
A secure BIND 9 – best practices

8,984 views


It goes without saying that DNS is only as secure as its servers. To ensure the successful and secure operation of a DNS server, secure configuration is paramount.

Topics of discussion include:

- "chroot" vs. "container"
- separating resolving and authoritative services for security
- BIND 9 configuration hardening
- monitoring BIND 9 for security issues

Published in: Technology


  1. BIND 9 Security best practices: 10 ways to improve your BIND 9 security
  2. © Men & Mice http://menandmice.com
     BIND 9 Security: a collection of security best practice tips from the Men & Mice services team
     • this is no exhaustive list, but a good start
     • if you have an important tip we've missed in this webinar, let us know on Twitter @menandmice (and we will retweet)
  3. Keep BIND 9 "up-to-date"
  4. keeping BIND 9 up-to-date: from time to time there are security vulnerabilities in BIND 9
     • update BIND 9 via the package manager of your Linux/Unix
     • also monitor security of BIND 9 library dependencies (openssl, libxml2)
     • the ISC announcement mailing list is a good source for BIND 9 security related information
  5. keeping BIND 9 up-to-date: keep your BIND 9 software up-to-date
     • if BIND 9 is not updated by the OS vendor (e.g. MacOS X), use a cross-platform package manager
       • pkgsrc: https://www.pkgsrc.org
       • Nix: https://nixos.org/nix/
     • subscribe to the BIND 9 announce mailing list (low volume, new versions and security announcements only)
       https://lists.isc.org/mailman/listinfo/bind-announce
  6. keeping BIND 9 up-to-date: consider using a new(er) version of BIND 9
     • new security features (like DNSSEC negative trust anchors)
     • newer/better crypto algorithms for DNSSEC/TSIG
       • HMAC-SHA256 for TSIG
       • new elliptic curves for DNSSEC signatures
     • new privacy features (QNAME minimisation, DNS over TLS ...)
  7. Separating authoritative and recursive DNS
  8. Separating authoritative and recursive DNS: authoritative DNS server and DNS resolver are separate functions in the DNS infrastructure
     • they have different security requirements
     • while BIND 9 can operate in "hybrid" mode (default), it is strongly recommended to separate the two functions
     • can run on the same hardware with operating system containers or virtualization
  9. Functions of a DNS Server (diagram: one server holding authoritative data, cached data and the smart resolver)
 10. 2 Functions of a DNS Server (diagram: an authoritative DNS server with the authoritative data, and a separate caching DNS server with the cached data and the smart resolver)
 11. Separating authoritative and recursive DNS: benefits of separate authoritative and recursive DNS
     • required for DNSSEC validation of own zones
     • security configuration optimised for the function (for example query ACLs)
     • helps troubleshooting (logging)
     • easier maintenance (updates)
 12. process isolation
 13. process isolation: chroot is the classic process isolation function in Unix operating systems
     • chroot confines a process into a subtree of the filesystem
     • in a proper chroot setup, the process cannot access files outside the chroot subtree
 14. process isolation: full Unix filetree view (diagram)
       /
       /dev
       /etc
       /bin
       /sbin
       /usr
       /var/chroot
           /etc
           /dev
           /var/named
 15. process isolation: files and directories seen by the chrooted process (diagram; /var/chroot becomes the process's "/", the host's /dev, /etc, /bin, /sbin and /usr are not visible)
       /
       /dev
       /etc
       /var/named
 16. process isolation: chrooting BIND 9 is easy (compared with other daemon processes or BIND 4/8):
       named -t /var/named
     (the argument of -t is the chroot directory)
     • all files BIND 9 needs during operation must be located inside the chroot directory
     • all file references in the BIND 9 configuration file are relative to the chroot
     • this is a source of confusion for some admins
 17. process isolation: shortcomings of the chroot function
     • chroot was never designed as a security feature
     • a real "root" user (UID 0) can find ways to break out of the chroot
     • isolation is only on the filesystem level, not on process, environment and network level
 18. process isolation: modern alternatives to chroot
     • GRSecurity Linux-Kernel enhanced chroot: https://grsecurity.net/features.php
     • Container virtualization:
       • Linux container (LXC, LXD, docker, firejail, systemd-nspawn)
       • FreeBSD "jails"
       • Solaris/illumos "zones"
 19. process isolation: benefits of modern alternatives
     • process, environment and network isolation
     • manageability
     • separation of application (BIND 9 DNS server and utilities) and data (zonefiles, configuration)
     • enables quick clean rebuild after intrusion
 20. DNSSEC
 21. DNSSEC: classic DNS is vulnerable to a large number of attacks on the content of DNS answers
     • DNSSEC (digital signatures on DNS data) guards against many of these attacks
     • the DNS root-zone, all gTLDs and nTLDs and many ccTLDs are DNSSEC signed
     • many second level domains are also DNSSEC secured
 22. DNSSEC: BIND 9 comes with a trust-anchor for the Internet Root-Zone built-in
     • DNSSEC validation can be enabled with just one line of configuration:
       options {
           dnssec-validation auto;
       };
 23. DNSSEC: enable DNSSEC validation on a DNS resolver
     • test that DNSSEC validation is enabled:
       # rndc validation check
       DNSSEC validation is enabled (view _default)

