A Linux User Reference

NETWORK APPLICATIONS

DNS security

  • Transaction SIGning (TSIG) for zone transfers
    • Synchronise clocks between the nameservers, create and distribute a shared secret - the TSIG key.
    • On the primary server, create an access list specifying which keys are allowed for transfers.
    • On the slave server(s), specify which keys to use when contacting which primary servers.

    The primary nameserver notifies the slave server(s) when a change has occurred to a zone file. Zone transfers are initiated by the slave server - a pull.

    Create a key

    # dnssec-keygen -b 128 -a HMAC-MD5 -n HOST dnssvr-ubuntu64.
    Kdnssvr-ubuntu64.+157+43930.key   Kdnssvr-ubuntu64.+157+43930.private
    

    Create a file to hold the newly created key e.g. - /etc/bind/tsig.key

    key "dnssvr-ubuntu64." {
         algorithm hmac-md5;
         secret "mFfTvz6ElvCmJhJ1IquMSQ==";
    };
    

    This file contains the contents of 'Kdnssvr-ubuntu64.+157+43930.key'.

    Alternatively, add these lines directly to 'named.conf' on both the primary and the slave(s); a separate file is the more secure choice. Whether it lives in the '.key' file or in 'named.conf', the key entry (name, algorithm and secret) must be exactly the same on master and slave nameservers.

    Configure slave nameserver(s) to use TSIG for zone transfers - named.conf

    .....
    include "/etc/bind/tsig.key";
    server 192.168.0.2 {                     // IP of primary server
         keys { dnssvr-ubuntu64. ; };        // sign requests to it with this key
    };
    

    Sign notifications as well as the zone transfers (On the primary) - named.conf

    .....
    server 192.168.0.3 {                     // IP of secondary server
         keys { dnssvr-ubuntu64. ; };        // Use the key 'dnssvr-ubuntu64.' when
                                             // communicating with 192.168.0.3
    };
    

    The above assumes that:

    • Zone entries in 'named.conf' on the slave nameservers have been configured correctly - type slave.
    • The primary nameserver has been configured with allow-transfer and to notify the slave nameservers.
    • An NS record exists in the zone file for each slave nameserver - optional, as also-notify can be used instead.
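
    A check to run on the key file before it is distributed, added here as an example and not part of the original reference: it parses the key statement shown above, flags deprecated algorithms and short secrets, and confirms that the primary's and secondary's copies really are identical (the mistyped name in the second constructed file below is the "must be exactly the same" rule being broken). The function names are this example's own assumptions.

```python
import base64, hmac, re, secrets

# Constructed key files in the 'key' statement format of /etc/bind/tsig.key (example data, not live keys).
PRIMARY_KEY_FILE = '''\
key "dnssvr-ubuntu64." {
     algorithm hmac-md5;
     secret "mFfTvz6ElvCmJhJ1IquMSQ==";
};
'''
# Same secret, but the key name was mistyped when copied to the secondary: transfers fail with BADKEY.
SECONDARY_KEY_FILE = PRIMARY_KEY_FILE.replace("dnssvr-ubuntu64.", "dnssvr-ubunt64.")

# Digest length in bytes per algorithm; a secret shorter than this weakens the HMAC.
DIGEST_BYTES = {"hmac-md5": 16, "hmac-sha1": 20, "hmac-sha256": 32, "hmac-sha512": 64}

KEY_RE = re.compile(
    r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]+)"\s*;\s*\}\s*;')

def parse_key_file(text):
    """Return {'name', 'algorithm', 'secret'} from a key statement; the secret is raw bytes."""
    m = KEY_RE.search(text)
    if not m:
        raise ValueError("no key statement found")
    name, algorithm, secret_b64 = m.groups()
    return {"name": name.lower(), "algorithm": algorithm.lower(),
            "secret": base64.b64decode(secret_b64, validate=True)}

def check_key(key):
    """Problems to fix before the key file is copied to the other nameserver."""
    problems = []
    if not key["name"].endswith("."):
        problems.append("key name should be fully qualified (trailing dot)")
    if key["algorithm"] not in DIGEST_BYTES:
        problems.append(f"unknown TSIG algorithm {key['algorithm']}")
    elif key["algorithm"] in ("hmac-md5", "hmac-sha1"):
        problems.append(f"{key['algorithm']} is deprecated; use hmac-sha256 or stronger")
    if len(key["secret"]) < DIGEST_BYTES.get(key["algorithm"], 32):
        problems.append("secret is shorter than the digest length")
    return problems

def keys_match(a, b):
    """True only if name, algorithm and secret are identical on both nameservers."""
    return (a["name"] == b["name"] and a["algorithm"] == b["algorithm"]
            and hmac.compare_digest(a["secret"], b["secret"]))

def generate_key_statement(name, algorithm="hmac-sha256"):
    """Build a key statement with a fresh random secret of digest length (what the dnssec-keygen step gives you)."""
    secret = base64.b64encode(secrets.token_bytes(DIGEST_BYTES[algorithm])).decode()
    return f'key "{name}" {{\n     algorithm {algorithm};\n     secret "{secret}";\n}};\n'
```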
  • Domain Name System Security Extension (DNSSEC)

    The basics - an introduction.

    • DNSSEC enabled authoritative servers provide digital signatures across RR sets in addition to "standard" DNS data.
    • DNSSEC validating resolvers provide authenticated responses with proven integrity.
    • Validation is done on the recursive, not authoritative servers.
    • Clients using validating resolvers get 'guaranteed' 'good' data.
    • Data that does not validate provides a "SERVFAIL" response from the upstream resolver.

    Enable DNSSEC in the authoritative server's named.conf

    options {
         dnssec-enable yes;
    };
    

    Enable DNSSEC in the recursive server's named.conf

    options {
         dnssec-enable yes;
         dnssec-validation yes;
    };
    
    DNSSEC-enable a zone

    For each zone, two keys are created:

    Zone Signing Key (ZSK)

    Used to sign the data within the zone.

    SEP or Key Signing Key (KSK)

    Used to sign the Zone Signing Key and to create the "Secure Entry Point (SEP)".

    Generate ZSK for a zone

    # dnssec-keygen -r /dev/random -b 512 -a RSASHA1 -n ZONE my-home.com
    Kmy-home.com.+005+25608.key  Kmy-home.com.+005+25608.private
    

    Generate KSK for a zone

    # dnssec-keygen -r /dev/random -b 512 -a RSASHA1 -f KSK -n ZONE my-home.com
    Kmy-home.com.+005+31111.key Kmy-home.com.+005+31111.private
    

    Include the public keys in the zone files that are to be signed

    $INCLUDE "/etc/bind/Kmy-home.com.+005+25608.key"
    $INCLUDE "/etc/bind/Kmy-home.com.+005+31111.key"
    

    or

    # cat Kmy-home.com.+*.key >> db.my-home.com
    
  • DNSSEC zone file signing - dnssec-signzone

    Signing adds the RRSIG, NSEC and associated records to the zone.

    dnssec-signzone [-o zonename]
                    [-N INCREMENT]
                    [-k KSKfile]
                    zonefile
                    [ZSKfile]
    
    Some options:
     -o zonename        zone origin; defaults to the zonefile name, so name the file after the zone
     -N INCREMENT       increments the SOA serial number in the signed zone; otherwise increment it manually
    

    Sign a zone

    # dnssec-signzone -r /dev/random -o my-home.com \
    -k /etc/bind/Kmy-home.com.+005+31111.key db.my-home.com \
    /etc/bind/Kmy-home.com.+005+25608.key
    db.my-home.com.signed
    

    Edit named.conf to point to the new signed zonefile

    zone "my-home.com" {
         file "/etc/bind/db.my-home.com.signed";      // old zone file was db.my-home.com
    };
    

    Reload zone

    # rndc reconfig
    # rndc flush
    

    Provide parent zone with DS records

    If the parent zone is not DNSSEC-aware, publish DLV records with a DLV registry instead.

  • DNSSEC zone maintenance

    Required periodically, because signatures have a limited lifetime: expired signatures leave a zone that will not validate.

    Born-on (inception) date

    1 hour prior to running 'dnssec-signzone'

    Expiration date

    30 days after running 'dnssec-signzone'

    Re-run 'dnssec-signzone' whenever a zone is modified, and in any case at least every 30 days (minus the TTL). If this is not done the signatures expire, the zone stops validating and, to validating resolvers, its data is effectively GONE (SERVFAIL).

    Key maintenance - automation now exists.

    • KSK should be rolled once a year.
    • ZSK should be rolled every 3 months.
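
    An added example, not from the original page, that reads the RRSIG records dnssec-signzone writes and reports when each signature must be renewed, applying the rule above that re-signing is due before expiration minus the TTL. The zone excerpt, its dummy signatures and the key tag are constructed from the my-home.com example; the function names are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed excerpt in the layout dnssec-signzone writes to db.my-home.com.signed; signatures are dummies.
# RRSIG rdata: type covered, algorithm, labels, original TTL, expiration, inception, key tag, signer, sig.
SAMPLE_SIGNED_ZONE = """\
my-home.com.     604800 IN SOA   ns1.my-home.com. root.my-home.com. 2006020201 604800 86400 2419200 604800
my-home.com.     604800 IN RRSIG SOA 5 2 604800 20060304120000 20060202110000 25608 my-home.com. AbCd==
my-home.com.     604800 IN NS    ns1.my-home.com.
my-home.com.     604800 IN RRSIG NS 5 2 604800 20060304120000 20060202110000 25608 my-home.com. EfGh==
www.my-home.com.    300 IN A     192.168.0.1
www.my-home.com.    300 IN RRSIG A 5 3 300 20060304120000 20060202110000 25608 my-home.com. IjKl==
"""

RRSIG_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+(\d+)\s+(\d{14})\s+(\d{14})\s+(\d+)\s")

def _ts(value):
    """Accept a 14-digit YYYYMMDDHHMMSS string (the RRSIG format) or an aware datetime."""
    if isinstance(value, datetime):
        return value
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_signatures(zone_text, now):
    """Classify each RRSIG relative to 'now'. The re-sign deadline is expiration minus the
    record TTL: a resolver may cache the old RRSIG just before that point and keep it
    until it expires, so signing any later leaves a window of SERVFAIL answers."""
    now, results = _ts(now), []
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line)
        if not m:
            continue
        owner, covered, ttl, exp, inc, keytag = m.groups()
        expiration, inception = _ts(exp), _ts(inc)
        deadline = expiration - timedelta(seconds=int(ttl))
        if now < inception:
            status = "not-yet-valid"
        elif now >= expiration:
            status = "expired"
        elif now >= deadline:
            status = "resign-now"
        else:
            status = "ok"
        results.append({"owner": owner, "covered": covered, "keytag": int(keytag),
                        "deadline": deadline, "status": status})
    return results

def zone_needs_resign(zone_text, now):
    """True if any signature is past its re-sign deadline or has already expired."""
    return any(r["status"] in ("resign-now", "expired") for r in check_signatures(zone_text, now))
```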
  • Some security related options

    Sample entries - named.conf

    options {
      version "A working one";                          // Masks the version number, denying
                                                        // version-specific exploits.
    
      listen-on { 192.168.0.2; };                       // Only listen on this interface
    
      allow-query { "my-home-lan"; localhost; };        // Only answer queries from the 'my-home-lan'
                                                        // acl and localhost - more SECURE
    
      allow-recursion { "my-home-lan"; localhost; };    // More SECURE - reduces the risk of cache
                                                        // poisoning.
    
      dnssec-enable yes;                                // Enable DNSSEC for/with zone signing
    
      allow-transfer { "none"; };                       // Transfers enabled per zone for the slaves
    
      recursion no;                                     // Enable per view (e.g. an internal view) if needed
    };
    
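    A small audit of the options block, added here as an example rather than anything from the original page: it parses named.conf text and flags the settings the sample above tightens (version, recursion, allow-transfer, listen-on). Both configuration fragments are constructed for the example, and the function names are its own.

```python
import re

# Constructed named.conf fragments (not a real server's configuration).
WEAK_CONF = """\
options {
    recursion yes;                  // the BIND default anyway
};
"""
HARDENED_CONF = """\
acl "my-home-lan" { 192.168.0.0/24; };
options {
    version "A working one";
    listen-on { 192.168.0.2; };
    allow-query { "my-home-lan"; localhost; };
    allow-recursion { "my-home-lan"; localhost; };
    allow-transfer { "none"; };
    recursion no;
};
"""

def parse_options(conf_text):
    """Return {statement_name: argument_text} for the top-level options {} block.
    Statements split on ';' at brace depth 0, so 'allow-query { a; b; }' stays whole."""
    text = re.sub(r"/\*.*?\*/", "", conf_text, flags=re.S)
    text = re.sub(r"(//|#).*", "", text)           # // and # comments run to end of line
    m = re.search(r"\boptions\s*\{", text)
    opts, cur, depth = {}, "", 0
    for ch in text[m.end():] if m else "":
        if ch == "}" and depth == 0:                # closing brace of the options block
            break
        depth += {"{": 1, "}": -1}.get(ch, 0)
        if ch == ";" and depth == 0:
            parts = cur.split(None, 1)
            if parts:
                opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
            cur = ""
        else:
            cur += ch
    return opts

def audit_options(conf_text):
    """Findings in the spirit of the sample above; an empty list means nothing was flagged."""
    opts, findings = parse_options(conf_text), []
    if "version" not in opts:
        findings.append("version: the real BIND version is advertised; mask it")
    if opts.get("recursion", "yes").lower() == "yes" and "allow-recursion" not in opts:
        findings.append("recursion: on without allow-recursion; restrict it or set 'recursion no'")
    if "allow-transfer" not in opts:
        findings.append("allow-transfer: not set globally; use { none; } and enable per zone")
    if "listen-on" not in opts:
        findings.append("listen-on: not set; named binds every interface")
    return findings
```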
  • Chrooting BIND9

    Create a user for BIND to run as

    # adduser --system --group --no-create-home named
    
    # grep named /etc/passwd
    named:x:200:200:Nameserver:/chroot/named:/bin/false
    
    # grep named /etc/group
    named:x:200:
    

    Create directories

    # mkdir -p /chroot/named
    # cd /chroot/named
    # mkdir -p dev etc/namedb/slave var/run
    

    Copy existing bind data to the 'jail'

    # cp -p /etc/bind/named.conf /chroot/named/etc/
    # cp -a /var/named/* /chroot/named/etc/namedb/
    # chown -R named:named /chroot/named/etc/namedb/slave
    # chown named:named /chroot/named/var/run
    

    Create system support files

    # mknod /chroot/named/dev/null c 1 3
    # mknod /chroot/named/dev/random c 1 8
    # chmod 666 /chroot/named/dev/{null,random}
    

    Tighten permissions

    # chown root /chroot
    # chmod 700 /chroot
    # chown named:named /chroot/named
    # chmod 700 /chroot/named
    

    Could well be a script that does most if not all of this now.

    Configure syslogd to accept log messages from the chroot'd BIND - the option and the file it lives in depend on the distribution:

    SYSLOGD_PARAMS="-a /chroot/named/dev/log"          (SuSe)
    OPTIONS_SYSLOGD="-m 0 -a /chroot/named/dev/log"    (Caldera)
    SYSLOGD="-m 0 -a /chroot/named/dev/log"            (Debian /etc/default/syslogd)
    daemon syslogd -m 0 -a /chroot/named/dev/log       (SysV init (RH) /etc/rc.d/init.d/syslog)
    

    Stop/Start syslogd

    # /etc/rc.d/init.d/syslog stop
    # /etc/rc.d/init.d/syslog start
    

    Miscellaneous - Debian - /etc/default/bind9

    OPTIONS="-u bind"                         # Run as user bind
    RESOLVCONF=yes
    
  • Stealth name server

    Also known as a DMZ or Split name server: a name server that does not appear in any publicly visible NS records for the domain.

    The key issue in a Stealth (a.k.a. Split) DNS system is that there is a clear line of demarcation between the internal Stealth server(s) and the external or public DNS server(s).

    The Stealth servers provide a comprehensive set of services to internal users - caching, recursive queries - and are configured as a typical master DNS. The external server may provide limited services and is typically configured as an authoritative-only DNS server.

    Two critical points

    (1) The zone file for the Stealth server will contain both public and private hosts, whereas the public server's master zone file will contain only public hosts.

    (2) To preserve the stealth nature it is vital that the PUBLIC DNS configuration does not include statements such as masters, allow-notify, allow-transfer etc. with references to the IP of the Stealth server.

    View statement example - named.conf

    On the stealth server use the view statement to split the zone file into external and internal zones.

    • The internal zone will be accessible to all internal systems and will also provide external mappings for internet/mail access ...
    • The external zone will be accessible to anyone but will only contain public addresses - no internal ones.

    acl "slaves" { 192.168.0.3; };
    acl "internals" { 127.0.0.0/8; 192.168.0.0/24; };
    
    // Once views are used every zone must live inside a view; named refuses to load a
    // named.conf that mixes top-level zone statements with views. The first view whose
    // match-clients matches wins, so the internal view comes first.
    view "internal" {
         match-clients { internals; };
         recursion yes;
         zone "example.com" {
             type master;
             file "/etc/bind/internals/db.example.com";
         };
    };
    
    view "external" {
         match-clients { any; };
         recursion no;
         zone "example.com" {
             type master;
             file "/etc/bind/externals/db.example.com";
             allow-transfer { slaves; };
         };
    };
    

    Example zone file - db.example.com

    $TTL    604800
    @       IN      SOA     ns1.example.com. root.example.com. (
                         2006020201 ; Serial
                             604800 ; Refresh
                              86400 ; Retry
                            2419200 ; Expire
                             604800); Negative Cache TTL
    ;
    @       IN      NS      ns1
            IN      MX      10 mail
            IN      A       192.168.0.1
    ns1     IN      A       192.168.0.1
    mail    IN      A       192.168.0.128              ; Mail server somewhere else.
    www     IN      A       192.168.0.1
    client1 IN      A       192.168.0.201              ; Connect to client1 very often.
    

    Copy this file to /etc/bind/externals/db.example.com

    Create internal zone file - /etc/bind/internals/db.example.com

    ; This contains only local/internal systems that we do not want anyone else to see.
    ; To provide external connectivity and simplify maintenance, $INCLUDE the external
    ; zone file (zone file comments start with ';', not '//').
    
    $INCLUDE "/etc/bind/externals/db.example.com"
    @       IN      A       192.168.0.1
    boss    IN      A       192.168.0.100
    printer IN      A       192.168.0.101
    scrtry  IN      A       192.168.0.102
    sip01   IN      A       192.168.0.201
    lab     IN      A       192.168.0.103