RNDC & TSIG. What is RNDC? Remote Name Daemon Controller Command-line control of named daemon Usually on same host, can be across hosts –Locally or remotely.

Slides:

Advertisements

Similar presentations

Authoritative-only server & TSIG cctld-workshop Nairobi,12-15 october 2005

Advertisements

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

1 Dynamic DNS. 2 Module - Dynamic DNS ♦ Overview The domain names and IP addresses of hosts and the devices may change for many reasons. This module focuses.

Zone transfer and dns-express

DNS Security A.Lioy, F.Maino, M. Marian, D.Mazzocchi Computer and Network Security Group Politecnico di Torino (Italy) presented by: Marius Marian.

DNS Domain Name System –name servers –Translates FDQN to IP address List of fully qualified domain names (FDQN) and their IP addresses, FDQN has three.

A New Approach to DNS Security (DNSSEC) Author: Giuseppe Ateniese Stefan Mangard Presenter: Liu, Xiaotao.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

ACCESS CONTROL MANAGEMENT Project Progress (as of March 3) By: Poonam Gupta Sowmya Sugumaran.

The Domain Name System. CeylonLinux DNS concepts using BIND 2 Hostnames IP Addresses are great for computers –IP address includes information used for.

Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 8: Managing and Troubleshooting DNS.

DNS & DHCP in the 21st Century William D. Kramp Network Administrator Finger Lakes Community College.

Hands-On Microsoft Windows Server 2003 Administration Chapter 9 Administering DNS.

Investigations into BIND Dynamic Update with OpenSSL by David Wilkinson.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

Domain Name Services Oakton Community College CIS 238.

Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.

Digital Signature Xiaoyan Guo/ Xiaohang Luo/

Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 Peter Janssen, EURid.eu Ljubljana, RIPE 64, April

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

DNS. Introduction What is DNS? –Hierarchy or Tree –Dot used as a separator.

Advanced Module 3 Stealth Configurations.

Name Resolution Domain Name System.

TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)

1 Objectives Discuss the basics of the Domain Name System (DNS) and its terminology Configure DNS clients Install a standard DNS server on Server 2008.

70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 7: Domain Name System.

World Wide Web Hypertext model Use of hypertext in World Wide Web (WWW) WWW client-server model Use of TCP/IP protocols in WWW.

Module 5 BIND Configuration. named.conf – controls operational features Located - Linux: /etc/named.conf /etc/bind/named.conf Located- BSD: /usr/local/etc/named.conf.

Chapter 16 – The Domain Name System (DNS) Presented by Shari Holstege Tuesday, June 18, 2002.

Module 8 DNS Tools & Diagnostics. Objectives Understand dig and nslookup Understand BIND toolset Understand BIND logs Understand wire level messages.

Secured Dynamic Updates. Caution Portions of this slide set present features that do not appear in BIND until BIND 9.3 –Snapshot code is available for.

BIND THE DNS SERVER TO USE !. DNS Domain Name Services Name to IP resolving /etc/hosts /etc/resolv.conf.

1 Securing Data and Communication. 2 Module - Securing Data and Communication ♦ Overview Data and communication over public networks like Internet can.

Objectives Discuss the basics of the Domain Name System (DNS) and its terminology Configure DNS clients Install a standard DNS server on Server 2008 Create.

ACCESS CONTROL MANAGEMENT Project Progress (as of March 3) By: Poonam Gupta Sowmya Sugumaran.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Practicalities.

Module 6: Managing and Monitoring Domain Name System (DNS)

11 MANAGING AND MONITORING DNS Chapter 4. Chapter 4: MANAGING AND MONITORING DNS2 DNS MANAGEMENT TOOLS  DNS console  Nslookup  DNSLint  Logging features.

1 Internet Network Services. 2 Module - Internet Network Services ♦ Overview This module focuses on configuring and customizing the servers on the network.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

DNS Session 5 Additional Topics Joe Abley AfNOG 2006, Nairobi, Kenya.

Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.

Module 8 DNS Tools & Diagnostics. Dig always available with BIND (*nix) and windows Nslookup available on windows and *nix Dig on windows – unpack zip,

Your friend, Bluestem. What is Bluestem? “Bluestem is a software system which enables one or more high-security SSL HTTP servers in a domain (entrusted.

OpenDNSSEC Deployment Tianyi Xing. Roadmap By mid-term – Establish a DNSSEC server within the mobicloud system (Hopfully be done by next week) Successfully.

CIS 192B – Lesson 2 Domain Name System. CIS 192B – Lesson 2 Types of Services Infrastructure –DHCP, DNS, NIS, AD, TIME Intranet –SSH, NFS, SAMBA Internet.

DNS server & Client Objectives –to learn how to setup dns servers Contents –An Introduction to DNS –How To Download and Install The BIND Packages –How.

Linux Operations and Administration

Sample DNS configurations. Example 1: Master 'master' DNS and is authoritative for this zone for example.com provides 'caching' services for all other.

Linux Operations and Administration

By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.

Web Server Administration Chapter 4 Name Resolution.

