Paranoid Penguin - DNS Cache Poisoning, Part II: DNSSEC Validation

Configure your DNS server to check zone signatures using DNSSEC.
Setting Up a Caching Server

If you already have a caching-only nameserver (or a general-purpose nameserver that also caches), and you need to know only how to set up DNSSEC validation, you can skip ahead to the Setting Up DNSSEC Validation section below. In the interest of completeness, however, and for the purpose of pointing out a few default settings it's good to change, here's a quick procedure on setting one up.

First, install whatever (sub-)version of BIND9 your distribution supports. At the time of this writing, Ubuntu 10.10 includes BIND version 9.7.1; to install it, use this command:

sudo apt-get install bind9 bind9utils

The bind9 package provides BIND 9.7.1 itself in the form of the dæmon named, plus its configuration files, man pages and libraries. The bind9utils package provides handy commands, such as rndc and named-checkconf, and the DNSSEC commands dnssec-keygen and dnssec-signzone. Those last two are used only for creating and maintaining actual DNSSEC zone keys and signatures, respectively. You won't actually need those if all you're doing with DNSSEC is validating signatures from other zones.

On Debian and Ubuntu systems, the bind9 package places its configuration files in /etc/bind. The files we're concerned with here are /etc/bind/named.conf, /etc/bind/named.conf.options and /etc/bind/bind.keys.

Actually, of those three files, we'll edit only one, named.conf.options. I mention the other two in order to point out that named.conf uses “include” statements to pull content from /etc/bind/named.conf.options, /etc/bind/named.conf.local (which contains your local zone files) and /etc/bind/named.conf.default-zones (which contains default zone information for local loopback interfaces).

At this point, I have good news for you: your Debian or Ubuntu system's named.conf.options file is, technically, already set up to run named as a caching-only nameserver. The bad news is, it needs to be tightened up a bit before you can consider it to be a secure caching nameserver.

Listing 1 shows the default Debian/Ubuntu named.conf.options file (with comment lines omitted).

Listing 2, in contrast, is much more secure.

Let's discuss why Listing 2 is better. First, I've defined an Access Control List (ACL) that specifies two IP networks in “CIDR notation”. Technically, this is not an option, but it needs to be loaded before any option statements, so it needs to go either here or in named.conf prior to this line:

include "/etc/bind/named.conf.options";

In and of itself, this acl doesn't do anything. But once it's defined, I can create an “allow-query” option that refers to it, and as you can see in Listing 2, that's exactly what I've done. Obviously, in adapting this file for your own use, you should replace the list in my acl statement (“192.168.100.0/24; 10.10.0.0/16;”) with a list of your organization's local IP subnets.

The other security tweak I've made is to change the value for the “listen-on-v6” option from “any” to “none”. Because none of my local subnets use IPv6, there's no reason to listen on any local IPv6 interfaces. Technically, this shouldn't matter if I don't even have any IPv6 interface attached to my server and if I've set an acl and specified it in an allow-query statement. So, maybe I'm just being paranoid by turning off IPv6 altogether here, but turning off unused features is nearly always a good thing to do.

Once you've edited and saved your /etc/bind/named.conf.options file, you can check your work by running the named-checkconf command with no arguments, like so:

bash-$ sudo named-checkconf

Assuming that doesn't return any configuration errors (I have a tendency to misplace or omit semicolons, myself), you then can make your running named process reload its configuration and zone files using the rndc command, like this:

bash-$ sudo rndc reload

Now, you can test your server by logging on to some other host on your network and running a dig query or two against it. For example, if my caching nameserver's IP address is 192.168.100.253, I can have it look up DNS information for www.linuxjournal.com like so:

mick@someotherhost:/home/mick$ dig @192.168.100.253 
 ↪www.linuxjournal.com

You can, of course, simply configure your client system to use your caching nameserver as its default nameserver, in which case you can omit the @192.168.100.253 in the above command. But, you probably don't want to do that until you're sure it works.

If it doesn't work, make sure your client system's IP address falls into one of the IP networks you specified in any acls you've set in /etc/bind/named.conf.options, as I described earlier.

At this point, your caching-only nameserver is up and working properly. Now you can configure DNSSEC validation.

______________________

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix