DNSSEC - WHAT IS IT? INSTALL AND CONFIGURE IN A CHROOT JAIL
WHO WE ARE?
FIRST LINUX SCHOOL AND CONSULTANCY IN BRAZIL
17 YEARS OF PRACTICE IN LINUX
12 YEARS WITH THE BEST LINUX IN BRAZIL
MORE THAN 50,000 STUDENTS TRAINED
MORE THAN 5,000 CLIENTS IN DIFFERENT PROJECTS
LPI-C ATP IN BRAZIL
MORE: www.utah.com.br
SOCIAL MEDIA

Follow! @fabioandpires

Follow! @utah_networxs

 Enjoy! Utah Networxs
Speaker: Fabio Pires
Mini curriculum:

Graduated in Computer Science
Bachelor of Computing
Postgraduate in Systems Analysis and Design - FATEC
Postgraduate in the Linux Operating System - UFLA
LPIC
Undergraduate and graduate lecturer

Twitter in spare time
Contact: fpires@utah.com.br
WHAT IS A DNS SERVER?

DNS (Domain Name System) is a hierarchical, distributed naming system. A DNS server has two jobs:

1 - Maintain and update its own database (the zone data it holds).
2 - Resolve domain names into network addresses (IPs).
TYPES OF DNS SERVER

The authoritative server holds the zone data (the name-to-address maps) for a given part of the namespace and answers queries from anywhere in the world for names in the zones it is authoritative for. It does not look anything up on the client's behalf.

The recursive server (resolver) receives recursive queries from local clients, walks the hierarchy by querying external servers (root, TLD, authoritative) and caches the answers it obtains. That cache is what poisoning attacks target, which is why recursion should only be offered to your own clients.
DNS RFCs

DNS has its roots in RFCs 882 and 883 (1983), which were obsoleted by RFCs 1034 and 1035 (1987). DNSSEC itself is specified in RFCs 4033, 4034 and 4035.

http://tools.ietf.org/html/rfc1034

http://tools.ietf.org/html/rfc1035
THE DNS ROOT SERVERS
THERE IS ONE ROOT ZONE, SERVED BY 13 ROOT SERVER NAMES (a.root-servers.net THROUGH m.root-servers.net), EACH REPLICATED AROUND THE WORLD WITH ANYCAST.

The root zone holds one delegation for each existing Top Level Domain. Top Level Domains are of two types: gTLDs (Generic Top Level Domains, generic domains used worldwide) and ccTLDs (Country Code Top Level Domains, extensions administered by countries, such as .br). The root zone has been DNSSEC-signed since July 2010, which is what makes a chain of trust from the root down to a zone like bsidesp.utah.net.br possible.
THE DNS ROOT SERVER WORLD MAP
OPERATION OF A DNS SERVER
WHY ARE DNS SERVERS COMPROMISED?

DoS and DDoS attacks;
recursion { any; }; (an open resolver answers recursive queries for the whole Internet: it is abused for amplification and is a cheap poisoning target)

DNS CACHE POISONING;
A forged reply is cached if it reaches the resolver before the genuine one and:
- it arrives on the same UDP port the query was sent from;
- its QUESTION section repeats the real question;
- its QUERY ID matches the ID of that question;
- the names in its AUTHORITY and ADDITIONAL sections belong to the same domain as the query (records outside that "bailiwick" are discarded by the resolver).
With a fixed source port the attacker only has to guess a 16-bit ID; since the 2008 Kaminsky attack BIND also randomises the source port, which is why the first condition matters.
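The acceptance conditions above, as an added example that is not part of the slides: a small Python model of a resolver deciding whether a reply is used, what it caches, and how much a blind spoofer gains from a resolver that keeps one source port. The zone and host names are the slides' own; the query IDs, ports and addresses (including the attacker's 198.51.100.7) are constructed.

```python
"""Model of the checks a resolver applies before caching a DNS reply.

Added example, not from the slides. A forged reply is cached only if it
beats the genuine one and passes every check below; the attacker knows
the question and can guess the rest, so the two fields that must stay
unguessable are the query ID and the UDP source port. Zone and host names
are the slides' own; the ports, IDs and addresses are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

RR = Tuple[str, str]  # (owner name, rdata)


@dataclass
class Question:
    name: str
    qtype: str = "A"


@dataclass
class Query:
    txid: int            # 16-bit query ID chosen by the resolver
    src_port: int        # UDP source port the query left from
    question: Question
    server_zone: str     # zone the queried server is authoritative for


@dataclass
class Response:
    txid: int
    dst_port: int        # port the reply is addressed to
    question: Question
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def in_bailiwick(name: str, zone: str) -> bool:
    """True when name is the zone apex or lies below it."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def accept_response(query: Query, resp: Response) -> Tuple[bool, List[RR], str]:
    """Return (accepted, records to cache, reason).

    The first three checks drop the whole packet. The bailiwick check is
    softer: the answer is still used, but AUTHORITY/ADDITIONAL records for
    names outside the queried server's zone are ignored rather than cached,
    which stops a reply for www.bsidesp.utah.net.br from planting a bogus
    address for some unrelated name.
    """
    if resp.dst_port != query.src_port:
        return False, [], "udp port mismatch: dropped"
    if resp.txid != query.txid:
        return False, [], "query id mismatch: dropped"
    if (resp.question.name.lower(), resp.question.qtype) != (
            query.question.name.lower(), query.question.qtype):
        return False, [], "question mismatch: dropped"
    cached, ignored = list(resp.answer), 0
    for owner, rdata in resp.authority + resp.additional:
        if in_bailiwick(owner, query.server_zone):
            cached.append((owner, rdata))
        else:
            ignored += 1
    return True, cached, f"accepted; {ignored} out-of-bailiwick record(s) ignored"


def spoof_success_probability(forged_replies: int, port_space: int,
                              id_space: int = 1 << 16) -> float:
    """Chance that at least one blind forgery hits the right (ID, port) pair.

    port_space is 1 when the resolver reuses a single source port (the
    attacker only has to guess the 16-bit ID) and tens of thousands when
    ports are randomised.
    """
    p = 1.0 / (id_space * port_space)
    return 1.0 - (1.0 - p) ** forged_replies


if __name__ == "__main__":
    q = Query(txid=0x1F2E, src_port=40123,
              question=Question("www.bsidesp.utah.net.br"),
              server_zone="bsidesp.utah.net.br")
    forged = Response(txid=0x1F2E, dst_port=40123,
                      question=Question("www.bsidesp.utah.net.br"),
                      answer=[("www.bsidesp.utah.net.br", "198.51.100.7")],
                      additional=[("ns.attacker.example", "198.51.100.7")])
    print(accept_response(q, forged))
    for ports in (1, 64000):
        print(f"{ports:>6} port(s): {spoof_success_probability(65536, ports):.4f}")
```

The point the numbers make: 65536 forged replies against a resolver with a fixed port succeed about 63% of the time, against a port-randomising resolver well under 0.1%. Note that the bailiwick rule does not save the poisoned answer itself once ID and port are guessed; only DNSSEC validation does that.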
Mitigation
TSIG / DNSSEC: WHAT ARE THEY?

TSIG - Transaction SIGnature (RFC 2845)

Each DNS message is authenticated with an HMAC over a shared (symmetric) key known to both parties. It is used mainly for zone transfers between primary and secondary and for dynamic updates: the primary only hands the zone to a peer that proves it holds the key, and a modified transfer fails the MAC check. Because the key is shared, either side can produce a valid MAC, so TSIG proves who sent a message to the peer but proves nothing to third parties. Prefer hmac-sha256 (RFC 4635) over the original hmac-md5, and keep the clocks of both hosts in sync, since the MAC covers a timestamp.
TSIG / DNSSEC: WHAT ARE THEY?

DNSSEC adds cryptographic signatures to the zone data itself and uses asymmetric keys.

The owner of a DNSSEC-enabled domain has a key pair: the private key signs the zone's records (producing RRSIG records), and the public key is published in the zone as a DNSKEY record. A DS record in the parent zone (registro.br for .br) carries a hash of that public key, linking the zone into the chain of trust that starts at the signed root. A validating resolver checks the signatures and rejects forged or altered answers, regardless of which server or transport they came from. DNSSEC gives origin authentication and integrity, not confidentiality, and it does not protect the server against DoS.
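The TSIG mechanism described above, as an added example that is not part of the slides: the MAC a secondary (homer) would put on an AXFR request for the slides' zone, and the checks the primary (moe) runs on it. The key name "moe-homer." and the key bytes are constructed; RFC 2845 lays out exactly which bytes the HMAC covers, and that layout is reproduced here so the MAC would match what BIND computes for the same input.

```python
"""TSIG message authentication (RFC 2845, HMAC-SHA256 per RFC 4635).

Added example, not from the slides. It builds the wire form of an AXFR
request for the slides' zone and computes the TSIG MAC the primary checks
on it. Key name "moe-homer." and the key bytes are constructed; primary
and secondary must share them, which is the symmetric property the slide
contrasts with DNSSEC's key pair.
"""
import hashlib
import hmac
import struct

AXFR, CLASS_IN, CLASS_ANY = 252, 1, 255
ALGORITHM = "hmac-sha256."


def wire_name(name: str) -> bytes:
    """Canonical (lower-case) RFC 1035 wire encoding of a domain name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, qname: str, qtype: int = AXFR) -> bytes:
    """Header + one question; no TSIG RR appended yet, so ARCOUNT is 0."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + wire_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def tsig_variables(keyname: str, time_signed: int, fudge: int,
                   error: int = 0, other: bytes = b"") -> bytes:
    """The TSIG RR fields the MAC covers (RFC 2845 section 3.4.2)."""
    return (wire_name(keyname)
            + struct.pack("!HI", CLASS_ANY, 0)                 # class ANY, TTL 0
            + wire_name(ALGORITHM)
            + struct.pack("!HI", time_signed >> 32,           # 48-bit time signed
                          time_signed & 0xFFFFFFFF)
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_mac(key: bytes, message: bytes, keyname: str, time_signed: int,
             fudge: int, request_mac: bytes = b"") -> bytes:
    """HMAC over [len + request MAC] + DNS message + TSIG variables.

    `message` is the DNS message as it stands before the TSIG RR is added,
    which is exactly the part of the packet the MAC is defined over.
    """
    data = b""
    if request_mac:                                   # only when signing a response
        data += struct.pack("!H", len(request_mac)) + request_mac
    data += message + tsig_variables(keyname, time_signed, fudge)
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_tsig(key: bytes, message: bytes, keyname: str, time_signed: int,
                fudge: int, mac: bytes, now: int, request_mac: bytes = b"") -> str:
    """Return the TSIG error a server would log: NOERROR, BADSIG or BADTIME."""
    expected = tsig_mac(key, message, keyname, time_signed, fudge, request_mac)
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR"


if __name__ == "__main__":
    key = bytes.fromhex("9f1c3b7a2e4d6c8b0a1f2e3d4c5b6a798877665544332211ffeeddccbbaa9988")
    msg = build_query(0x2A2A, "bsidesp.utah.net.br")
    now = 1350518400                                  # 2012-10-18 00:00 UTC, constructed
    mac = tsig_mac(key, msg, "moe-homer.", now, 300)
    print(mac.hex())
    print(verify_tsig(key, msg, "moe-homer.", now, 300, mac, now=now + 10))
    print(verify_tsig(key, msg, "moe-homer.", now, 300, mac, now=now + 3600))
```

In a real exchange the MAC and the variables travel in a TSIG RR appended to the additional section; what this shows is that the same key yields the same MAC on both ends, so a compromised secondary can forge requests just as the primary can verify them, and that a replayed transfer request fails on the time check rather than the signature.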
DNS VS DNSSEC
PRACTICE: DNS SERVER

#CHROOT JAIL
CHROOT: BIND IN A CHROOT JAIL

Host filesystem      /chroot (Debian base system,     /chroot/var/lib/named (BIND's own
                     entered with chroot)             root, given with named -t)
/                    /
  bin                  bin                              dev
  boot                 boot                             etc/bind
  chroot  -------->    dev                              lib
  dev                  etc                              var
  etc                  home
  home                 lib
  lib                  mnt
  mnt                  opt
  opt                  proc
  proc                 root
  root                 sbin
  sbin                 tmp
  tmp                  usr
  usr                  var/lib/named  -------->
  var
MAKE A CHROOT JAIL
Operating system: Debian
Version name: Squeeze
Version release: 6.0.5
Architecture: x86_64
Directory: /chroot

root@moe:~# apt-get install debootstrap

root@moe:~# mkdir -p /chroot
root@moe:~# cd /chroot
root@moe:/chroot# debootstrap squeeze .
AVOIDING FUTURE JAIL PROBLEMS
01 - Make the host's /dev and /dev/pts visible inside the jail

root@moe:~# mount --bind /dev /chroot/dev

root@moe:~# mount --bind /dev/pts /chroot/dev/pts

Bind-mounting /dev exposes every host device node to the jail. That is convenient while building it, but named itself will run under a second, narrower root (/var/lib/named) that receives only the four device nodes it needs.

02 - Enter the chroot jail

root@moe:~# chroot /chroot
INSTALL PACKAGES (inside the jail)
root@moe:/# apt-get install sysklogd openssh-server vim bind9

MAIN BIND9 CONFIG FILES

/etc/bind
/etc/default/bind9

BIND9 INIT SCRIPT

/etc/init.d/bind9
MAKE DIRECTORIES FOR BIND'S OWN CHROOT (/var/lib/named)
root@moe:~# mkdir -p /var/lib/named

root@moe:~# mkdir -p /var/lib/named/etc/bind

root@moe:~# mkdir -p /var/lib/named/dev

root@moe:~# mkdir -p /var/lib/named/var/cache/bind

root@moe:~# mkdir -p /var/lib/named/var/run/bind/run

root@moe:~# mkdir -p /var/lib/named/var/run/named

root@moe:~# mkdir -p /var/lib/named/lib
EDIT THE DEFAULTS FILE
root@moe:~# vi /etc/default/bind9

Change:

OPTIONS="-u bind"

To:

OPTIONS="-u bind -t /var/lib/named"

-u bind drops privileges to the bind user after port 53 is bound; -t /var/lib/named makes named chroot there before it reads its configuration, so every path in named.conf is relative to that directory.

root@moe:~# vi /etc/init.d/bind9

The init script sources /etc/default/bind9, so it only needs the same change if it carries its own OPTIONS= line; either way it must end up running named with:

OPTIONS="-u bind -t /var/lib/named"
COPY THE BIND PACKAGE FILES INTO THE JAIL

root@moe:~# cp -R /etc/bind/* /var/lib/named/etc/bind/

CHANGE THE DEFAULT OWNER USER AND GROUP

root@moe:~# chown -R bind:bind /var/lib/named

After the chown, check that rndc.key (and later the DNSSEC .private files) are readable by the bind user only; a world-readable rndc.key lets any local user control the server.
CREATE DEVICE NODES

root@moe:~# cd /var/lib/named/dev

root@moe:/var/lib/named/dev# mknod null c 1 3
root@moe:/var/lib/named/dev# mknod zero c 1 5
root@moe:/var/lib/named/dev# mknod random c 1 8
root@moe:/var/lib/named/dev# mknod urandom c 1 9
root@moe:/var/lib/named/dev# chmod 666 null zero random urandom

These are character devices (c), not block devices. named needs /dev/random or /dev/urandom for query IDs, source ports and DNSSEC key material, and /dev/null when it daemonises; without the nodes (or with nodes the bind user cannot open) it will not start inside the jail. To get syslog from inside the jail, make syslogd listen on an extra socket at /var/lib/named/dev/log (sysklogd's -a option).
RESTART THE BIND9 SERVICE

root@moe:~# invoke-rc.d bind9 restart

Validate the configuration with named-checkconf (it accepts the chroot directory via -t) before restarting: a typo in named.conf leaves you with no name server at all, and the jail's logging is the first thing to check when named does not come back up.
MAIN CONFIGURATION FILES

named.conf

named.conf.options

zones/db.interna.direta

zones/db.interna.reversa

zones/db.externa.direta

zones/db.externa.reversa

(all under /var/lib/named/etc/bind, the chroot's /etc/bind; the external zone files get a .signed counterpart once DNSSEC is set up)
ACLS AND VIEWS CONCEPT

ACL - Access Control List: a named list of addresses or prefixes that other statements (match-clients, allow-query, allow-transfer, allow-recursion) refer to.

Views: different versions of the same zone served to different clients (split DNS). BIND evaluates views in the order they appear in named.conf and uses the first one whose match-clients matches, so the narrow internal view must be declared before the catch-all external one.
CONFIGURE NAMED.CONF
acl intranet { 192.168.0.0/16; };
acl extranet { 0.0.0.0/0; };

extranet matches every IPv4 address, including the intranet range; it only means "everyone else" because the intranet view comes first.
CONFIGURE NAMED.CONF
view bsidesplocal {
    match-clients { intranet; };

    zone "bsidesp.utah.net.br" {
        type master;
        file "/etc/bind/zones/db.interna.direta";
        allow-transfer { 192.168.0.220; };
        update-policy local;
        key-directory "/etc/bind/zones/keys";
        also-notify { 192.168.0.220; };
        notify yes;
    };

    zone "0.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/db.interna.reversa";
        allow-transfer { 192.168.0.220; };
        update-policy local;
        key-directory "/etc/bind/zones/keys";
        also-notify { 192.168.0.220; };
        notify yes;
    };
};
CONFIGURE NAMED.CONF
view bsidespweb {
    match-clients { extranet; };

    zone "bsidesp.utah.net.br" {
        type master;
        file "/etc/bind/zones/db.externa.direta";
        allow-transfer { 189.99.99.9; };
        update-policy local;
        key-directory "/etc/bind/zones/keys";
        also-notify { 189.99.99.9; };
        notify yes;
    };

    zone "99.99.189.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/db.externa.reversa";
        allow-transfer { 189.99.99.9; };
        update-policy local;
        key-directory "/etc/bind/zones/keys";
        also-notify { 189.99.99.9; };
        notify yes;
    };
};
NAMED.CONF GLOSSARY

Line beginning with // = comment (# and /* ... */ also work)
include = includes the named file
acl = defines an access control list
zone = declares a zone
type = zone type (master, slave, hint, forward, ...)
file = path of the zone file; with -t it is relative to the chroot, so /etc/bind/zones/... here really is /var/lib/named/etc/bind/zones/...
allow-transfer = which addresses may pull the zone (AXFR/IXFR); anything not listed is refused, so without it anyone on the Internet could dump the whole zone
update-policy local = accepts dynamic updates signed with the server's own session key, which makes the zone a dynamic zone; once signed, BIND keeps its RRSIGs refreshed before they expire instead of needing a manual dnssec-signzone on every change
key-directory = directory holding the DNSSEC key files the automatic signing needs
also-notify = extra addresses that receive a NOTIFY whenever the zone changes (in addition to the servers in the zone's NS records)
notify = whether NOTIFY messages are sent at all when the zone is loaded or changes
ZONE FILES DIRECTORY

root@moe:~# mkdir /var/lib/named/etc/bind/zones

root@moe:~# chown bind:bind /var/lib/named/etc/bind/zones
FORWARD ZONE EXAMPLE
$TTL 86400
@   IN SOA   moe.bsidesp.utah.net.br. root.bsidesp.utah.net.br. (
            2012101801 ; Serial
            1200       ; Refresh
            2400       ; Retry
            4800       ; Expire
            1209600 )  ; Negative Cache TTL
;
@       IN  NS     moe.bsidesp.utah.net.br.
@       IN  NS     homer.bsidesp.utah.net.br.
@       IN  MX 5   moe.bsidesp.utah.net.br.
@       IN  MX 10  homer.bsidesp.utah.net.br.
@       IN  A      189.100.100.10
@       IN  A      189.99.99.9

moe     IN  A      189.99.99.9
homer   IN  A      189.100.100.10
ftp     IN  CNAME  homer.bsidesp.utah.net.br.
pop     IN  CNAME  homer.bsidesp.utah.net.br.
REVERSE ZONE EXAMPLE (99.99.189.in-addr.arpa)
$TTL 86400
@   IN SOA   moe.bsidesp.utah.net.br. root.bsidesp.utah.net.br. (
            2012101801 ; Serial
            1200       ; Refresh
            2400       ; Retry
            4800       ; Expire
            1209600 )  ; Negative Cache TTL
;
@       IN  NS     moe.bsidesp.utah.net.br.
@       IN  NS     homer.bsidesp.utah.net.br.
@       IN  MX 5   moe.bsidesp.utah.net.br.
@       IN  MX 10  homer.bsidesp.utah.net.br.

9       IN  PTR    moe.bsidesp.utah.net.br.
10      IN  PTR    homer.bsidesp.utah.net.br.
10      IN  PTR    www.bsidesp.utah.net.br.
10      IN  PTR    ftp.bsidesp.utah.net.br.
10      IN  PTR    pop.bsidesp.utah.net.br.
ZONE FILE GLOSSARY
TTL = time in seconds that a record of the zone stays in a resolver's cache ($TTL sets the default for the whole file);

Serial number = the version of the zone; a secondary compares it with its copy to decide whether to transfer the zone again, so it must increase on every change (YYYYMMDDnn is the usual convention; the -N unixtime option used when signing replaces it with the Unix time);

Refresh = how often, in seconds, the secondary checks the primary for a new serial;

Retry = seconds to wait before trying again when a refresh attempt fails (should be shorter than Refresh);

Expire = seconds the secondary keeps serving the zone while the primary is unreachable; once it runs out the secondary stops answering for the zone too, so it should be far longer than Refresh (with the 4800 on this slide the secondaries go dark after 80 minutes of primary outage);

Negative cache TTL = how long a resolver caches a negative answer (NXDOMAIN or no data) for this zone before asking again;

NS = name server
A = host (IPv4 address)
MX = mail exchanger, with a preference (lower is tried first)
CNAME = alias; the aliases (www, ftp, pop, ...) sit at the end of the file and point at a canonical host name. A target written without the trailing dot is read relative to the zone origin: homer.bsidesp.utah.net.br becomes homer.bsidesp.utah.net.br.bsidesp.utah.net.br., which is the most common zone-file mistake.
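As an added example for the zone file format and the SOA fields just explained (not part of the slides; named-checkzone is the tool that does this for real), a Python sanity checker for the subset of master-file syntax the slides use. SAMPLE_ZONE is a constructed copy of the slides' forward zone, including a CNAME target written without its trailing dot; the timer rules it applies are the ones from the glossary above.

```python
"""Sanity checks for a master zone file before it is loaded.

Added example, not from the slides. It parses the subset of RFC 1035
master-file syntax the slides use ($TTL, a parenthesised SOA, "@",
relative owner names, ";" comments) and reports the mistakes that bite
in practice: SOA timers out of order, a record target that was meant to
be absolute but lacks the trailing dot (BIND appends the origin to it),
and a zone without NS records at the apex. SAMPLE_ZONE is constructed
from the slides' forward zone and deliberately keeps its "pop" mistake.
"""
from typing import Dict, List, Tuple

Record = Tuple[str, str, List[str]]            # (owner, type, rdata tokens)
TARGET_INDEX: Dict[str, int] = {"NS": 0, "CNAME": 0, "PTR": 0, "MX": 1}

SAMPLE_ZONE = """\
$TTL 86400
@   IN SOA  moe.bsidesp.utah.net.br. root.bsidesp.utah.net.br. (
        2012101801 ; Serial
        1200       ; Refresh
        2400       ; Retry
        4800       ; Expire
        1209600 )  ; Negative Cache TTL
@     IN NS    moe.bsidesp.utah.net.br.
@     IN NS    homer.bsidesp.utah.net.br.
@     IN MX 5  moe.bsidesp.utah.net.br.
@     IN A     189.99.99.9
moe   IN A     189.99.99.9
homer IN A     189.100.100.10
ftp   IN CNAME homer.bsidesp.utah.net.br.
pop   IN CNAME homer.bsidesp.utah.net.br
"""


def parse_zone(text: str, origin: str) -> Tuple[int, List[Record]]:
    """Return ($TTL, records) with every owner name made absolute."""
    origin = origin.rstrip(".") + "."
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()       # strip comments
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:                             # record is complete
            logical.append(" ".join(buf))
            buf = []
    ttl, records, last_owner = 0, [], origin
    for line in logical:
        tokens = line.split()
        if tokens[0] == "$TTL":
            ttl = int(tokens[1])
            continue
        owner = last_owner if line[0].isspace() else tokens.pop(0)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"            # relative owner gets the origin
        last_owner = owner
        if tokens[0] == "IN":
            tokens.pop(0)
        records.append((owner, tokens[0], tokens[1:]))
    return ttl, records


def lint_zone(text: str, origin: str) -> List[str]:
    """Human-readable problems; an empty list means the zone looks sane."""
    apex = origin.rstrip(".") + "."
    _, records = parse_zone(text, origin)
    problems = []
    soa = [r for r in records if r[1] == "SOA"]
    if len(soa) != 1:
        problems.append("zone needs exactly one SOA record")
    else:
        _, refresh, retry, expire, minimum = (int(t) for t in soa[0][2][2:7])
        if retry >= refresh:
            problems.append(f"SOA retry ({retry}) should be shorter than refresh ({refresh})")
        if expire <= refresh + retry:
            problems.append(f"SOA expire ({expire}) should exceed refresh + retry")
        if minimum > expire:
            problems.append(f"negative-cache TTL ({minimum}) exceeds expire ({expire}); "
                            "the two values look swapped")
    if not any(r[0] == apex and r[1] == "NS" for r in records):
        problems.append("no NS records at the zone apex")
    for owner, rtype, rdata in records:
        idx = TARGET_INDEX.get(rtype)
        if idx is not None and "." in rdata[idx] and not rdata[idx].endswith("."):
            problems.append(f"{owner} {rtype} target {rdata[idx]} lacks a trailing dot; "
                            f"BIND will read it as {rdata[idx]}.{apex}")
    return problems


if __name__ == "__main__":
    for problem in lint_zone(SAMPLE_ZONE, "bsidesp.utah.net.br"):
        print("-", problem)
```

Run against the sample it reports the retry/refresh order, the swapped-looking expire and negative TTL, and the pop CNAME; fix the dot and that third line disappears. Owner names with embedded TTLs and $ORIGIN/$INCLUDE directives are outside what it parses.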
RESTRICT RECURSION

root@moe:~# vi /var/lib/named/etc/bind/named.conf.options

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    allow-query { intranet; extranet; };
    allow-recursion { intranet; };
    dnssec-enable yes;

allow-query lets anyone ask for the zones this server is authoritative for, while allow-recursion limits lookups on behalf of clients to the intranet ACL: that is what closes the open resolver listed under "why are DNS servers compromised". The ACL names must be the ones declared in named.conf (intranet and extranet here), or named refuses to start. dnssec-enable yes makes the server include the DNSSEC records (RRSIG, NSEC, DNSKEY) in answers to clients that ask for them; later BIND releases have this always on and dropped the option, and a resolver that should actually check signatures also needs dnssec-validation.
MAKE THE DNSSEC KEYS

root@moe:~# mkdir /var/lib/named/etc/bind/zones/keys

root@moe:~# chown bind:bind /var/lib/named/etc/bind/zones/keys

root@moe:/var/lib/named/etc/bind/zones/keys# dnssec-keygen -r /dev/urandom -f KSK -a RSAMD5 -b 2048 -K /var/lib/named/etc/bind/zones/keys -n ZONE bsidesp.utah.net.br

This writes Kbsidesp.utah.net.br.+001+51074.key (the public DNSKEY record) and the matching .private file. Two things to change before doing this for real: RSAMD5 (algorithm 1) is deprecated (RFC 6725 moved it to "must not implement") and validators are not required to support it, so use RSASHA256 (-a RSASHA256, algorithm 8); and this generates only a KSK, whereas the usual split is a KSK (-f KSK, signs the DNSKEY set and is what the DS at the parent points to) plus a ZSK (same command without -f KSK, signs everything else), so the ZSK can be rolled without involving the registrar. Keep the .private files readable by the bind user only.
OPTIONS GLOSSARY

-r = randomness source (/dev/urandom; the default /dev/random can block on a headless server with little entropy)
-f KSK = set the SEP flag (flags 257 instead of 256), marking the key as a Key Signing Key
-a = signing algorithm (prefer RSASHA256 over the deprecated RSAMD5)
-b = key size in bits
-K = directory where the key files are written
-n ZONE = the key owner is a zone (as opposed to a host or user key)
SIGN THE ZONES

root@moe:/var/lib/named/etc/bind/zones/keys# dnssec-signzone -S -z -K /var/lib/named/etc/bind/zones/keys -N unixtime -o bsidesp.utah.net.br /var/lib/named/etc/bind/zones/db.externa.direta

The output is db.externa.direta.signed next to the input file, plus dsset-bsidesp.utah.net.br. in the current directory holding the DS record(s) for the parent. The next slide also references db.externa.reversa.signed, so the reverse zone needs the same command with its own keys and -o 99.99.189.in-addr.arpa; its DS goes to whoever delegates that in-addr.arpa block, not to registro.br.
OPTIONS GLOSSARY

-S = smart signing: look in the key directory for keys whose name matches the zone and use them according to their timing metadata;
-z = ignore the KSK/SEP flag and sign every RRset with every key (with a single KSK, as here, this is what makes it sign the whole zone);
-K = directory of the keys;
-N unixtime = set the SOA serial to the current Unix time on every signing, so it always increases and the secondaries notice the new signatures;
-o = the zone origin (the name the file describes); the final argument is the zone file to sign.
CHANGE NAMED.CONF (the external view now loads the signed files)
view bsidespweb {
    match-clients { extranet; };

    zone "bsidesp.utah.net.br" {
        type master;
        file "/etc/bind/zones/db.externa.direta.signed";
        allow-transfer { 189.99.99.9; };
        update-policy local;
        key-directory "/etc/bind/zones/keys";
        also-notify { 189.99.99.9; };
        notify yes;
    };

    zone "99.99.189.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/db.externa.reversa.signed";
        allow-transfer { 189.99.99.9; };
        update-policy local;
        key-directory "/etc/bind/zones/keys";
        also-notify { 189.99.99.9; };
        notify yes;
    };
};
PUBLISH THE DS IN REGISTRO.BR
GET THE KEY TAG AND DIGEST

root@moe:/var/lib/named/etc/bind/zones/keys# head -1 dsset-bsidesp.utah.net.br.

bsidesp.utah.net.br. IN DS 51074 1 1 D836A983AE90B051414E88D62379A94C9C9F71DD

Key tag = 51074
Algorithm = 1 (RSAMD5)
Digest type = 1 (SHA-1)
Digest = D836A983AE90B051414E88D62379A94C9C9F71DD

These fields are what registro.br asks for. Once the DS is in the .br zone the chain of trust from the root reaches bsidesp.utah.net.br and validating resolvers reject forged answers for it; until then nothing validates. If the KSK is ever replaced, the new DS must be published before the old key is retired, otherwise the entire zone fails validation and disappears for every validating resolver.
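How the key tag and digest on this slide are derived from the DNSKEY, as an added example that is not part of the slides: the RFC 4034 key-tag sum and the DS digest over the canonical owner name plus the DNSKEY RDATA, which is what dnssec-signzone writes into the dsset- file. The public key bytes here are constructed, so the tag and digest differ from the slide's 51074 / D836...; the function refuses RSAMD5, whose key tag was computed by a different, now obsolete rule.

```python
"""Key tag and DS digest for a DNSKEY (RFC 4034 section 5 and appendix B).

Added example, not from the slides. dnssec-signzone writes the same DS
lines into dsset-<zone>.; this shows what goes into them so the values
handed to the registrar can be cross-checked. The public key bytes used
in the demo are constructed and far too short to be a real key.
"""
import base64
import hashlib
import struct

SEP_FLAG = 0x0001                       # set in flags (257) for a KSK
ZSK_FLAGS, KSK_FLAGS = 256, 257
DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest type numbers


def wire_name(name: str) -> bytes:
    """Canonical (lower-case) RFC 1035 wire form of an owner name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """flags(2) | protocol(1), always 3 | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def is_ksk(rdata: bytes) -> bool:
    return bool(struct.unpack("!H", rdata[:2])[0] & SEP_FLAG)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 appendix B: a 16-bit checksum over the whole RDATA.

    Algorithm 1 (RSAMD5) used a different rule and is deprecated, so it is
    refused rather than silently computed wrongly.
    """
    if rdata[3] == 1:
        raise ValueError("RSAMD5 key tags use another rule; use a current algorithm")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Upper-case hex of H(canonical owner name || DNSKEY RDATA)."""
    return DIGEST[digest_type](wire_name(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Presentation form: owner IN DS keytag algorithm digesttype digest."""
    owner = owner.rstrip(".") + "."
    return (f"{owner} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} "
            f"{ds_digest(owner, rdata, digest_type)}")


def ds_from_dnskey_line(line: str, digest_type: int = 2) -> str:
    """Build the DS from a line of a K<zone>+<alg>+<tag>.key file, e.g.
    'bsidesp.utah.net.br. IN DNSKEY 257 3 8 AwEAAc...' (no TTL field)."""
    fields = line.split()
    owner, flags, proto, alg = fields[0], int(fields[3]), int(fields[4]), int(fields[5])
    if fields[2] != "DNSKEY" or proto != 3:
        raise ValueError("not a DNSKEY record")
    pubkey = base64.b64decode("".join(fields[6:]))
    return ds_record(owner, dnskey_rdata(flags, alg, pubkey), digest_type)


if __name__ == "__main__":
    demo = dnskey_rdata(KSK_FLAGS, 8, bytes.fromhex("01020304"))   # constructed key
    print(ds_record("bsidesp.utah.net.br", demo, 1))
    print(ds_record("bsidesp.utah.net.br", demo, 2))
```

Feed the first line of the real Kbsidesp.utah.net.br.+<alg>+<tag>.key file to ds_from_dnskey_line and the result must match the dsset- file byte for byte; a mismatch means the wrong key (a ZSK instead of the KSK, or a stale key file) is about to be submitted to the registrar.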
QUESTIONS?

SPECIAL THANKS

ISAIAS SOUZA SILVA
SOURCES OF RESEARCH

BIND9 PROJECT
https://www.isc.org/software/bind

REGISTRO.BR
www.registro.br

QGSEG
http://www.qgseg.com.br/

WIKIPEDIA
http://pt.wikipedia.org
