LPI Linux Certification/Securing A DNS Server

Detailed Objectives (207.3)
(LPIC-2 Version 4.5)

Weight: 3

Description: Candidates should be able to configure a DNS server to run as a non-root user and run in a chroot jail. This objective includes secure exchange of data between DNS servers.

Key Knowledge Areas:
 * BIND 9 configuration files
 * Configuring BIND to run in a chroot jail
 * Split configuration of BIND using the forwarders statement
 * Configuring and using transaction signatures (TSIG)
 * Awareness of DNSSEC and basic tools
 * Awareness of DANE and related records

Terms and Utilities:
 * DNSSEC

Securing a DNS server
First of all, keep BIND current: follow the ISC security announcements and your distribution's security updates, and install new versions promptly. The old warning that versions prior to 8.2.3 are vulnerable to known attacks still stands, and the whole BIND 8 branch has been end of life for years, so run a supported BIND 9 release.

Hide your version number from foreign queries: it tells an attacker exactly which known bugs to try against you. Since BIND 8.2 you can set in named.conf:

options { version "None of your business"; };

You can also restrict who is allowed to query the server, either globally:

options { allow-query { address-match-list; }; };

or per zone (a zone-level allow-query takes precedence over the global one):

zone "test.com" { type slave; file "db.test"; allow-query { 192.168.0.0/24; }; };

Even more important, make sure only your real slave servers can transfer zones from the master: a zone transfer (AXFR/IXFR) hands an attacker your complete zone in one request. Use the allow-transfer statement, either globally (in the options statement, where it applies to all zones) or per zone, and list only the slaves' addresses or, better, a TSIG key they must sign with. On the slaves, disable zone transfers altogether:

allow-transfer { none; };
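The three controls above put together in one configuration, as an added example that is not part of the original page. It shows a master and its single slave for a public zone, with the fake version string, a global allow-query that the public zone overrides, transfers allowed only to a holder of a shared TSIG key (the "secure exchange of data between DNS servers" part of the objective), and transfers refused on the slave. example.com, the two addresses, the key name and the secret are placeholders; generate a real secret with tsig-keygen and paste the same key statement on both servers.

```conf
// Common to master and slave (on Debian this goes in named.conf.options/.local)
acl "internal" { 192.168.0.0/24; 127.0.0.1; };

// TSIG key shared by master and slave. The secret below is a placeholder
// (base64 of "secret-placeholder-replace-me"); create a real one with
//   tsig-keygen xfer-key
// and keep the file holding it root:bind, mode 640.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LXBsYWNlaG9sZGVyLXJlcGxhY2UtbWU=";
};

options {
    directory "/var/cache/bind";
    version "None of your business";   // answer to version.bind/CHAOS queries
    recursion no;                      // authoritative only, never an open resolver
    allow-query { internal; };         // global default, overridden per zone below
    allow-transfer { none; };          // global default: nobody may transfer anything
};

// ---- master (192.168.0.1) only ----
// Sign NOTIFY messages sent to the slave with the shared key.
server 192.168.0.2 { keys { xfer-key; }; };

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-query { any; };                 // public zone: zone setting wins over options
    allow-transfer { key xfer-key; };     // only TSIG-signed requests, regardless of source IP
    also-notify { 192.168.0.2; };
};

// ---- slave (192.168.0.2) only ----
// Sign the SOA checks and transfer requests sent to the master with the key.
server 192.168.0.1 { keys { xfer-key; }; };

zone "example.com" {
    type slave;
    masters { 192.168.0.1; };
    file "db.example.com";                // relative to "directory", must be writable by named
    allow-query { any; };
    allow-transfer { none; };             // a slave never hands the zone on
};
```

Check it before reloading with named-checkconf, then verify from a host that is not the slave: dig +short version.bind chaos txt @192.168.0.1 must return the fake string, dig @192.168.0.1 example.com axfr must end in "Transfer failed." (unsigned request), and the same axfr run with -k pointing at the key file must succeed only from the slave's address if you also list it in the ACL. A working signed transfer shows up in the master's log as a transfer "with TSIG xfer-key".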

Don't run BIND as root! Since 8.1.2 there are options to change the user (-u) and group (-g) under which BIND runs; note that BIND 9 kept only -u (the group is taken from the user's entry), and that -g in BIND 9 means something else entirely (run in the foreground, logging to stderr). Use a dedicated, unprivileged user without shell access, e.g. one whose /etc/passwd entry points at /usr/sbin/nologin. Make sure your zone files have the correct permissions: master zone files must be readable, and slave or dynamically updated zones writable, by that user. In BIND 8 named.conf was read while the server still ran as root, so its permissions could be left alone; in BIND 9 the configuration is re-read on every rndc reload or reconfig after privileges have been dropped, so named.conf and the files it includes (such as rndc.key) must be readable by the BIND user too. They should still not be owned by it: root:bind with mode 640 keeps a compromised named from rewriting its own configuration.

Also, run BIND in a chroot jail. Since 8.1.2 there is the option -t to specify the directory for the nameserver to chroot to. The chroot happens before the configuration is read, so every path in named.conf is interpreted relative to the jail, and all the files BIND needs (configuration, zone files, the pid file, log files, the syslog socket and device nodes such as /dev/null and /dev/random) must be under the jail. If you plan to use ndc with a chroot'ed BIND 8, don't forget to pass the new pathname of the UNIX socket to ndc; BIND 9's rndc talks to named over TCP (127.0.0.1 port 953 by default), so no socket needs to be inside the jail, only rndc.key must be readable from it.

Here is how to set up a chrooted bind9 environment on Debian. As the configuration of bind9 is very similar, the same procedure applies to bind8.

 * Stop the currently running bind:

/etc/init.d/bind9 stop

 * To chroot bind into the jail, tell the init script which user and root directory to use, in /etc/default/bind9:

OPTIONS="-u bind -t /var/lib/named"

 * We still want logging in /var/log/syslog, so make syslogd open an extra socket inside the jail through which the chrooted bind can log, in /etc/default/syslogd (with rsyslog the equivalent is an imuxsock listener on the same socket path):

SYSLOGD="-a /var/lib/named/dev/log"

 * Create the directories for the environment; var/cache/bind matches Debian's default directory "/var/cache/bind" in named.conf.options:

mkdir /var/lib/named
mkdir -p /var/lib/named/var/run/bind/run
mkdir /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind

 * Move the existing configuration into the jail and link it back, so the usual path still works:

mv /etc/bind /var/lib/named/etc/bind
ln -s /var/lib/named/etc/bind /etc/bind

 * Change ownership of var and etc inside the jail to the bind user (if you prefer to keep named.conf itself root-owned, as recommended above, chown only the zone files and rndc.key and leave named.conf group-readable by bind):

chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind

 * Create the device nodes bind needs and set their permissions (chmod, not chown: the nodes stay owned by root):

mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/random /var/lib/named/dev/null

 * Restart syslogd and start bind:

/etc/init.d/sysklogd restart
/etc/init.d/bind9 start

If bind does not start and there are error messages in the syslog, keep in mind that these messages were created from inside the chroot, so the paths in them are relative to the jail: a permission problem reported for /var/run/bind/run/named.pid is really a problem with /var/lib/named/var/run/bind/run/named.pid. Running named-checkconf -t /var/lib/named /etc/bind/named.conf before starting catches most of these, because -t makes the checker resolve paths the same way named will.
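The procedure above as a re-runnable script, added here as an example and not taken from the page or from the Debian package. It assumes the Debian layout used above (BIND user "bind", jail /var/lib/named, working directory /var/cache/bind, pid file under var/run/bind/run); the PID_DIR and JAIL variables are the knobs to change if your named.conf says otherwise. Only make_chroot_tree and check_chroot are safe to run unprivileged; moving the configuration, chown and mknod need root.

```shell
#!/bin/sh
# Build and verify a chroot jail for Debian's bind9 package.
# Added example; assumptions: user "bind", jail /var/lib/named, Debian's
# default directory "/var/cache/bind", pid file under var/run/bind/run.
# Usage (as root): sh chroot-bind.sh build
set -eu

JAIL="${JAIL:-/var/lib/named}"
NAMED_USER="${NAMED_USER:-bind}"
PID_DIR="${PID_DIR:-var/run/bind/run}"   # change if pid-file in named.conf differs

# Directories named needs inside the jail, relative to the jail root.
jail_dirs() {
    printf '%s\n' etc dev "$PID_DIR" var/cache/bind
}

# Create the directory tree; safe to run repeatedly.
make_chroot_tree() {
    jail="$1"
    for d in $(jail_dirs); do
        mkdir -p "$jail/$d"
    done
}

# Report every required directory that is missing; return 1 if any is.
check_chroot() {
    jail="$1"; missing=0
    for d in $(jail_dirs); do
        if [ ! -d "$jail/$d" ]; then
            echo "missing: $jail/$d" >&2
            missing=1
        fi
    done
    return $missing
}

# Move /etc/bind into the jail and leave a symlink behind (skip if already done).
move_config() {
    jail="$1"
    [ -L /etc/bind ] && return 0
    mv /etc/bind "$jail/etc/bind"
    ln -s "$jail/etc/bind" /etc/bind
}

# Hand var/ and the zone files to the BIND user, but keep named.conf* owned by
# root and only group-readable, so a compromised named cannot rewrite them.
set_ownership() {
    jail="$1"; user="$2"
    chown -R "$user:$user" "$jail/var" "$jail/etc/bind"
    for f in "$jail"/etc/bind/named.conf*; do
        chown "root:$user" "$f"
        chmod 640 "$f"
    done
}

# Device nodes named needs inside the jail (chmod, not chown: they stay root-owned).
make_devices() {
    jail="$1"
    [ -e "$jail/dev/null" ]   || mknod "$jail/dev/null" c 1 3
    [ -e "$jail/dev/random" ] || mknod "$jail/dev/random" c 1 8
    chmod 666 "$jail/dev/null" "$jail/dev/random"
}

main() {
    make_chroot_tree "$JAIL"
    move_config "$JAIL"
    set_ownership "$JAIL" "$NAMED_USER"
    make_devices "$JAIL"
    check_chroot "$JAIL"
    # Parse the config exactly as named will: -t chroots before reading it.
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf -t "$JAIL" /etc/bind/named.conf
    fi
    cat <<EOF
Now set in /etc/default/bind9 (newer Debian releases: /etc/default/named):
  OPTIONS="-u $NAMED_USER -t $JAIL"
give syslog a socket inside the jail, then restart syslog and bind:
  sysklogd: SYSLOGD="-a $JAIL/dev/log" in /etc/default/syslogd
  rsyslog:  \$AddUnixListenSocket $JAIL/dev/log in /etc/rsyslog.d/bind-chroot.conf
EOF
}

if [ "${1:-}" = "build" ]; then
    main
fi
```

check_chroot is also the thing to run when named refuses to start with a path-related error in syslog: it lists the jail-relative directories that are absent, which is exactly what named is complaining about from inside the chroot.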

Key terms, files and utilities: SysV init files, /etc/named.conf, /etc/passwd