       # dig soa . @127.0.0.1 +adflag
       ; <<>> DiG 9.11.0 <<>> soa . @127.0.0.1 +adflag
       ;; global options: printcmd
       ;; Got answer:
       ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46337
       ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
     (AD = authentic data)
 24. DNSSEC: consider DNSSEC signing your zones
     • modern BIND 9 versions make DNSSEC signing and management easy
     • the Men & Mice DNSSEC workshop training gives you a place to learn, test DNSSEC and build routine
     • management can be automated (dnssec-keymgr, CDS/CDNSKEY)
     • never store private key material on a DNS server exposed to the Internet!
 25. minimal responses
 26. minimal responses: RFC 1034 defines the additional section in a DNS answer as "Carries RRs which may be helpful in using the RRs in the other sections."
     • in the default configuration, BIND 9 tries to be very helpful, sending additional information ...
     • ... creating larger than needed DNS answer packets
     • this is sometimes exploited by attackers in distributed denial of service attacks
 27. minimal responses (diagram): DNS is UDP, "stateless" communication; source IP addresses can be spoofed. A query with a "spoofed" source IP address is sent to some DNS server on the Internet, and the answer is delivered to the owner of the "spoofed" IP address.
 28. minimal responses (diagram): there are many, many DNS servers to be found in the Internet
 29. minimal responses: example of a large additional section
       % dig @ns2.xb.nl. mx ncsc.nl
       ; <<>> DiG 9.9.2-vjs287.12 <<>> @ns2.xb.nl. mx ncsc.nl
       ; (1 server found)
       ;; global options: +cmd
       ;; Got answer:
       ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60070
       ;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 2, ADDITIONAL: 10
       ;; WARNING: recursion requested but not available

       ;; OPT PSEUDOSECTION:
       ; EDNS: version: 0, flags:; udp: 4096
       ;; QUESTION SECTION:
       ;ncsc.nl. IN MX

       ;; ANSWER SECTION:
       ncsc.nl. 60 IN MX 20 min3.govcert.nl.
       ncsc.nl. 60 IN MX 20 min4.govcert.nl.
       ncsc.nl. 60 IN MX 30 min5.govcert.nl.
       ncsc.nl. 60 IN MX 40 smtp.espritxb.nl.
       ncsc.nl. 60 IN MX 10 min1.govcert.nl.
       ncsc.nl. 60 IN MX 10 min2.govcert.nl.

       ;; AUTHORITY SECTION:
       ncsc.nl. 60 IN NS ns1.xb.nl.
       ncsc.nl. 60 IN NS ns2.xb.nl.

       ;; ADDITIONAL SECTION:
       min1.govcert.nl. 60 IN A 193.172.9.50
       min2.govcert.nl. 60 IN A 193.172.9.51
       min3.govcert.nl. 60 IN A 31.161.17.13
       min4.govcert.nl. 60 IN A 31.161.17.14
       min5.govcert.nl. 60 IN A 217.169.231.54
       smtp.espritxb.nl. 60 IN A 80.248.34.142
       smtp.espritxb.nl. 60 IN A 80.248.34.141
       ns1.xb.nl. 300 IN A 80.248.34.15
       ns2.xb.nl. 300 IN A 212.67.179.100