1 CMPT 471 Networking II DNS © Janice Regan,

Module 4 DNS Installation. DNS Software BIND (80+ %) Berkeley Internet Name Domain NSD (Name Server Daemon)

OPTION section It is the first section of the named.conf User can use only one option statement and many option-value pair under the section. Syntax is.

Role of Router. The Router as a Perimeter Device  Usually the main function of a router is considered as the forwarding of packets between two network.

DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access

AfNOG-2003 Domain Name System (DNS) Ayitey Bulley Setting up an Authoritative Name Server.

What's so hard about DNSSEC? Paul Ebersman – May 2016 RIPE72 – Copenhagen 1.

Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.

Security Issues with Domain Name Systems

BIND Part 2 pschiu.

DNS Session 5 Additional Topics

Chapter 19 Domain Name System (DNS)

Managing Name Resolution

A New Approach to DNS Security (DNSSEC)

Presentation transcript:

RNDC & TSIG

What is RNDC? Remote Name Daemon Controller Command-line control of named daemon Usually on same host, can be across hosts –Locally or remotely

Configuring RNDC "rndc-confgen" generates lines to be added to two files –rndc.conf –named.conf

Generating the lines: > rndc-confgen key “rndc-key” { algorith hmac-md5; secret “rXxroiejf8937Bjf_+-532ktj/==“; }; Options { default-key “rndc-key”; default-server ; default-port 953; #End of rndc.conf # User with the followign in named.conf, adjusting the # allow list as needed # key “rndc-key” { # algorithm hmac-md5; #secret “rXxroiejf8937Bjf_+-532ktj/==“; #}; # controls { #inet port 953 #allow { ; } keys { “rndc-key” }; #};

Using an rndc.conf file /etc/rndc.conf specifies defaults for rndc E.g., key "rndc-key" { algorithm hmac-md5; secret "dY7/uIiR0fKGvi5z50+Q=="; }; options { default-key "rndc-key"; default-server ; default-port 953; };

Enabling RNDC in the server – named.conf key definition key rndc_key { secret "dY7/uIiR0fKGvi5z50+Q=="; algorithm hmac-md5; }; –Warning: example secret looks good but is invalid (don't copy it!) controls statement controls { inet port 953 // for remote host, use allow { ; } // actual IP keys { "rndc-key"; }; };

What can be done with RNDC > rndc stop - kills server > rndc status - prints some information > rndc stats - generates stat file (named.stats) > rndc reload - refresh zone(s), with variations > rndc trace - increases debug level > rndc flush - removes cached data other commands in the ARM

What is TSIG - Transaction Signature? A mechanism for protecting a message from a primary to secondary and vice versa A keyed-hash is applied (like a digital signature) so recipient can verify message –DNS question or answer –& the timestamp Based on a shared secret - both sender and receiver are configured with it

What is TSIG - Transaction Signature? TSIG (RFC 2845) –authorizing dynamic updates & zone transfers –authentication of caching forwarders Used in server configuration, not in zone file

Names and Secrets TSIG name –A name is given to the key, the name is what is transmitted in the message (so receiver knows what key the sender used) TSIG secret value –A value determined during key generation –Usually seen in Base64 encoding

Transaction Signature: TSIG TSIG (RFC 2845) –authorizing dynamic updates & zone transfers –authentication of caching forwarders –can be used without deploying other features of DNSSEC One-way hash function over: –DNS question or answer –& the timestamp Signed with “shared secret” key Used in server configuration, not in zone file

Names and Secrets 'Looks' like the rndc key –BIND uses same interface for TSIG and RNDC keys

Using TSIG to protect AXFR Deriving a secret > dnssec-keygen -a -b -n host e.g. > dnssec-keygen –a HMAC-MD5 –b 128 –n HOST ns1-ns2.pcx.net This will generate the key > Kns1-ns2.pcx.net >ls  Kns1-ns2.pcx.net key  Kns1-ns2.pcx.net private

Using TSIG to protect AXFR Configuring the key –in named.conf file, same syntax as for rndc –key { algorithm...; secret...;} Making use of the key –in named.conf file –server x { key...; } –where 'x' is an IP number of the other server

Configuration Example – named.conf Primary server key ns1-ns2.pcx. net{ algorithm hmac-md5; secret "APlaceToBe"; }; server { keys {ns1-ns2.pcx.net;}; }; zone "my.zone.test." { type master; file...; allow-transfer { key ns1-ns2..pcx.net ;}; }; Secondary server key ns1-ns2.pcx.net { algorithm hmac-md5; secret "APlaceToBe"; }; server { keys {ns1-ns2.pcx.net;}; }; zone "my.zone.test." { type slave; file...; masters { ;}; allow-transfer { key ns1-ns2.pcx.net;}; }; You can save this in a file and refer to it in the named.conf using ‘include’ statement: include “/var/named/master/tsig-key-ns1-ns2”;

TIME!!! TSIG is time sensitive - to stop replays –Message protection expires in 5 minutes –Make sure time is synchronized –For testing, set the time –In operations, (secure) NTP is needed

Other uses of TSIG TSIG was designed for other purposes as well –Protecting sensitive stub resolvers This has proven hard to accomplish –Dynamic Update Discussed later, securing this relies on TSIG

Questions ?