Presentation is loading. Please wait.

Presentation is loading. Please wait.

DNS & Mail in the DMZ Jason Heiss Collective Technologies

Published byJacob Watson Modified over 9 years ago

Similar presentations

Presentation on theme: "DNS & Mail in the DMZ Jason Heiss Collective Technologies"— Presentation transcript:

1 DNS & Mail in the DMZ Jason Heiss Collective Technologies jheiss@ofb.netjheiss@ofb.net jheiss@colltech.comjheiss@colltech.com

2 Firewall Architectures

3 Screening Router Architecture

4 Screened Subnet Architecture

5 DNS (Domain Name Service)

6 Goals Separate internal and external DNS servers –Limit the information about your network that is publicly available –Protect the internal DNS server from attack Run as separate user –Successful attack on DNS server does not give root Run in chroot environment –Successful attack doesn’t expose entire server

7 Internal BIND Configuration named.conf options { forward only; forwarders { 1.2.3.4; 1.2.3.5;}; } zone “foo.net” { type master; file “foo.net”; } No root hints file Zone files contain full info

8 DMZ BIND Configuration named.conf acl slaves { 10.1.2.3; 192.168.1.1; }; options { version “”; directory “/”; # Really /var/named named-xfer “/bin/named.xfer”; allow-transfer { slaves; }; } zone “.” { type hint; file “root.hints”; }; zone “foo.net” {type master; file “foo.net”; }; Zone files contain only external hosts

9 Running BIND as Non-root User Very simple starting with BIND 8 –“named –u bind –g bind” The only things the bind user should be able to write to are files for slave zones –By default, these are dumped into the main directory (from named.conf) with somewhat random names –This directory, therefore, would need to be writeable by bind –Best to specify specific filenames for each slave zone in named.conf and make only those files writeable by bind

10 Running BIND in chroot Looks simple –“ named –t /var/named ” syslog –Can’t get at /var/run/log (or /dev/log or whatever) –“ syslog –l /var/named/var/run/log” –holelogd from Obtuse System’s utils packageObtuse System’s ndc –named makes a UNIX socket for ndc to talk to –mkdir /var/named/var/run –ln –s /var/named/var/run/ndc /var/run/ndc

11 Running BIND in chroot, cont. Slaves –Zone transfers to slaves use named-xfer –Must reside in chroot directory –Probably will require some dynamic libraries (or compile a static version of named-xfer) /usr/libexec/ld-elf.so.1 /usr/lib/libutil.so.3 /usr/lib/libc.so.4

12 ndc ndc, for the most part, works fine (reload, stop, etc.) with all of this special configuration –Need symlink from the real /var/run/ndc to the chroot /var/run/ndc if chroot’d ‘ndc start’ fires up named with no arguments –‘ndc start –u bind –g bind –t /var/named’

13 Complications Subdomains –client.foo.net queries intradns.foo.net for host.sub.foo.net –Intradns ignores delegation and forwards query to bastion host –Bastion host is authoritative for (limited) foo.net, doesn’t know about sub.foo.net, and thus returns NXDOMAIN

14 Complications, cont. Subdomains, cont. –If you are big enough to need subdomains, you can probably afford a couple extra PCs to separate external DNS from forwarders –See DNS & Bind (DNS and Internet Firewalls section) for extensive discussion of problems and solutions

15 Complications, cont. Double-reverse DNS lookups –Performed by many FTP sites –Server looks up hostname associated with connecting IP –Server then looks up IP associated with that hostname –This IP must match original –Requires unique A and PTR records for all public IPs –Good case for proxies or NAT/PAT (masquerading)

16 Mail

17 Goals Separate internal and external mail servers –Protects internal mail server(s) from attack –Provides choke point to apply filters Masquerading Virus scanning Run as separate user Run in chroot environment –Sendmail does not have a built-in chroot feature –Would be a good idea if your MTA supports it

18 Internal Sendmail Configuration FEATURE(`local_procmail')dnl FEATURE(`mailertable')dnl MAILER(`local')dnl MAILER(`smtp')dnl define(`SMART_HOST', `bastion.foo.net')dnl

19 Internal Sendmail Config, cont. /etc/mail/mailertable foo.net local:.foo.net local: /etc/mail/relay-domains foo.net

20 DMZ Sendmail Configuration MASQUERADE_AS(`foo.net')dnl FEATURE(`mailertable')dnl FEATURE(`access_db’)dnl MAILER(`smtp')dnl define(`confRUN_AS_USER', `mail:mail')dnl define(`confSMTP_LOGIN_MSG', `')dnl define(`confPRIVACY_FLAGS', `goaway')dnl

