Paranoid Penguin - DNS Cache Poisoning, Part II: DNSSEC Validation

Configure your DNS server to check zone signatures using DNSSEC.
Setting Up a Caching Server

If you already have a caching-only nameserver (or a general-purpose nameserver that also caches), and you need to know only how to set up DNSSEC validation, you can skip ahead to the Setting Up DNSSEC Validation section below. In the interest of completeness, however, and for the purpose of pointing out a few default settings it's good to change, here's a quick procedure on setting one up.

First, install whatever (sub-)version of BIND9 your distribution supports. At the time of this writing, Ubuntu 10.10 includes BIND version 9.7.1; to install it, use this command:

sudo apt-get install bind9 bind9utils

The bind9 package provides BIND 9.7.1 itself in the form of the dæmon named, plus its configuration files, man pages and libraries. The bind9utils package provides handy commands, such as rndc and named-checkconf, and the DNSSEC commands dnssec-keygen and dnssec-signzone. Those last two are used only for creating and maintaining actual DNSSEC zone keys and signatures, respectively. You won't actually need those if all you're doing with DNSSEC is validating signatures from other zones.

On Debian and Ubuntu systems, the bind9 package places its configuration files in /etc/bind. The files we're concerned with here are /etc/bind/named.conf, /etc/bind/named.conf.options and /etc/bind/bind.keys.

Actually, of those three files, we'll edit only one, named.conf.options. I mention the other two in order to point out that named.conf uses “include” statements to pull content from /etc/bind/named.conf.options, /etc/bind/named.conf.local (which contains your local zone files) and /etc/bind/named.conf.default-zones (which contains default zone information for local loopback interfaces).

At this point, I have good news for you: your Debian or Ubuntu system's named.conf.options file is, technically, already set up to run named as a caching-only nameserver. The bad news is, it needs to be tightened up a bit before you can consider it to be a secure caching nameserver.

Listing 1 shows the default Debian/Ubuntu named.conf.options file (with comment lines omitted).

Listing 2, in contrast, is much more secure.

Let's discuss why Listing 2 is better. First, I've defined an Access Control List (ACL) that specifies two IP networks in “CIDR notation”. Technically, this is not an option, but it needs to be loaded before any option statements, so it needs to go either here or in named.conf prior to this line:

include "/etc/bind/named.conf.options";

In and of itself, this acl doesn't do anything. But once it's defined, I can create an “allow-query” option that refers to it, and as you can see in Listing 2, that's exactly what I've done. Obviously, in adapting this file for your own use, you should replace the list in my acl statement (“;;”) with a list of your organization's local IP subnets.

The other security tweak I've made is to change the value for the “listen-on-v6” option from “any” to “none”. Because none of my local subnets use IPv6, there's no reason to listen on any local IPv6 interfaces. Technically, this shouldn't matter if I don't even have any IPv6 interface attached to my server and if I've set an acl and specified it in an allow-query statement. So, maybe I'm just being paranoid by turning off IPv6 altogether here, but turning off unused features is nearly always a good thing to do.

Once you've edited and saved your /etc/bind/named.conf.options file, you can check your work by running the named-checkconf command with no arguments, like so:

bash-$ sudo named-checkconf

Assuming that doesn't return any configuration errors (I have a tendency to misplace or omit semicolons, myself), you then can make your running named process reload its configuration and zone files using the rndc command, like this:

bash-$ sudo rndc reload

Now, you can test your server by logging on to some other host on your network and running a dig query or two against it. For example, if my caching nameserver's IP address is, I can have it look up DNS information for like so:

mick@someotherhost:/home/mick$ dig @ 

You can, of course, simply configure your client system to use your caching nameserver as its default nameserver, in which case you can omit the @ in the above command. But, you probably don't want to do that until you're sure it works.

If it doesn't work, make sure your client system's IP address falls into one of the IP networks you specified in any acls you've set in /etc/bind/named.conf.options, as I described earlier.

At this point, your caching-only nameserver is up and working properly. Now you can configure DNSSEC validation.


White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState