Mar 12, 2012

Setting up BIND to secure DNS with DNSSEC (I)

DNSSEC stands for Domain Name System Security Extensions. As the name suggests, this extension adds security to the DNS protocol.

When the DNS protocol came out, like most of the early Internet protocols, it was not designed with security in mind. Over time, the DNS protocol has become one of the biggest security risks. We only have to remember the series of articles about ARP poisoning (I, II and III).

DNSSEC allows zones to be verified by signing them with a zone key. Thus, the information about a specific zone can be authenticated as coming from a nameserver which has signed it with a particular private key, as long as the client has the nameserver's public key.

How does DNSSEC work? It signs each set of zone records that share the same name and type by using a Zone Signing Key (ZSK). This process produces a signature which is stored in an RRSIG (Resource Record Signature) record. In turn, the public part of the ZSK is stored in a DNSKEY (DNS Public Key) record. Afterwards, the ZSK is signed by a different key known as the KSK (Key Signing Key). The KSK is also stored in a DNSKEY record.

In this way, we will be able to use DNSSEC to distinguish secure DNS results (from a signed zone that validates correctly), insecure results (from an unsigned zone), and fake results (the signature fails validation, or the zone is unsigned but its parent says it should be signed).

Let's get started by configuring a simple zone called test.local on a CentOS 6.2 server. To begin with, we are going to install BIND (version 9.7.3) and define our zone in the configuration file. The type of zone will be master, that is, it designates the nameserver as authoritative for this zone.

[root@dns ~]# hostname
dns.test.local

[root@dns ~]# yum install bind

[root@dns ~]# cat /etc/named.conf
...
options {
    listen-on port 53 { any; };
...
    allow-query     { localhost; localnets; };
...
};

zone "test.local" IN {
    type master;
    file "test.local/test.local.zone";
};

Then we have to create the zone file. As mentioned before, it will be a simple file with a single address record specifying the IP of the server (192.168.183.130).

[root@dns ~]# mkdir /var/named/test.local

[root@dns ~]# cat /var/named/test.local/test.local.zone
; Zone name
$ORIGIN test.local.

; Default Time to Live (TTL)
$TTL    86400

; Start Of Authority resource record
; (serial-number time-to-refresh time-to-retry time-to-expire minimum-TTL)
@       IN SOA dns.test.local. admin.test.local. (1 6H 1H 1W 1D)

; NameServer record (announces the authoritative nameserver for a particular zone)
        IN NS  dns.test.local.

; Address record (specifies an IP address to assign to a name)
dns     IN A   192.168.183.130
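
As an added example (not code from the original post), the Python sketch below parses the zone file above and groups its records into sets that share the same name and type, which is the unit each RRSIG signature covers. The function names are hypothetical, and it assumes one record per line with no quoted semicolons; records a real signer adds beyond those the post describes are left out.

```python
import re
from collections import defaultdict

# Zone file from the post (comments stripped), embedded to run offline.
ZONE = """\
$ORIGIN test.local.
$TTL    86400
@       IN SOA dns.test.local. admin.test.local. (1 6H 1H 1W 1D)
        IN NS  dns.test.local.
dns     IN A   192.168.183.130
"""

def absolute(name, origin):
    """Expand '@' and relative owner names against $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin.lstrip('.')}"

def rrsets(zone_text):
    """Group records by (owner, type): the unit that one RRSIG covers."""
    origin, owner, sets = ".", None, defaultdict(list)
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if line.startswith("$"):                      # directives, not records
            if line.split()[0].upper() == "$ORIGIN":
                origin = line.split()[1]
            continue
        fields = line.split()
        if not raw[0].isspace():                      # owner given in column 0
            owner = absolute(fields.pop(0), origin)   # else inherit previous owner
        # Skip the optional TTL and class that may precede the type.
        while re.fullmatch(r"(\d+[smhdw]?)+|IN", fields[0], re.I):
            fields.pop(0)
        sets[(owner, fields[0].upper())].append(" ".join(fields[1:]))
    return dict(sets)

def signing_plan(sets, apex):
    """One RRSIG per RRset: zone data by the ZSK, the DNSKEY RRset by the KSK."""
    plan = [(owner, rrtype, "ZSK") for owner, rrtype in sorted(sets)]
    plan.append((apex, "DNSKEY", "KSK"))              # holds both public keys
    return plan

if __name__ == "__main__":
    for owner, rrtype, key in signing_plan(rrsets(ZONE), "test.local."):
        print(f"RRSIG over {owner} {rrtype} made with the {key}")
```

Adding a second A record for dns would not add a signature: both addresses fall into the same (name, type) set and are covered by one RRSIG.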

So far, this is the normal behavior of a DNS server without authenticating its zones. If you restart the BIND service right away, you can use it as a normal DNS server. Next week, I will finish by setting up the configuration for DNSSEC.

[root@dns ~]# /etc/init.d/named restart

