pavement

BIND, securing

From FreeBSDwiki
(Difference between revisions)
Jump to: navigation, search
(Poison is bad)
(Poison is bad: - updated with how DNS poisoning actually works)
Line 15: Line 15:
  
 
==Poison is bad==
 
==Poison is bad==
DNS poisoning is fairly easy to get: run a server that allows recursive lookups and acts as authoritative for your  domain. It's that easy. It works like this: a [[black hat]] will get his bad domain, spamandviruses.com and do a lookup against your name server for it. Now your nameserver has the DNS lookup info for spamandviruses.com cached. Then they'll go to their registrar and assign their authoritative DNS server to be ''your'' DNS server; alternately, they can add NS (nameserver) records for the DNS they want to poison in their DNS (see the djb link below) as well as pointing their bad domain records to that NS.
+
DNS cache poisoning is one of many REALLY good reasons not to keep running ancient and outdated DNS services (like the BIND4 that shipped on those Sun servers your organization insists on maintaining for at least 30 more years). It works like this:  
  
Now they are free to spam and every name lookup for spamandviruses.com goes to YOUR dns server, and within a few days or hours you'll find your DNS server on a blacklist or five. Congratulations, your DNS has been poisoned.
+
# First, a [[black hat]] registers a domain, poisoner.tld, and sets his own nameserver, ns1.poisoner.tld, as its [[authoritative nameserver]].
 +
# Then, he creates an NS record in his poisoner.tld [[zone file]] which tells anybody looking up poisoner.tld to look it up at your nameserver, ns.victim.tld.
 +
# Here's the tricky part - now he creates an A record in his poisoner.tld [[zone file]] that says that your nameserver, ns.victim.tld, can be found at his ''own'' IP address.
 +
# Finally, the stage is set: now, the [[black hat]] just asks your ns1.victim.tld to look up poisoner.tld.  When ns1.victim.tld asks the [[root servers]] where to find the records for poisoner.tld, they tell it to ask ns1.poisoner.tld.  Then when ns1.victim.tld asks ns1.poisoner.tld where to find poisoner.tld, it is told to look on ns1.victim.tld - ''and it's told that ns1.victim.tld's IP address is the same one for ns1.poisoner.tld.''  Since ns1.victim.tld caches query results to improve performance, it will now tell anyone who asks it that ns1.victim.tld is actually ns1.poisoner.tld.
 +
# The end result: now, when user niceguy tries to go to www.victim.tld, he asks ns1.victim.tld where to find the records for victim.tld - and ns1.victim.tld has a cached result that says to go to ns1.poisoner.tld's IP address, ''so that's where user niceguy looks next'', and then ns1.poisoner.tld directs user niceguy to wherever the [[black hat]] wants him to go.
  
Avoid DNS poisoning: make your authoritative servers non-recursive and run caching servers for your clients and make your slaves public (while keeping your authoritative server(s) stealth'd.
+
The good news is, DNS cache poisoning has been fixed (by refusing to cache query results coming from servers that aren't actually authoritative for the results they are giving) in BIND since 1997.  The bad news is, enough people are still running ancient legacy DNS services that there are still plenty of [[black hat]]s industriously trying to poison everything in sight just to see if it works.
 +
 
 +
Avoid DNS poisoning: don't run outdated DNS services, make your authoritative servers non-recursive, and where possible, limit public access to any caching DNS servers you run for you and/or your clients.
  
 
To learn more about poisoning, see Daniel J. Bernstein's article at http://cr.yp.to/djbdns/notes.html#poison
 
To learn more about poisoning, see Daniel J. Bernstein's article at http://cr.yp.to/djbdns/notes.html#poison

Revision as of 12:55, 23 May 2006

Contents

Your DNS network design

Ideally, the strongest layout consists of at least two DNS servers on two wholly seperate networks -- seperate physically and logically (different locations, different IP nets.) At least two, because really you'll probably want three -- two that people know about and one that people don't know about: your hidden master DNS server. So: make two slave DNS servers, point them to your authoritative nameserver, which for the sake of security should only allow updates TO your slaves and connections FROM your admin's IP addresses and the slave servers. If you can, make it a non-routeable address (10.0.0.0/8, 192.168/16, etc) that your slaves reach either directly or through a NAT'd firewall.