       ;; Query time: 39 msec
       ;; SERVER: 212.67.179.100#53(212.67.179.100)
       ;; WHEN: Fri Jan 18 13:02:08 2013
       ;; MSG SIZE rcvd: 362
 30. minimal responses: configure "minimal-responses" in BIND 9
       options {
           minimal-responses yes;
       };
     BIND 9 will only return the data required for the DNS protocol to work; this reduces the "ammo" available to attackers (graph: minimal responses enabled during an attack)
 31. minimal "ANY"
 32. © ISC http://www.isc.org
     Minimal ANY
     • a BIND 9 server getting a query with type ANY (QTYPE 255) will answer with all records matching the requested domain name and class
     • this can create large UDP DNS answer packets (DNS answer size):
       ;; QUESTION SECTION:
       ;menandmice.com. IN ANY

       ;; ANSWER SECTION:
       menandmice.com. 86400 IN SOA dns1.menandmice.com. hostmaster.menandmice.com. 2016052701 900 300 604800 900
       menandmice.com. 3600 IN TXT "HhnTdT3K"
       menandmice.com. 3600 IN TXT "MS=ms81797768"
       menandmice.com. 3600 IN TXT "v=spf1 include:spf.protection.outlook.com a:smtp.menandmice.is a:support.menandmice.com a:otrs.menandmice.com a:imap2.skyrr.is a:mx.hysing.is ~all"
       ns2.c.is. 84985 IN A 213.176.143.102
       dns1.menandmice.com. 171385 IN A 217.151.171.7
       dns2.menandmice.com. 171385 IN A 217.151.171.21
       dns3.menandmice.com. 171385 IN A 45.79.153.125
       […]
       ;; Query time: 97 msec
       ;; SERVER: 127.0.0.1#53(127.0.0.1)
       ;; WHEN: Mon Aug 15 10:49:15 CEST 2016
       ;; MSG SIZE rcvd: 719
 33. Minimal ANY
     • starting with BIND 9.11, BIND 9 can be configured to only return the first entry of a matching ANY query
     • this mitigates the problem without causing (too much) breakage of older software (qmail etc):
       options {
           minimal-any yes;
       };
 34. Minimal ANY: same query as before with minimal-any enabled (DNS answer size 123 < 719 bytes)
       # dig menandmice.com any
       ; <<>> DiG 9.11.0b3 <<>> menandmice.com any
       ;; global options: +cmd
       ;; Got answer:
       ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32396
       ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
       ;; OPT PSEUDOSECTION:
       ; EDNS: version: 0, flags:; udp: 4096
       ; COOKIE: f0a6921ce7023ebc646d789357b1837a0962c60d534b251e (good)
       ;; QUESTION SECTION:
       ;menandmice.com. IN ANY
       ;; ANSWER SECTION:
       menandmice.com. 86033 IN SOA dns1.menandmice.com. hostmaster.menandmice.com. 2016052701 900 300 604800 900
       ;; Query time: 0 msec
       ;; SERVER: 127.0.0.1#53(127.0.0.1)
       ;; WHEN: Mon Aug 15 10:55:22 CEST 2016
       ;; MSG SIZE rcvd: 123
 35. Platform for BIND 9
 36. OS platform to run BIND 9
     • choose an operating system you as an administrator are most familiar with
     • Linux, Solaris, OpenBSD, FreeBSD, NetBSD, DragonflyBSD, Windows, AIX, HP-UX, Minix 3, MacOS X: all work well if configured correctly
     • choose a version that still receives security patches
 37. Minimal Installs
     • choose a minimal footprint install
       • no GUI
       • no unnecessary software (databases, webserver, mailserver, development tools, scripting languages)
     • minimize the open sockets to the Internet
       • Port 53 - DNS
       • Port 22 - SSH for remote administration (no RDP, VNC or TeamViewer)
       • Port 123 - Network Time Protocol (NTP)
         • Precision Time Protocol (PTP) might be an alternative (https://en.wikipedia.org/wiki/Precision_Time_Protocol)
 38. plan for recovery
     • after detecting a security breach, don't put the compromised system(s) back in business
     • have a plan to rebuild your services
     • configuration orchestration tools (Ansible, SaltStack, Puppet, cfengine ...) or container management tools (Docker) can be of great help
     • only restore data from backup, no executable content (no programs, scripts)
     • peer-review scripts and configuration with a colleague/service partner
 39. Hidden Primary
     • consider a hidden primary DNS setup for zone management (diagram: Internet / DMZ / Internal Network; the hidden management master on the internal network transfers the zone to the server in the DMZ that is visible to the Internet)
 40. OS platform to run BIND 9
     • monitor your DNS server for uptime and content
       • AA-Flag responses for zones on authoritative servers
       • AD-Flag responses for important query answers from a DNS resolver