21 DMZ Sendmail Config, cont. /etc/mail/mailertable foo.net smtp:mailhub.foo.net.foo.net smtp:mailhub.foo.net /etc/mail/access Connect:mailhub.foo.net RELAY To:foo.net RELAY

22 Running Sendmail as Non-root User Queue should be owned by mail user so that Sendmail can queue mail temporarily Otherwise user should have no privileges

23 References BIND –Grasshopper (Cricket) book (O’Reilly) –Building Internet Firewalls (O’Reilly) –Linux HOWTO Sendmail –www.sendmail.org (Configuration Information)www.sendmail.org –www.sendmail.net (Good release notes)www.sendmail.net –ofb.net/~jheiss/sendmail_proxy.htmlofb.net/~jheiss/sendmail_proxy.html –Bat book (O’Reilly)

Download ppt "DNS & Mail in the DMZ Jason Heiss Collective Technologies"

Similar presentations

1 Dynamic DNS. 2 Module - Dynamic DNS ♦ Overview The domain names and IP addresses of hosts and the devices may change for many reasons. This module focuses.

1 Dynamic DNS. 2 Module - Dynamic DNS ♦ Overview The domain names and IP addresses of hosts and the devices may change for many reasons. This module focuses.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University

Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
School of Electrical Engineering and Computer Science, 2004 Slide 1 Autonomic DNS Experiment Architecture, Symptom and Fault Identification.

School of Electrical Engineering and Computer Science, 2004 Slide 1 Autonomic DNS Experiment Architecture, Symptom and Fault Identification.
2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.

2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.
Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.

Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.
DNS Session 4: Delegation and reverse DNS Joe Abley AfNOG 2006 workshop.

DNS Session 4: Delegation and reverse DNS Joe Abley AfNOG 2006 workshop.
DNS Domain Name System –name servers –Translates FDQN to IP address List of fully qualified domain names (FDQN) and their IP addresses, FDQN has three.

DNS Domain Name System –name servers –Translates FDQN to IP address List of fully qualified domain names (FDQN) and their IP addresses, FDQN has three.
DNS Domain name server – a server to translate IP aliases to addresses As you know, IP (internet protocol) works by providing every Internet machine with.

DNS Domain name server – a server to translate IP aliases to addresses As you know, IP (internet protocol) works by providing every Internet machine with.
DNS. DNS is a network service that enables clients to resolve names to IP address and vice-versa. Allows machines to be logically grouped by domain names.

DNS. DNS is a network service that enables clients to resolve names to IP address and vice-versa. Allows machines to be logically grouped by domain names.
1 DNS. 2 BIND DNS –Resolve names to IP address –Resolve IP address to names (reverse DNS) BIND –Berkeley Internet Name Domain system Version 4 is still.

1 DNS. 2 BIND DNS –Resolve names to IP address –Resolve IP address to names (reverse DNS) BIND –Berkeley Internet Name Domain system Version 4 is still.
The Domain Name System. CeylonLinux DNS concepts using BIND 2 Hostnames IP Addresses are great for computers –IP address includes information used for.

The Domain Name System. CeylonLinux DNS concepts using BIND 2 Hostnames IP Addresses are great for computers –IP address includes information used for.
J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 7 Network Perimeter Security.

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 7 Network Perimeter Security.
Chapter 10 Firewalls. Introduction seen evolution of information systems now everyone want to be on the Internet and to interconnect networks has persistent.

Chapter 10 Firewalls. Introduction seen evolution of information systems now everyone want to be on the Internet and to interconnect networks has persistent.
Recursive Server. Overview Recursive Service Root server list localhost 0.0.127.in-addr.arpa named.conf.

Recursive Server. Overview Recursive Service Root server list localhost in-addr.arpa named.conf.
Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.

Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.
DOMAIN NAMING SYSTEM (AN OVERVIEW) By -DEEPAK. Topics --DNS What is DNS? Purpose of DNS DNS configuration files.

DOMAIN NAMING SYSTEM (AN OVERVIEW) By -DEEPAK. Topics --DNS What is DNS? Purpose of DNS DNS configuration files.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

Similar presentations

Ads by Google