Posted: 11/9/2011 (16 pages)
Securing BIND 9

Aditya Newalkar

What?

• “BIND (Berkeley Internet Name Domain) is an implementation of the Domain Name System (DNS) protocols”
• The DNS protocol is the mechanism that translates IP addresses to domain names and vice versa
• DNS is necessary if you
  – are connected to the Internet…
  – have a UUCP connection to a host on the Internet...
  – have your own TCP/IP-based internet...
  – have your own local area network or site network...
• We attempt to get insight into some hardening measures for the BIND software

Why?

• BIND appears in the SANS Top 10 vulnerabilities list (sans.org)
• Many servers run misconfigured, vulnerable versions of BIND
• Popular attacks:
  – DoS,
  – buffer overflow,
  – man-in-the-middle,
  – DNS spoofing
• Effects:
  – Executing arbitrary code,
  – “a single compromised machine may provide a platform for malicious activity targeting other machines on the Internet, or be used as a repository of illicit material without the administrator's knowledge”.

How?

• Use secured alternatives
  – nsd (authoritative only)
  – djbdns
• Avoid a single point of failure
• Use a dedicated DNS server; otherwise disable unnecessary services
• Use “split service” name servers
• Run BIND as a non-root user
• Install the latest version of BIND from http://www.isc.org (Internet Software Consortium)
• Make use of the security-related features while writing configuration scripts. Use hardened configurations.

Installation of BIND

• Our Environment
  – heman.brounlab.edu 192.168.1.9
    • RedHat 7.0
    • Kernel version 2.2
    • Static IP
  – teela.brounlab.edu 192.168.1.2
    • RedHat 7.3
    • Kernel version 2.2
    • Static IP
  – Connected over a hub

Steps Involved

• Download and unpack the source from isc.org
• Configure and build
• Create the jail
• Create the configuration files
• Daemon control with rndc
• Starting named at boot time

….simple, isn’t it?

Download and Unpack Source

• Download the latest source tarball from http://www.isc.org/products/BIND/bind9.html
• Unpack the source in /usr/local/redhat/SOURCES/

    # tar -zxvf bind9.2.2.tar.gz

Configure and Build

• Configure without threads and without IPv6 support:

    # ./configure --disable-ipv6 --disable-threads
    # make
    # make install*

(wait for 5 minutes…)

(*the chroot-BIND howto doesn’t mention this step)

Create Jail

• Add a line something like the following to /etc/passwd:

    named:x:200:200:Nameserver:/chroot/named:/bin/false

• And one like this to /etc/group:

    named:x:200:

• Create the directory structure

    /opt
    +-- named
        +-- dev
        +-- etc
        |   +-- namedb
        |       +-- slave
        +-- var
            +-- run

Create Jail…

• Check the major and minor numbers

    # ls -lL /dev/zero /dev/null /dev/random

• Create the devices from the jail root, but confirm the major/minor device numbers against the output above first

    # mknod dev/null c 1 3
    # mknod dev/zero c 1 5
    # mknod dev/random c 1 8

• Copy the timezone file

    # cp /etc/localtime etc
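The jail steps above, as an added shell example that is not part of the slides: it builds the directory tree under a root you pass in and reads the device major/minor numbers from the host's own `ls -lL` output instead of hard-coding the Linux values, so a wrong node is never created. Only `make_jail_devices` needs root; the parsing and the tree creation run unprivileged. The function names and the permission choices are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the slides: build the chroot layout for named under a
# caller-supplied root and take the device major/minor numbers from the host
# instead of hard-coding them. Assumes POSIX sh with ls, awk, mkdir, mknod.
# Only make_jail_devices needs root; the checks and the tree run unprivileged.

# Create dev, etc/namedb/slave and var/run. Only the slave-zone directory and
# the pid directory are meant to be writable by named; everything else stays
# root-owned and read-only for the daemon (chown those two to named:named as root).
make_jail_tree() {
    root="$1"
    mkdir -p "$root/dev" "$root/etc/namedb/slave" "$root/var/run" || return 1
    chmod 755 "$root" "$root/dev" "$root/etc" "$root/etc/namedb" "$root/var" || return 1
    chmod 770 "$root/etc/namedb/slave" "$root/var/run" || return 1
    # timezone file so named logs local time inside the jail
    if [ -f /etc/localtime ]; then cp /etc/localtime "$root/etc/localtime"; fi
}

# Print "major minor" from one line of `ls -lL` output, e.g.
#   crw-rw-rw- 1 root root 1, 3 Nov  9  2011 /dev/null
# Fails (exit 1) when the line does not describe a character device, so a
# symlink to the wrong thing or a regular file is never turned into a node.
devnums_from_ls() {
    printf '%s\n' "$1" | awk '
        substr($1, 1, 1) != "c" { exit 1 }
        { sub(",", "", $5); print $5, $6 }'
}

# Same, queried from the live system.
devnums_of() {
    devnums_from_ls "$(ls -lL "$1")"
}

# Create the three nodes the jail needs. The slide's 1,3 / 1,5 / 1,8 are the
# Linux values; reading them from the host keeps this correct elsewhere.
make_jail_devices() {
    root="$1"
    for d in null zero random; do
        nums=$(devnums_of "/dev/$d") || return 1
        set -- $nums
        mknod "$root/dev/$d" c "$1" "$2" || return 1
        chmod 666 "$root/dev/$d"
    done
}
```

Run `make_jail_tree /opt/named` as any user, then `make_jail_devices /opt/named` as root; `devnums_of /dev/random` on its own shows what would be created before anything is touched.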

Configuration files

• Main Configuration File
  – named.conf
• Database files
  – db.127.0.0
  – db.192.168.1
  – db.brounlab.edu
• Daemon Control and Transaction Authorization (TSIG) configuration
  – rndc.conf
  – rndc.key
• Name Server Resolution
  – resolv.conf

Construct the Config Files

• Creating the TSIG Transaction Signature (lines marked >> are command output)

    # cd /opt/named/etc
    # /usr/local/sbin/dnssec-keygen -a HMAC-MD5 -b 256 -n ZONE brounlab.edu
    >> Kbrounlab.edu.+157+13856
    # cat Kbrounlab.edu.+157+13856.private
    >> Private-key-format: v1.2
    >> Algorithm: 157 (HMAC_MD5)
    >> Key: hU9utBAdP6/dVKKfxOlv0bPOTnAd4A1qosMbs/dwVJI=
    # rm Kbrounlab.edu.+157+13856.*

Config Files…

• Main Configuration File
  – Contains the options that control the overall behavior of the BIND name server
  – Zone information, security-related features, syslog channels
• Database File Sections
  – Contain domain information
  – Authority Section
  – Name Server Section
  – Address and Alias Section
• Watch the “dots” and “spaces”

It doesn’t work…

• Check symptoms
  – /var/log/messages. Don’t ignore any warning/error
• Get Help
  – DNS & BIND, by Cricket Liu & Paul Albitz; Third Edition, September 1998; O’Reilly Publications
  – Building and Running BIND 9 (Internet documentation): http://www.unixwiz.net/techtips/bind9-chroot.html
  – DNS HOWTO: http://www.tldp.org/HOWTO/DNS-HOWTO.html
  – comp.protocols.dns.bind: USENET newsgroup available through Google or Auburn University
  – Miscellaneous references listed at the end of the presentation

Security Features of BIND

• Restricting usage with Access Control Lists (acl tag)
  – Permissions of the chroot directory
  – Only the listed name servers are allowed to do zone transfers
  – Only the listed hosts can connect
  – Bogon networks that are used for testing purposes are denied access
  – Disable recursive queries
  – Extensive logging facility
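The features listed above, and the TSIG key from the "Construct the Config Files" slide, as one added example that is not part of the slides: a hardened named.conf fragment (ACLs, no zone transfers except to the real slave, recursion off, bogon blackhole, version hidden, rndc control channel bound to the key, security logging to syslog) next to a constructed weak configuration, and a small shell audit that flags the weak settings. The hosts, addresses and key secret are the lab values from the slides (replace the secret with your own dnssec-keygen output); the ACL names "trusted"/"bogon", the weak config and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the slides: a named.conf fragment applying the listed
# features, a constructed weak config, and an audit that flags the weak settings.
# Addresses, hosts and the key secret are the slides' lab values; the ACL names
# and the weak config are constructed. Assumes POSIX sh with sed and grep -E.

hardened_named_conf() {
cat <<'EOF'
acl "trusted" { 127.0.0.1; 192.168.1.0/24; };
// private and test networks that should never reach this server
acl "bogon" { 0.0.0.0/8; 10.0.0.0/8; 172.16.0.0/12; 192.0.2.0/24; 224.0.0.0/3; };

options {
    directory "/etc/namedb";           // relative to the chroot
    pid-file "/var/run/named.pid";
    version "not disclosed";           // do not advertise the BIND version
    recursion no;                      // authoritative only
    allow-query { any; };
    allow-transfer { none; };          // re-enabled per zone for real slaves only
    blackhole { bogon; };              // drop packets from bogon space
};

key "rndc-key" {
    algorithm hmac-md5;
    secret "hU9utBAdP6/dVKKfxOlv0bPOTnAd4A1qosMbs/dwVJI=";   // replace with your own
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

logging {
    channel security_log { syslog daemon; severity info; print-time yes; };
    category security { security_log; };
};

zone "brounlab.edu" {
    type master;
    file "db.brounlab.edu";
    allow-transfer { 192.168.1.2; };   // teela, the only slave
};
EOF
}

# Constructed weak config: the defaults many misconfigured servers still run.
weak_named_conf() {
cat <<'EOF'
options {
    directory "/etc/namedb";
    recursion yes;
    allow-transfer { any; };
};
controls { inet 0.0.0.0 port 953 allow { any; } keys { "rndc-key"; }; };
zone "brounlab.edu" { type master; file "db.brounlab.edu"; };
EOF
}

# _check PATTERN WANT MESSAGE: WANT=0 means the pattern must be present,
# WANT=1 means it must be absent; prints a FINDING line otherwise.
_check() {
    if printf '%s\n' "$conf" | grep -Eq "$1"; then found=0; else found=1; fi
    if [ "$found" -ne "$2" ]; then
        echo "FINDING: $3"
        findings=$((findings + 1))
    fi
}

# Audit a named.conf file (// comments stripped first); prints one FINDING per
# weak setting and returns the number of findings, so 0 means clean.
audit_named_conf() {
    conf=$(sed 's://.*$::' "$1")
    findings=0
    _check 'allow-transfer[[:space:]]*\{[[:space:]]*any;' 1 'zone transfers allowed to any host'
    _check 'recursion[[:space:]]+no;' 0 'recursion not disabled'
    _check 'version[[:space:]]+"' 0 'BIND version string is disclosed'
    _check 'blackhole[[:space:]]*\{' 0 'no blackhole list for bogon networks'
    _check 'inet[^}]*allow[[:space:]]*\{[[:space:]]*any;' 1 'rndc control channel open to any host'
    _check 'category[[:space:]]+security' 0 'security events are not logged'
    return "$findings"
}
```

Run `hardened_named_conf > /opt/named/etc/named.conf` to write the fragment, and `audit_named_conf /opt/named/etc/named.conf` before each restart; the audit is a line-oriented check, so multi-line stanzas with `allow { any; }` on a separate line from `inet` are not caught and still need a reading.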

References

• Authoritative References:
  – DNS & BIND, by Cricket Liu & Paul Albitz; Third Edition, September 1998; O’Reilly Publications
  – comp.protocols.dns.bind: USENET newsgroup
  – BIND Mailing Lists: hosted by isc.org
• Internet References:
  – Knowledgebase compiled by Cricket Liu: http://www.menandmice.com
  – DNS HOWTO: http://www.tldp.org/HOWTO/DNS-HOWTO.html
  – Building and Running BIND 9: http://www.unixwiz.net/techtips/bind9-chroot.html


