (collides with mDNS)
• .lan
• .work

private top level domain
problems with private top level domains:
• not delegated from the official root — creates
delegation and lookup issues
• authenticated denial of existence from the ROOT
— DNSSEC proves that the domain is not delegated, so a
validating resolver rejects it
• data leaks (internal names in queries that reach the Internet)
• possible collisions with new official top level
domains

Empty Zones
The root server system sees a high number of queries for
non-delegated TLDs

best practice for local namespace
if you need a private DNS namespace for internal use
• register a second level domain on the Internet
• there is now an abundance of choice thanks to the new
TLDs — even short names
• not expensive (9 - 50 US$/year)
• delegate the zone to a dummy (empty) zone on the
Internet (many registrars provide this "out-of-the-box")
• use the domain for your internal namespace

next @ Men & Mice
Upcoming training classes
KEA-DHCP
October 13 – 14, 2016 - West Coast, USA
October 17 – 18, 2016 - East Coast, USA
November 21 – 22, 2016 - Amsterdam, The Netherlands
Two days - Hands-On class
US$ 1795
https://www.menandmice.com/support-training/training/kea-dhcp-training/

more training
• October 3 – 5, 2016 Introduction to DNS & BIND
Hands-On class Arlington (VA), USA
• October 3 – 7, 2016 Introduction & Advanced DNS
and BIND Topics Hands-on class Arlington (VA), USA
• October 5 – 7, 2016 DNSSEC Technical Workshop –
Implementation and Deployment Arlington (VA), USA
• October 10-14, 2014 "DNS und BIND / DNS
Sicherheit" (German) @ Linuxhotel, Essen, Germany
https://www.menandmice.com/support-training/training/

our next webinars
We are working on a couple of new webinars for Q3/Q4
2016, dates will be announced soon
in the pipeline:
• "DNS reconnaissance" - fighting spam with DNS
monitoring data
• DNS and DNSSEC monitoring
• DNS high availability tools
https://www.menandmice.com/resources/educational-resources/webinars/

Thank you!
Questions? Comments?