Agenda: 03-dns-acl-tsig-transfer-security.txt

File 03-dns-acl-tsig-transfer-security.txt, 4.7 KB (added by Andy Linton, 6 years ago)
BIND TRANSFER SECURITY
----------------------

We're going to limit zone transfer of your zones so that only
your secondary/slave nameservers are allowed to request copies
of the zones.

ACL based security
------------------

To start with, we'll enable IP based ACLs -- on the AUTH1 host:

1. Start by editing /etc/namedb/named.conf, and in the "options" section,
   let's define who is allowed to transfer your zone.

   allow-transfer { 127.0.0.1; ::1; YOUR_OWN_IP; myslaves; };

   ... replace "YOUR_OWN_IP" with the IP of your machine :)

   Now we need to define the ACL "myslaves".  To do so, AFTER the options
   section (find the '};' symbol at the end of the section), add something
   similar to this:

   (If the slaves for your "MYTLD" domain are auth2.grp25 and auth2.grp26, for example)

acl myslaves { 10.10.25.2; 10.10.26.2; }; // ACL with the IPs of the Group25 and Group26 slave servers

        This means "myslaves is an ACL consisting of the IPs 10.10.25.2 and 10.10.26.2".

        NOTE: remember to enter the correct values! You must write the IPs
        of the machines that are your secondaries in the class - remember!

2. Restart named

        $ sudo service named restart

3. Make sure that you didn't break the zone transfer by getting your
   slave partners to run a zone transfer against YOUR machine.

   From those servers:

   $ dig @auth1.grpX.dns.nsrc.org MYTLD axfr

   Make sure that it still works.

4. Now ask someone else in the class whose server is NOT in the
   ACL to try the same axfr command as above.

   Q: Do they succeed?

   Q: What do you see in the logs in /etc/namedb/log/general?
      What do you see in the logs in /etc/namedb/log/transfers?
TSIG KEY based security
-----------------------

Instead of using IP addresses, we'll now use cryptographic keys
to authenticate zone transfers -- this uses TSIG, a mechanism by which
the master and slave server authenticate each message between them with
an HMAC computed over a shared secret key.

1. Run:

        $ cd /tmp/
        $ sudo dnssec-keygen -a HMAC-MD5 -b 128 -n HOST mydomain.key

        You will see something similar to this:

Kmydomain.key.+157+32373   (the last number will change)

        Two files have been created:

        $ ls -l K*

Kmydomain.key.+157+32373.key
Kmydomain.key.+157+32373.private

2. View the contents of the private key

        $ cat Kmydomain.key.+157+32373.private

        You will see something similar to:

Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: tHTRSKKrmyGmPnzNCf2IRA==
Bits: AAA=

        ... the "Key:" is the important bit here, so copy
        "tHTRSKKrmyGmPnzNCf2IRA==", but of course not the one above, the one
        in YOUR file :)

        We will use this in the next steps.
3.  Modify your named.conf

        $ cd /etc/namedb/

        Edit the file, and change the allow-transfer statement so that it looks
        like this:

options {
        ...
        allow-transfer { 127.0.0.1; ::1; };  // myslaves is removed!
        ...
};

        Note: We have removed "myslaves"

        Now, after the options (or at the bottom of the file), add a new
        declaration for the key:

key "mydomain-key" {
        algorithm hmac-md5;
        secret "tHTRSKKrmyGmPnzNCf2IRA=="; // Your REAL key goes here!
};

        Don't forget to replace "mydomain" with the name of your domain!

        Change the definition for your zone:

zone "MYTLD" {
        type master;
        file "/etc/namedb/master/mytld";

        allow-transfer { key mydomain-key; };   // <-- Add this!
};

As you can see above, we've added an "allow-transfer" statement
allowing transfer of the zone for holders of the "mydomain-key".

Note: the allow-transfer is now placed INSIDE the zone definition,
and not globally inside the options section -- BIND can control zone
transfer either globally, or by zone. We could have chosen to allow
transfers GLOBALLY (for all zones), by leaving the allow-transfer
statement in the main "options" section.
4. Restart named

        $ sudo service named restart

5. Try and make a zone transfer from ANOTHER machine -- ask your neighbors
   to do:

        $ dig @10.10.XX.1 MYTLD axfr

        Look at /etc/namedb/log/general and /etc/namedb/log/transfers

        Q: What do you notice?

6. Then, ask them to try again with the key:

        $ dig @10.10.XX.1 axfr mydomain -y mydomain-key:tHTRSKKrmyGmPnzNCf2IRA==

        Q: What happens now?

        Check the logs again, especially /etc/namedb/log/transfers

7. Now, do the setup for your NSD "auth2" server

        ... since you have disabled IP ACLs, your AUTH2 NSD server is not
        able to get the zone!

        Read the NSD manual page (man nsd.conf) if you are in doubt about
        how to specify the key format in NSD for zone transfers. Update
        the "zone:" definition for MYTLD, so that it now uses
        a KEY instead of NOKEY to transfer the zone from your MASTER (auth1).

        Afterwards, you will need to run "nsdc restart".  Does the zone get
        transferred?  Remember to check the logs on the MASTER (auth1) as
        well!
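Most failures in steps 3 to 7 come from a mis-copied secret, so here is an added helper (example code written for this page, not part of the exercise or of BIND/NSD) that reads the dnssec-keygen .private file from step 2, checks that the secret decodes to the size requested with -b, and emits the named.conf key statement, the nsd.conf key/zone fragment and the dig -y test command; the algorithm-number table and the nsd.conf "request-xfr"/"allow-notify" syntax are assumptions.

```python
import base64
import re

# Assumption (not from the exercise): the algorithm numbers dnssec-keygen writes
# to the .private file and the K*.+NNN+ file name, mapped to the TSIG names that
# named.conf and nsd.conf accept. The exercise uses hmac-md5.
HMAC_ALGORITHMS = {157: "hmac-md5", 161: "hmac-sha1", 163: "hmac-sha256",
                   164: "hmac-sha384", 165: "hmac-sha512"}

# Constructed sample input: the .private file shown in step 2 of the exercise.
SAMPLE_PRIVATE = """Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: tHTRSKKrmyGmPnzNCf2IRA==
Bits: AAA=
"""

def parse_private_key(text, expected_bits=128):
    """Return (tsig_algorithm, base64_secret) from a dnssec-keygen .private file.
    Rejects non-HMAC algorithms and a secret whose decoded size differs from the
    -b value, which catches a truncated or mis-pasted "Key:" line."""
    fields = dict(re.findall(r"^([A-Za-z-]+):\s*(.*?)\s*$", text, re.M))
    alg_num = int(fields["Algorithm"].split()[0])
    if alg_num not in HMAC_ALGORITHMS:
        raise ValueError("algorithm %d is not a TSIG HMAC algorithm" % alg_num)
    secret = fields["Key"]
    raw = base64.b64decode(secret, validate=True)  # raises on non-base64 input
    if len(raw) * 8 != expected_bits:
        raise ValueError("secret is %d bits, expected %d" % (len(raw) * 8, expected_bits))
    return HMAC_ALGORITHMS[alg_num], secret

def bind_key_statement(name, algorithm, secret):
    """The key statement to add to named.conf on the master (step 3)."""
    return 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' % (name, algorithm, secret)

def nsd_slave_config(zone, zonefile, master_ip, name, algorithm, secret):
    """key: and zone: blocks for nsd.conf on the slave (step 7). Assumption:
    nsd.conf takes 'request-xfr: <ip> <keyname>' and 'allow-notify: <ip> <keyname>'
    where the exercise previously had NOKEY."""
    return ('key:\n\tname: "%s"\n\talgorithm: %s\n\tsecret: "%s"\n\n'
            'zone:\n\tname: "%s"\n\tzonefile: "%s"\n'
            '\tallow-notify: %s %s\n\trequest-xfr: %s %s\n'
            % (name, algorithm, secret, zone, zonefile, master_ip, name, master_ip, name))

def dig_axfr_command(master_ip, zone, name, algorithm, secret):
    """argv for the step 6 test transfer, with the algorithm spelled out in -y."""
    return ["dig", "@" + master_ip, zone, "axfr", "-y", "%s:%s:%s" % (algorithm, name, secret)]
```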