Do Not Pass Go, Do Not Collect 200$, Go Directly to Jail

Setting your DNS server inside a jail means that you're going to have a bit of a pain on the initial setup and install but you'll be that much more secure if your DNS server does get hacked. By placing just what it needs to run and nothing else in the jail, anyone that gets in will have a harder time doing anything with your server or to your network; no compilers means no binaries can be built on your system itself to give you a trojan: your would-be attackers would have to build the binaries somewhere else and copy them over and hope they work on your system. If you've got backups of your DNS data -- and you should, the slaves would essentially function as backups -- then even the dreaded rm -rf / inside your jail shouldn't be fatal: promote your slave to master for all your zones, rm -rf your jail directory and re-create it, make it a slave and copy your data over again by HUP'ing your server and you're good to go (you'll probably want to find out how they got in to do Bad Things so that it doesn't happen again, though).

Don't run as root

Make a dns account to run your nameserver from; block it from accessing the net over anything but UDP/TCP ports 53 (using ACLs or a firewall etc).

Use Views

Views are a feature of BIND 9, essentially it boils down to keeping two sets of data for a given zone and setting an ACL for each of them. So that internally, your network has a DNS server that has records for everymachine you want -- every single networked printer, router, switch, workstation and server, if you like -- and externally, only what needs to be accessible from the world has a record.

Don't rely on just network security or just host security: use both

Well, your network has a bastion host and it's protecting the whole network, including your DNS server, so why worry, right? Right. Maybe. Or Maybe Wrong. Maybe really wrong. In any case, better safe than sorry: recompile your FreeBSD kernel and include ipfw in it and set your firewall rules to just what you need: UDP/TCP 53 (DNS), TCP 22 (SSH), and possibly your webmin management port for your networks.

Poison is bad

DNS cache poisoning is one of many REALLY good reasons not to keep running ancient and outdated DNS services (like the BIND4 that shipped on those Sun servers your organization insists on maintaining for at least 30 more years). It works like this:

  1. First, a black hat registers a domain, poisoner.tld, and sets his own nameserver, ns1.poisoner.tld, as its authoritative nameserver.
  2. Then, he creates an NS record in his poisoner.tld zone file which tells anybody looking up poisoner.tld to look it up at your nameserver, ns.victim.tld.
  3. Here's the tricky part - now he creates an A record in his poisoner.tld zone file that says that your nameserver, ns.victim.tld, can be found at his own IP address.
  4. Finally, the stage is set: now, the black hat just asks your ns1.victim.tld to look up poisoner.tld. When ns1.victim.tld asks the root servers where to find the records for poisoner.tld, they tell it to ask ns1.poisoner.tld. Then when ns1.victim.tld asks ns1.poisoner.tld where to find poisoner.tld, it is told to look on ns1.victim.tld - and it's told that ns1.victim.tld's IP address is the same one for ns1.poisoner.tld. Since ns1.victim.tld caches query results to improve performance, it will now tell anyone who asks it that ns1.victim.tld is actually ns1.poisoner.tld.
  5. The end result: now, when user niceguy tries to go to www.victim.tld, he asks ns1.victim.tld where to find the records for victim.tld - and ns1.victim.tld has a cached result that says to go to ns1.poisoner.tld's IP address, so that's where user niceguy looks next, and then ns1.poisoner.tld directs user niceguy to wherever the black hat wants him to go.

The good news is, DNS cache poisoning has been fixed (by refusing to cache query results coming from servers that aren't actually authoritative for the results they are giving) in BIND since 1997. The bad news is, enough people are still running ancient legacy DNS services that there are still plenty of black hats industriously trying to poison everything in sight just to see if it works.

Avoid DNS poisoning: don't run outdated DNS services, make your authoritative servers non-recursive, and where possible, limit public access to any caching DNS servers you run for you and/or your clients.

To learn more about poisoning, see Daniel J. Bernstein's article at http://cr.yp.to/djbdns/notes.html#poison

To see if you can be poisoned, see http://ketil.froyn.name/poison.html

External Links

[O'Reilly's BIND book's security chapter]

[Hardening BIND 8]

[Hardening BIND 9]

[Info on chroot'ing]

[Implementing Views in BIND 9, by Cricket Liu]. Thumbing through O'Reilly's DNS & BIND book is highly recommended -- Cricket Liu quite literally wrote the book on DNS.


BIND (installing)

BIND (configuring)

BIND (managing)

Personal tools