     • more on DNS/DNSSEC monitoring (including tools) in an upcoming Webinar in 2016
 41. process image hardening
 42. process image hardening: Linux (and other modern Unix systems) program binaries can be hardened at compile time
     • unfortunately, not all distributions enable this security feature
 43. process image hardening: some available features
     • RELRO
     • PIE - Position Independent Executables
     • ASLR - Address Space Layout Randomization
     • Fortify Source - additional security checks added by the compiler
     • Stack protector/StackCanary - detect and mitigate stack overflow attacks
     • NX - Software/Hardware "Non-Executable" Memory tagging
     • see "Compiler options for creating secure DNS Server binaries (on Linux)": https://dnsworkshop.org/roller/dnsworkshop/entry/compiler_options_for_creating_secure
 44. process image hardening: CheckSec script (http://www.trapkit.de/tools/checksec.html)
       # wget http://www.trapkit.de/tools/checksec.sh
       # bash ./checksec.sh --file /usr/sbin/named
       RELRO        STACK CANARY   NX           PIE           RPATH      RUNPATH      FILE
       Full RELRO   Canary found   NX enabled   PIE enabled   No RPATH   No RUNPATH   /usr/sbin/named
 45. BIND 9 access control
 46. BIND 9 access control: for a DNS resolver without zones, restrict the networks that can use the resolver
       options {
           allow-query { networkblock-acl; };
       };
 47. BIND 9 access control: for a BIND 9 server running as a resolver with authoritative zones, restrict the networks that can send recursive queries to the resolver
       options {
           allow-recursion { networkblock-acl; };
       };
 48. BIND 9 access control: on an all-authoritative server, disable recursion
       options {
           recursion no;
       };
 49. BIND 9 access control: on an authoritative server, secure zone transfer and updates with TSIG (use the tsig-keygen utility); TSIG signs SOA queries, notifies and zone transfers
       key "tsig-server01-server02" {
           algorithm hmac-sha256;
           secret "JlI8ARXJmNGWj4A4YEezpBqX1hPTYqF2sBJmAmp+uRY=";
       };
       server 2001:db8:100::/64 {
           keys { "tsig-server01-server02"; };
       };
 50. local private toplevel domain
 51. private top level domain: using a Local Private Top Level Domain for the internal DNS namespace is a BAD IDEA(tm). Examples:
     • .company
     • .local (collides with mDNS)
     • .lan
     • .work
 52. private top level domain: problems with private top level domains
     • not delegated from the official root: creates delegation and lookup issues
     • authenticated denial of existence from the ROOT: DNSSEC proves that the domain is not delegated
     • data leaks
     • possible collisions with new official top level domains
 53. Empty Zones: the root server system sees a high number of queries for non-delegated TLDs
 54. best practice for local namespace: if you need a private DNS namespace for internal use
     • register a second level domain on the Internet
       • there is now an abundance of choice thanks to the new TLDs, even short names
       • not expensive (9 - 50 US$/year)
     • delegate the zone to a dummy (empty) zone on the Internet (many registrars provide this "out-of-the-box")
     • use the domain for your internal namespace
 55. next @ Men & Mice
 56. Upcoming training classes: KEA-DHCP
     • October 13 – 14, 2016 - West Coast, USA
     • October 17 – 18, 2016 - East Coast, USA
     • November 21 – 22, 2016 - Amsterdam, The Netherlands
     Two days - Hands-On class, US$ 1795
     https://www.menandmice.com/support-training/training/kea-dhcp-training/
 57. more training
     • October 3 – 5, 2016: Introduction to DNS & BIND, Hands-On class, Arlington (VA), USA
     • October 3 – 7, 2016: Introduction & Advanced DNS and BIND Topics, Hands-on class, Arlington (VA), USA
     • October 5 – 7, 2016: DNSSEC Technical Workshop – Implementation and Deployment, Arlington (VA), USA
     • October 10-14, 2014: "DNS und BIND / DNS Sicherheit" (German) @ Linuxhotel, Essen, Germany
     https://www.menandmice.com/support-training/training/
 58. our next webinars: we are working on a couple of new webinars for Q3/Q4 2016, dates will be announced soon. In the pipeline:
     • "DNS reconnaissance" - fighting spam with DNS monitoring data
     • DNS and DNSSEC monitoring
     • DNS high availability tools
     https://www.menandmice.com/resources/educational-resources/webinars/
 59. Thank you! Questions? Comments?
