Agenda: dns-bind-transfer-security.txt

File dns-bind-transfer-security.txt, 4.6 KB (added by regnauld, 8 years ago)
BIND TRANSFER SECURITY
----------------------

We're going to limit zone transfers of your zones so that only
your secondary/slave nameservers are allowed to request copies
of the zones.  Left open, AXFR hands anyone who can reach port 53
a complete list of the names and addresses in the zone.

ACL based security
------------------

To start with, we'll enable IP based ACLs -- on the MASTER host:

1. Start by editing /etc/namedb/named.conf, and in the "options" section,
   define who is allowed to transfer your zones:

   allow-transfer { 127.0.0.1; ::1; myslaves; };

   Now we need to define the ACL "myslaves".  BIND's documentation says
   an ACL must be defined before it is referenced, so the safe place is
   near the top of named.conf, BEFORE the options section (find the line
   that starts with "options {").  Add something similar to this:

   (If the slave for your "MYTLD" domain is master.grp25, for example,
   and your own group is X)

acl myslaves { 10.10.25.1; 10.10.X.3; }; // Group25's master, and your own NSD secondary

        This means "myslaves is an ACL consisting of the IP 10.10.25.1
        (master.grp25, the BIND server that slaves your zone) and your own
        NSD secondary, 10.10.X.3".

        An IP ACL identifies an address, not a host: any machine that can
        send traffic from one of those addresses (a NAT box sharing the
        address, a compromised host behind it) passes the check.

2. Check the configuration, then restart named

        # named-checkconf /etc/namedb/named.conf
        # /etc/rc.d/named restart

3. Make sure that you didn't break the zone transfer by asking your
   slave partner to run a zone transfer against YOUR machine.

   From their server:

   # dig @master.grpX.ws.nsrc.org MYTLD axfr

   A successful transfer prints the whole zone, with the SOA record first
   and last; a refused one ends with "; Transfer failed."

4. Now ask someone else who is NOT in the ACL to try the same
   axfr command as above.

   Q: Do they succeed ?
   Q: What do you see in the logs in /etc/namedb/log/transfers ?

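How named actually evaluates these lists, as an added example (illustrative Python written for this page, not BIND's code): it reads a constructed named.conf fragment containing the ACL from step 1 (with your group X taken to be 7, an assumption), applies BIND's first-match rule to the options-level allow-transfer, and goes one step beyond this section by also handling a zone-level allow-transfer that holds a "key" element, which replaces the global list for that zone. The parser only understands the subset of named.conf syntax used on this page.

```python
"""Evaluate BIND allow-transfer decisions the way named does: first-match
address-match-list semantics, named ACLs, zone-level list replacing the global.
Added example (hypothetical helper, not BIND's code); parses only the
named.conf subset this page uses."""
import ipaddress
import re

# Constructed named.conf fragment.  The page's "10.10.X.3" is written here as
# 10.10.7.3, i.e. "your group is 7" is an assumption made for the example.
NAMED_CONF = """
acl myslaves { 10.10.25.1; 10.10.7.3; };   // Group25's master, and your own NSD secondary

options {
        allow-transfer { 127.0.0.1; ::1; myslaves; };
};

key "mydomain-key" { algorithm hmac-md5; secret "tHTRSKKrmyGmPnzNCf2IRA=="; };

zone "MYTLD" {
        type master;
        file "master/MYTLD";
        allow-transfer { key mydomain-key; };   // replaces the options-level list
};

zone "OTHER" {
        type master;
        file "master/OTHER";
};
"""

# Built-in ACL names ("localhost" approximated by loopback; in named it is
# every address configured on the host).
BUILTIN = {"any": ["0.0.0.0/0", "::/0"], "none": [], "localhost": ["127.0.0.1", "::1"]}

def _strip_comments(text):
    return re.sub(r"//[^\n]*|#[^\n]*|/\*.*?\*/", "", text, flags=re.S)

def _block(text, open_idx):
    """Text between the '{' at text[open_idx] and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in named.conf")

def _elements(body):
    return [e.strip() for e in body.split(";") if e.strip()]

def _allow_transfer(body):
    """The allow-transfer list inside a block, or None if the block has none."""
    m = re.search(r"\ballow-transfer\s*\{", body)
    return _elements(_block(body, m.end() - 1)) if m else None

def parse_named_conf(text):
    """Collect acl definitions, the options-level allow-transfer and each zone's."""
    text = _strip_comments(text)
    conf = {"acl": {}, "global": None, "zones": {}}
    for m in re.finditer(r'\b(acl|options|zone)\b\s*("?[\w.-]+"?)?\s*\{', text):
        kind, name = m.group(1), (m.group(2) or "").strip('"')
        body = _block(text, m.end() - 1)
        if kind == "acl":
            conf["acl"][name] = _elements(body)
        elif kind == "options":
            conf["global"] = _allow_transfer(body)
        else:
            conf["zones"][name] = _allow_transfer(body)
    return conf

def _match(elements, conf, ip, key):
    """First match wins: True, False (a negated '!' element matched) or None.
    A nested ACL counts only when it matches positively, as in named."""
    addr = ipaddress.ip_address(ip)
    for el in elements:
        negate = el.startswith("!")
        el = el[1:].strip() if negate else el
        if el.startswith("key "):
            hit = key is not None and el.split(None, 1)[1].strip('"') == key
        elif el in conf["acl"] or el in BUILTIN:
            hit = _match(conf["acl"].get(el, BUILTIN.get(el)), conf, ip, key) is True
        else:
            net = ipaddress.ip_network(el, strict=False)
            hit = addr.version == net.version and addr in net
        if hit:
            return not negate
    return None

def may_transfer(conf, zone, ip, key=None):
    """May a request from ip (TSIG-signed with key, or unsigned) AXFR zone?"""
    lst = conf["zones"].get(zone)
    if lst is None:      # no zone-level statement: the options-level one applies
        lst = conf["global"]
    if lst is None:      # neither: the BIND this lab uses defaults to "any"
        lst = BUILTIN["any"]
    return _match(lst, conf, ip, key) is True

if __name__ == "__main__":
    conf = parse_named_conf(NAMED_CONF)
    for zone, ip, key in [("OTHER", "10.10.25.1", None), ("OTHER", "10.10.26.1", None),
                          ("MYTLD", "10.10.25.1", None), ("MYTLD", "10.10.26.1", "mydomain-key")]:
        print(zone, ip, key, "allowed" if may_transfer(conf, zone, ip, key) else "REFUSED")
```

Note what the zone-level list does to your partner: once "MYTLD" says allow-transfer { key mydomain-key; }, the address 10.10.25.1 from the ACL no longer gets that zone unless the request is signed, while zones without their own statement still follow the options-level list.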
KEY based security
------------------

Instead of using IP addresses, we'll now be using cryptographic keys
to authenticate zone transfers -- this uses TSIG (transaction signatures,
RFC 2845, now RFC 8945), a mechanism by which each message between the
master and the slave carries an HMAC computed with a shared secret, so
the master checks WHO is asking rather than WHERE the request comes from.

1. Run:

# cd /tmp/
# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST mydomain.key

        You will see something like:

Kmydomain.key.+157+32373   (the last number will change)

        Two files have been created:

        # ls -l K*

Kmydomain.key.+157+32373.key
Kmydomain.key.+157+32373.private

        Note: HMAC-MD5 is what this lab uses.  On BIND 9.14 and later
        dnssec-keygen no longer generates TSIG keys at all; use

        # tsig-keygen -a hmac-sha256 mydomain-key

        which prints a complete "key" statement ready to paste into
        named.conf.  Prefer hmac-sha256 wherever you have the choice:
        RFC 8945 makes it mandatory to implement, HMAC-MD5 only optional.

2. View the contents of the private key

        # cat Kmydomain.key.+157+32373.private

        You will see something similar:

Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: tHTRSKKrmyGmPnzNCf2IRA==
Bits: AAA=

        ... the "Key:" line is the important part here, so copy
        "tHTRSKKrmyGmPnzNCf2IRA==" (not THIS one, the one in YOUR file :)

        Treat that string like a password: whoever has it can sign
        requests as your slave.

3.  Modify your named.conf

        # cd /etc/namedb/

        Edit the file, and change the allow-transfer statement in the
        options section so that it looks like this:

options {
        ...
        allow-transfer { 127.0.0.1; ::1; };  // myslaves is removed!
        ...
};

        Note: We have removed "myslaves"

        Now, after the options section (or at the bottom of the file), add a new
        declaration for the key:

key "mydomain-key" {
        algorithm hmac-md5;
        secret "tHTRSKKrmyGmPnzNCf2IRA==";
};

        named.conf now contains a secret, so make sure it is readable only
        by root and the user named runs as (or keep the key statement in a
        separate file with tight permissions and pull it in with "include").

        Change the definition for your zone:

zone "MYTLD" {
        type master;
        ...
        allow-transfer { key mydomain-key; };   // <-- Add this!
};

As you can see above, we've added an "allow-transfer" statement
allowing transfer of the zone for holders of the "mydomain-key".

Note that this allow-transfer is placed INSIDE the zone definition,
and not globally inside the options section -- BIND can control zone
transfers either globally, or per zone, and a zone-level allow-transfer
REPLACES the global one for that zone rather than being merged with it.

4. Check the configuration, then restart named

        # named-checkconf /etc/namedb/named.conf
        # /etc/rc.d/named restart

5. Try and make a zone transfer from ANOTHER machine -- ask your neighbors:

        # dig @10.10.XX.1 MYTLD axfr

        Look at /etc/namedb/log/general and /etc/namedb/log/transfers

        Q: What do you notice ?

6. Try again with the key:

        # dig @10.10.XX.1 MYTLD axfr -y hmac-md5:mydomain-key:tHTRSKKrmyGmPnzNCf2IRA==

        (dig's -y takes [hmac:]keyname:secret.  The key NAME is part of
        what gets signed, so it must be identical on both sides; a name
        the master doesn't know is refused with BADKEY, a wrong secret
        with BADSIG.)

        Q: what happens now ?

        Check the logs again, especially /etc/namedb/log/transfers

        Passing the secret on the command line leaves it in your shell
        history and in the process list; outside the lab, use "dig -k"
        with a key file instead.


7. On your slave:

        Start by deleting the copy of the slave zone:

        - Remove the zone file from /etc/namedb/slave/ -- remember, this
          is on the machine of your SLAVE partner

        # rm /etc/namedb/slave/MYTLD

        - Restart named

        # /etc/rc.d/named restart

        Check that the zone is gone AND that the slave wasn't able to reload
        it (the slave still sends an unsigned AXFR request, and the master
        now only accepts signed ones).

        Q: What do you see in the MASTER logs (transfers and general) ?
        Q: What do you see in the SLAVE logs (transfers and general) ?

8. Still on the SLAVE:

Find the statement for the zone:

zone "MYTLD" {
        type slave;
        masters { 10.10.XX.1; };
        file "slave/MYTLD";
};

... and add the key, and a "server" statement to tell named which key
to use when talking to 10.10.XX.1 (the master).  The key name and the
secret must be exactly the same as on the master:

key "mydomain-key" {
        algorithm hmac-md5;
        secret "tHTRSKKrmyGmPnzNCf2IRA==";
};
server 10.10.XX.1 {
        keys { mydomain-key; };
};

9. Check the configuration, then restart named

        # named-checkconf /etc/namedb/named.conf
        # /etc/rc.d/named restart

        On the SLAVE server:

        Q: Is the zone "MYTLD" back in the slave/ directory ?
        Q: What do you see in the MASTER logs (transfers and general) ?
        Q: What do you see in the SLAVE logs (transfers and general) ?

        Can you see a general benefit from using keys instead of IP ACLs ?
        (Hint: what happens to an IP ACL when your slave moves to a new
        address, or shares a NAT address with machines you don't trust ?)
