Paranoid Penguin - DNS Cache Poisoning, Part II: DNSSEC Validation

If you already have a caching-only nameserver (or a general-purpose nameserver that also caches), and you need to know only how to set up DNSSEC validation, you can skip ahead to the Setting Up DNSSEC Validation section below. In the interest of completeness, however, and for the purpose of pointing out a few default settings it's good to change, here's a quick procedure on setting one up.

First, install whatever (sub-)version of BIND9 your distribution supports. At the time of this writing, Ubuntu 10.10 includes BIND version 9.7.1; to install it, use this command:

sudo apt-get install bind9 bind9utils

The bind9 package provides BIND 9.7.1 itself in the form of the dæmon named, plus its configuration files, man pages and libraries. The bind9utils package provides handy commands, such as rndc and named-checkconf, and the DNSSEC commands dnssec-keygen and dnssec-signzone. Those last two are used only for creating and maintaining actual DNSSEC zone keys and signatures, respectively. You won't actually need those if all you're doing with DNSSEC is validating signatures from other zones.

On Debian and Ubuntu systems, the bind9 package places its configuration files in /etc/bind. The files we're concerned with here are /etc/bind/named.conf, /etc/bind/named.conf.options and /etc/bind/bind.keys.

Actually, of those three files, we'll edit only one, named.conf.options. I mention the other two in order to point out that named.conf uses “include” statements to pull content from /etc/bind/named.conf.options, /etc/bind/named.conf.local (which contains your local zone files) and /etc/bind/named.conf.default-zones (which contains default zone information for local loopback interfaces).

At this point, I have good news for you: your Debian or Ubuntu system's named.conf.options file is, technically, already set up to run named as a caching-only nameserver. The bad news is, it needs to be tightened up a bit before you can consider it to be a secure caching nameserver.

Listing 1 shows the default Debian/Ubuntu named.conf.options file (with comment lines omitted).

options {
	directory "/var/cache/bind";
	auth-nxdomain no;    # conform to RFC1035
	listen-on-v6 { any; };
};

Listing 2, in contrast, is much more secure.

acl mynetworks { 192.168.100.0/24; 10.10.0.0/16; };
options {
        directory "/var/cache/bind";
        allow-query { mynetworks; };
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { none; };
};

Let's discuss why Listing 2 is better. First, I've defined an Access Control List (ACL) that specifies two IP networks in “CIDR notation”. Technically, this is not an option, but it needs to be loaded before any option statements, so it needs to go either here or in named.conf prior to this line:

include "/etc/bind/named.conf.options";

In and of itself, this acl doesn't do anything. But once it's defined, I can create an “allow-query” option that refers to it, and as you can see in Listing 2, that's exactly what I've done. Obviously, in adapting this file for your own use, you should replace the list in my acl statement (“192.168.100.0/24; 10.10.0.0/16;”) with a list of your organization's local IP subnets.

The other security tweak I've made is to change the value for the “listen-on-v6” option from “any” to “none”. Because none of my local subnets use IPv6, there's no reason to listen on any local IPv6 interfaces. Technically, this shouldn't matter if I don't even have any IPv6 interface attached to my server and if I've set an acl and specified it in an allow-query statement. So, maybe I'm just being paranoid by turning off IPv6 altogether here, but turning off unused features is nearly always a good thing to do.

Once you've edited and saved your /etc/bind/named.conf.options file, you can check your work by running the named-checkconf command with no arguments, like so:

bash-$ sudo named-checkconf

Assuming that doesn't return any configuration errors (I have a tendency to misplace or omit semicolons, myself), you then can make your running named process reload its configuration and zone files using the rndc command, like this:

bash-$ sudo rndc reload

Now, you can test your server by logging on to some other host on your network and running a dig query or two against it. For example, if my caching nameserver's IP address is 192.168.100.253, I can have it look up DNS information for www.linuxjournal.com like so:

mick@someotherhost:/home/mick$ dig @192.168.100.253 
 ↪www.linuxjournal.com

You can, of course, simply configure your client system to use your caching nameserver as its default nameserver, in which case you can omit the @192.168.100.253 in the above command. But, you probably don't want to do that until you're sure it works.

If it doesn't work, make sure your client system's IP address falls into one of the IP networks you specified in any acls you've set in /etc/bind/named.conf.options, as I described earlier.

At this point, your caching-only nameserver is up and working properly. Now you can configure DNSSEC validation.