DNS RPZ Intro: RPZ Overview. Lecturer: Ron Aitchison, dns@zytrax.com


Copyright Zytrax, Inc. All rights reserved.

RPZ Overview
- Resolver (recursive server) enhancement
- Functionality triggered by the response-policy statement in the BIND configuration (named.conf)
- Selective Policy Triggers and Policy Actions defined in 'standard' zone files
- Zone files declared in zone clauses within named.conf
- Logging and response-policy (policy disabled) as diagnostic aids

RPZ Objective
- Override query responses selectively (Policy Triggers)
- Selectively provide user-defined responses to query results ("white lies") (Policy Actions)

RPZ Zone File Example

    $TTL 2h
    $ORIGIN domain.example.com.
    @   SOA nsd.example.net. hostmaster.example.com. ( 1 12h 15m 3w 2h )
        NS  nsd.example.net.   ; out-of-zone name server, no A/AAAA RR required here
    ; begin RPZ RR definitions
    ; QNAME Policy Trigger, Local-Data Policy Action: send the client to a local website
    example.org     CNAME explanation.example.com.
    ; the wildcard kills the whole domain (all subdomains; it does not cover example.org itself)
    *.example.org   CNAME explanation.example.com.
    ; IP Policy Trigger, DROP Policy Action
    ; any answer containing an address in 192.168.254.0/24
    24.0.254.168.192.rpz-ip   CNAME rpz-drop.

Zone file comments start with ';' (not '//'), and the SOA RNAME must be fully qualified, otherwise $ORIGIN is appended to it.

RPZ Zone File Data Generation

Acquire and reformat existing lists (squidblacklists?)
- Quickest and cheapest solution
- Multiple categories
- Updated lists can be handled by selective zone reload (no restart)
- Single Policy Trigger (QNAME) with one or more Policy Actions
- Lists lag discovery
- Limited differentiation and value added

In-house effort
- Policy Triggers offer powerful (aggressive) features
- RPZ zones can anticipate discovery
- Potential collateral effects
- Selective implementation

Business opportunity
- Zone file distribution (master/slave)
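The "acquire and reformat existing lists" step above, and the zone file layout of the previous slide, as an added worked example (not code from the Zytrax slides or from ISC). It assumes the list format most category feeds use (one domain per line, optionally hosts-file style "0.0.0.0 name", with # comments) and IPv4 CIDR prefixes for IP triggers; the zone, name server and walled-garden names are placeholders in the .example domains, and the sample feed is constructed.

```python
"""Generate a BIND RPZ zone from category blocklists.

Added example for these slides; not code from Zytrax or ISC. It assumes the
list format most category feeds use (one domain per line, optionally in hosts
format '0.0.0.0 name', with # comments) and IPv4 CIDR prefixes for IP triggers.
Zone, server and walled-garden names are placeholders in the .example domains.
"""
import ipaddress
import re
from datetime import date

# RFC 1123 hostname label: letters, digits, hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# Constructed sample feed (not a real list): mixed case, trailing dot, wildcard,
# hosts-file format, a duplicate and a malformed line.
SAMPLE_LIST = """\
# constructed sample feed
BAD.example.org
bad.example.org.
*.tracker.example.net
0.0.0.0 ads.example.com
not a domain!!
"""


def parse_blocklist(text):
    """Return sorted, de-duplicated, lower-cased domains from a blocklist.

    Lines that would not load as zone owner names are skipped rather than
    emitted: one bad record makes named reject the whole RPZ zone file.
    """
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        name = line.split()[-1]            # hosts format: keep the name, drop the address
        if name.startswith("*."):          # the generator adds its own wildcard
            name = name[2:]
        name = name.rstrip(".")
        labels = name.split(".")
        if len(labels) < 2 or not all(_LABEL.match(lab) for lab in labels):
            continue
        seen.add(name)
    return sorted(seen)


def rpz_ip_label(cidr):
    """Encode an IPv4 prefix as an RPZ IP-trigger owner name.

    BIND's encoding is prefix length, then the address octets reversed:
    192.168.254.0/24 -> 24.0.254.168.192.rpz-ip. strict=True rejects
    prefixes with host bits set (10.2.3.0/8), which named would also refuse.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}.{'.'.join(reversed(octets))}.rpz-ip"


def rpz_serial(today=None, counter=0):
    """YYYYMMDDnn serial; bump counter for a second regeneration on one day."""
    today = today or date.today()
    return int(today.strftime("%Y%m%d")) * 100 + counter


def build_rpz_zone(domains, cidrs=(), zone="rpz.example.com.",
                   ns="nsd.example.net.", hostmaster="hostmaster.example.com.",
                   walled_garden="explanation.example.com.", serial=None):
    """Return RPZ zone text: QNAME triggers with a Local-Data (CNAME) action
    for each domain and its subdomains, plus IP triggers with the DROP action."""
    serial = rpz_serial() if serial is None else serial
    lines = [
        "$TTL 2h",
        f"$ORIGIN {zone}",
        f"@ SOA {ns} {hostmaster} ( {serial} 12h 15m 3w 2h )",
        f"  NS {ns}",
        "; QNAME Policy Triggers, Local-Data Policy Action",
    ]
    for name in domains:
        lines.append(f"{name} CNAME {walled_garden}")     # the domain itself
        lines.append(f"*.{name} CNAME {walled_garden}")   # every subdomain
    if cidrs:
        lines.append("; IP Policy Triggers, DROP Policy Action")
        lines.extend(f"{rpz_ip_label(c)} CNAME rpz-drop." for c in cidrs)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_rpz_zone(parse_blocklist(SAMPLE_LIST), ["192.168.254.0/24"]))
```

Write the output to the file named in the RPZ zone clause and apply it with rndc reload for that zone; the date-based serial must increase on every regeneration or slaves will keep serving the old list.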

RPZ User Selection

Limit options
- Existing lists have ~20 categories; the number of possible category combinations grows exponentially (2^20 subsets)
- Offer 5 or 6 viable options or sets

Multiple DNS servers
- Potentially expensive (multiple VMs)
- Selection is entirely a user change (IP address of the DNS service)

Single server using view clauses
- Rewrite the match-clients statement on user selection (named.conf edit and rndc reconfig/reload; no full restart required)
- No user configuration change

Both methods allow progressive migration

DNS RPZ Intro: BIND Configuration

Module Objectives
- Introduction to BIND's configuration file named.conf: format and layout; clauses and statements
- named.conf major clauses
- named.conf statements overview
- view clause
- zone clause
- logging clause
- Open and closed resolver configuration

BIND Configuration
named.conf controls operational features. Located:
- Linux: /etc/named.conf or /etc/bind/named.conf
- BSD: /usr/local/etc/named.conf
- Windows: C:\Program Files\ISC BIND 9\etc\named.conf

BIND named.conf
Contains three types of information, plus an include directive:
- Comments
- Clauses – collections of statements
- Statements – individual statements within clauses
- include – in-situ inclusion of a separate file (used for administration and security, e.g. keeping key clauses in a file with tighter permissions)

BIND – named.conf Comments

    /* C-style comment format needs opening and closing markers
    ** but allows multiple lines or */
    /* single lines or */
    zone /* in-line comment */ in { some zone statements };
    // C++-style comments have single line format, no closing required
    ...some statement; // comment ends this line
    # SHELL/PERL-style comments are single lines, no closing required
    some statement; # comment ends this line

BIND – named.conf Clauses
- acl – Access Control Lists
- controls – remote access (rndc)
- logging – controls logging features
- options – global options
- view – allows separate configurations in the same server
- zone – defines the zones that are supported
- key – used for security data (typically included from a separate file)

BIND – Statements
- Over 120 statements available
- Many valid in more than one clause
- Some valid in only a single clause
- Pro DNS and BIND classifies them as: Transfer, Query, Operations, Security

BIND – Typical named.conf

    // change log
    // 1. changed by M.E. on 24th January
    acl "name" {
      ...   // acl clauses, if present, generally come first
            // to avoid forward references
    };
    key "name" {
      ...   // key clauses, if present, must appear
            // before being referenced
    };
    logging {
      // requires at least a file statement unless using syslog
      // order not important with BIND 9
    };
    options {
      // other statements (as required)
    };
    // zone clauses, including 'required' zones
    zone "name" {
      ....
    };

BIND – View named.conf

    options {
      // global options
      // other statements as required
    };
    view "first" {
      // view-specific statements (options)
      // view-specific zone clauses, including required zones
      // (once any view is defined, every zone clause must be inside a view)
      zone "name" {
        .....
      };
    }; // end of view "first"
    view "second" {
      ...
    }; // end of view "second"

BIND – View Clause
Each view clause is matched to incoming queries using:
- match-clients
- match-destinations
- match-recursive-only
View clause order is important:
- Views are tested in the order in which they are defined
- Unmatched queries fall through to the next view clause (a query matching no view is refused)

BIND – View Clause Use
Mixed local/public IPs
- External – public hosts
- Internal – local hosts
Mixed services
- Internal caching
- External authoritative
RPZ – user policy selection
- match-clients to select a set of RPZ zone files
Split horizon
- Different IPs to different sources

BIND – view clause match statements

    match-clients { address_match_element; ... };
    match-clients { 10.0.0.0/8; 172.16.0.0/16; !192.168.0.0/16; };
    match-destinations { address_match_element; ... };
    match-destinations { 192.168.0.3; };
    match-recursive-only ( yes | no );
    match-recursive-only yes;

Prefix elements must have zero host bits (10.2.3.0/8 is rejected by current BIND versions as an address/prefix length mismatch). Elements are tested in order and the first match wins, so a negated element only excludes addresses when it appears before a broader positive element that would otherwise match them.

BIND – Match combined

    // named.conf fragment
    view "recursive-external" {
      match-clients { !10.2.3.0/24; any; };
      match-recursive-only yes;
      // other view statements
      zone "example.com" in {
        ....
      };
    };

An address match list containing only a negated element matches nothing: !10.2.3.0/24 must be followed by any; (or the intended positive range) for the view to match any client at all.

BIND Logging
- Default: syslog (*nix) or the Windows Event log
- The logging clause is very powerful (and complex!)
- Single or multiple files (channels)
- Type of output (category)
- Severity of message

BIND Logging Clause

    logging {
      [ channel channel_name {
          ( file path_name [ versions ( number | unlimited ) ] [ size size_spec ]
            | syslog syslog_facility
            | stderr
            | null );
          [ severity ( critical | error | warning | notice | info | debug [ level ] | dynamic ); ]
          [ print-category yes | no; ]
          [ print-severity yes | no; ]
          [ print-time yes | no; ]
      }; ]
      [ category category_name {
          channel_name; [ channel_name; ... ]
      }; ]
      ...
    };

BIND RPZ Logging Example

    // log to /var/log/named/default.log all events from info UP in severity (no debug)
    // uses 3 files in rotation, swaps files when size reaches 250K
    logging {
      channel default_log {
        file "/var/log/named/default.log" versions 3 size 250k;
        severity info;
      };
      channel named-rpz {
        // change path as appropriate
        file "/var/named/rpz.log" versions 3 size 250k;
        severity info;
        print-time yes;
      };
      category rpz { named-rpz; };
      category default { default_log; };
    };

RPZ rewrites are logged at info severity to the rpz category, so a channel with severity info (the default) captures every hit; print-time is needed because a file channel, unlike syslog, adds no timestamp of its own.
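Once RPZ hits land in their own channel, the log is the place to see which clients keep asking for blocked names and which policy zones are actually firing. The following is an added example, not code from the Zytrax slides or from ISC. It assumes the message shape BIND 9 writes to the rpz category (client <addr>#<port> (<qname>): [disabled ]rpz <TRIGGER> <POLICY> rewrite <qname> via <policy RR name>, preceded by whatever time/category prefix the channel adds); the sample log lines are constructed, and the zone names rpz.example.com and rpz-audit.example.com are assumed to be the ones listed in response-policy.

```python
"""Summarise BIND RPZ log hits.

Added example for these slides; not code from Zytrax or ISC. It assumes the
message shape BIND 9 writes to the rpz logging category:
    client <addr>#<port> (<qname>): [disabled ]rpz <TRIGGER> <POLICY> rewrite <qname> via <policy RR>
with whatever time/category prefix the channel adds. The sample lines are
constructed; the RPZ zone names are assumed to match the response-policy statement.
"""
import re
from collections import Counter

# Zones named in the response-policy statement (assumed names).
RPZ_ZONES = ("rpz.example.com", "rpz-audit.example.com")

# Constructed sample of rpz.log with print-time, print-category and print-severity on.
SAMPLE_LOG = """\
01-Mar-2017 10:15:02.123 rpz: info: client @0x7f3a1c0 192.168.2.17#53012 (bad.example.org): rpz QNAME Local-Data rewrite bad.example.org via bad.example.org.rpz.example.com
01-Mar-2017 10:15:03.456 rpz: info: client @0x7f3a1c0 192.168.2.17#53013 (www.bad.example.org): rpz QNAME Local-Data rewrite www.bad.example.org via *.bad.example.org.rpz.example.com
01-Mar-2017 10:15:07.001 rpz: info: client @0x7f3a1d0 192.168.2.40#41002 (cdn.example.net): rpz IP DROP rewrite cdn.example.net via 24.0.254.168.192.rpz-ip.rpz.example.com
01-Mar-2017 10:15:09.777 rpz: info: client @0x7f3a1e0 192.168.2.17#53014 (test.example.com): disabled rpz QNAME NXDOMAIN rewrite test.example.com via test.example.com.rpz-audit.example.com
01-Mar-2017 10:15:10.000 general: info: received control channel command 'reload'
"""

RPZ_LINE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): (?P<disabled>disabled )?rpz (?P<trigger>\S+) "
    r"(?P<policy>\S+) rewrite (?P<rewritten>\S+) via (?P<policy_rr>\S+)"
)


def parse_rpz_line(line):
    """Return a dict for an RPZ rewrite line, or None for any other line."""
    m = RPZ_LINE.search(line)
    if m is None:
        return None
    hit = m.groupdict()
    hit["disabled"] = hit["disabled"] is not None   # 'policy disabled' audit entry
    hit["port"] = int(hit["port"])
    return hit


def policy_zone(policy_rr, zones=RPZ_ZONES):
    """Name the configured RPZ zone a policy RR came from (longest suffix match)."""
    name = policy_rr.rstrip(".")
    for zone in sorted(zones, key=len, reverse=True):
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def summarise(log_text, zones=RPZ_ZONES, alert_threshold=2):
    """Count enforced rewrites per client, zone and action; keep audit-only
    (disabled) hits separate; flag clients at or above alert_threshold hits."""
    by_client, by_zone, by_policy, audit_only = Counter(), Counter(), Counter(), []
    for line in log_text.splitlines():
        hit = parse_rpz_line(line)
        if hit is None:
            continue
        if hit["disabled"]:
            audit_only.append(hit["qname"])
            continue
        by_client[hit["client"]] += 1
        by_zone[policy_zone(hit["policy_rr"], zones) or "unknown"] += 1
        by_policy[hit["policy"]] += 1
    return {
        "hits": sum(by_client.values()),
        "by_client": by_client,
        "by_zone": by_zone,
        "by_policy": by_policy,
        "audit_only": audit_only,
        "noisy_clients": sorted(c for c, n in by_client.items() if n >= alert_threshold),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The disabled entries are what a zone declared with policy disabled produces: it shows what a new list would have rewritten without affecting users, so keeping them apart from enforced hits is what makes a staged rollout measurable. A client repeatedly hitting malware categories is a candidate for incident follow-up rather than just a blocked lookup.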

BIND – zone Clause
Defines the zones to be supported:
- Authoritative zones
- Root-server zone (hints)
- RPZ zones
- Special zones: loopback address (forward/reverse); local IPs (RFC 1918 reverse map); IPv4/IPv6 as required

BIND – Required zones
Resolver (caching name server)
- Root servers (hints)
- Loopback (forward/reverse)
- Local IPs (IPv4/IPv6)
- RPZ zones
Authoritative DNS
- Zones supported
- Maybe loopback (forward/reverse)

BIND – Resolver (caching) zones

    // required zone for recursive queries
    zone "." {
      type hint;
      file "root.servers";
    };
    // required local host domain
    zone "localhost" in {
      type master;
      file "master.localhost";
      allow-update { none; };
    };
    // localhost reverse map
    zone "0.0.127.IN-ADDR.ARPA" in {
      type master;
      file "localhost.rev";
      allow-update { none; };
    };
    // reverse map for local addresses at example.com
    // uses 192.168.254.0 for illustration
    zone "254.168.192.IN-ADDR.ARPA" in {
      type master;
      file "view/192.168.254.rev.internal";
      allow-update { none; };
    };

BIND – Authoritative zones

    // zone for which this server is authoritative
    zone "example.com" in {
      type master;
      // private zone files including local hosts
      file "master.example.com";
      allow-update { none; };
    };
    // required local host domain
    zone "localhost" in {
      type master;
      file "master.localhost";
      allow-update { none; };
    };
    // localhost reverse map
    zone "0.0.127.IN-ADDR.ARPA" in {
      type master;
      file "localhost.rev";
      allow-update { none; };
    };

RPZ and rndc
rndc is the remote management tool for BIND
- rndc addzone zone [class [view]] config
  Enabled by the allow-new-zones yes; statement
- rndc delzone [-clean] zone [class [view]]
- rndc modzone zone [class [view]] config
- rndc reconfig
  Re-reads named.conf and loads any new zones; existing zones are not reloaded
- rndc reload zone [class [view]]
  Reloads a single zone (e.g. an updated RPZ zone file) without a restart
- rndc reload
  Re-reads named.conf and reloads all zones
- rndc refresh zone [class [view]]
  Schedules an immediate refresh check of a slave zone against its master (useful when RPZ zones are distributed by zone transfer)

RPZ Statements
- response-policy statement
- in-view statement

in-view Statement
- in-view viewname
- zone clause only
- Allows a single instance of a zone to be shared by multiple views
- The shared zone must be defined first (backward reference only)
- The BIND 9.11 documentation indicates that an in-view zone cannot be used as an RPZ zone

RPZ response-policy Statement
- Global (options) or view-based statement
- Enables RPZ processing for the listed zones
- Also usable as a diagnostic aid (policy disabled logs what would have been rewritten without changing any response)

RPZ response-policy Statement

    response-policy {
      zone zone_name
        [ policy ( given | disabled | passthru | drop | nxdomain | nodata | tcp-only | cname domain_name ) ]
        [ recursive-only yes_or_no ]
        [ max-policy-ttl number ];
      ...
    }
      [ recursive-only yes_or_no ]
      [ max-policy-ttl number ]
      [ break-dnssec yes_or_no ]
      [ min-ns-dots number ]
      [ qname-wait-recurse yes_or_no ];

    # example
    response-policy { zone "dontlike"; zone "likeless" policy disabled; } recursive-only yes;

RPZ response-policy Statement
- zone – up to 32 zones supported
- Parameters may be applied per zone (inside the zone's braces) or globally (outside the zone braces)
- policy
  given (default) – use the Policy Actions defined in the zone file
  disabled – do not rewrite, but log (to the rpz category) the Policy Actions that would have applied
  passthru, nxdomain, tcp-only, drop, nodata, cname name – override all Policy Actions in the zone file(s) with the specified action

RPZ response-policy Statement
- recursive-only yes|no
  yes (default) – apply RPZ only to recursive queries from clients; no – apply to all queries (iterative and recursive)
- max-policy-ttl seconds
  By default the TTL of RPZ-rewritten responses is capped at 5 seconds
  The statement raises the cap to any defined value
  Excessive values slow the propagation of RPZ zone file changes to clients that have cached the old answer
- break-dnssec yes|no
  yes – apply RPZ even to DNSSEC-signed responses (the client's validation will then fail); no (default) – do not rewrite signed responses

RPZ response-policy Statement
- min-ns-dots number
  Minimum number of dots in a name server's name before the NSDNAME/NSIP Policy Triggers are applied (default 1): example.com and mail.example.com qualify by default, but a TLD server name such as com does not (unless min-ns-dots 0)
- qname-wait-recurse yes|no
  Global only (not zone-specific); applies only to QNAME Policy Triggers
  yes (default) – recurse to obtain the real answer, then apply the Policy Action
  no – apply a matching QNAME policy as soon as the query is received (no recursion is performed for it)

BIND – Closing the Resolver
Open caching DNS (resolver)
- Can be abused in DDoS (reflection/amplification) attacks
- BIND defaults to recursion yes;
Closed caching DNS (resolver)
- Limit the IPs allowed to recurse: use allow-recursion { x.x.x.x; };
- From BIND 9.4, if no limit is set, allow-recursion defaults to allow-query-cache, which itself defaults to { localnets; localhost; };
- Relying on the implicit default is not good practice: state the limits explicitly

BIND – Open Resolvers (slide content not included in the transcript)

BIND – Closed Resolver (options clause statements)

    # Authoritative only: inhibit all recursion
    recursion no;

    # Any resolver (caching) function
    recursion yes;   // the default!
    # use an appropriate local address scope statement
    # to limit recursion requests to local users
    allow-recursion { 192.168.2.0/24; };   // change IPs as required
    # OR, if the DNS server's IPs and netmasks cover the whole
    # local network, you can use:
    allow-recursion { "localnets"; };
    # OR, for a personal system, hard limits on listening:
    listen-on { 127.0.0.1; };      // or listen-on { localhost; };
    listen-on-v6 { ::1; };         // or listen-on-v6 { localhost; };
    # OR
    allow-recursion { "localhost"; };

DNS RPZ Intro: RPZ Exercise. Lecturer: Ron Aitchison, dns@zytrax.com