thegeezer <thegeezer <at> thegeezer.net> writes:

> generally using something like ISC BIND you can set filters and easily
> create an external view and internal view, so that you can do split dns
> based on network connection. if doing something like this test it and
> then test it again to make sure there is no leak due to a typo.
>
> it would be easier if we knew what you were standing up the servers for.
> if it is for example your own domain name, you want something simple
> like a couple of A addresses and an MX record then you don't need to
> deviate much.

Well some things will be very simple (minimal). Then, there is a "portal"
I'm researching where we run all sorts of applications very securely,
for one person at a time. It's eventually (hopefully) going to be
a full LMS (Learning Management System), something comprehensive, maybe even
www-apps/moodle and/or SWAD. Eventually a full ecommerce system, just
for one company, not as a service to others.

But for now, just running various forms of secure, minimized DNS. Some
machine controls (SCADA) will use the DNS as part of the SSL services.

> if you are looking for dynamic dns updates you want to make sure you
> have auth by secured ip (encrypted traffic) and you want to guard your
> keys to allow DDNS.
>
> DNSSec is to prevent MITM attacks such as DNS cache poisoning, and you
> can see some starter material at ISC BIND website [1]

DNSSEC will be down the road. I have time to build, test, research
and adjust the strategy as this goes along. It's not fixing a desperate
situation; more along the lines of building up various secure DNS platforms
along an increasing feature set.

> In terms of "hack my dns server" there are many things that can hamper
> it - something at the bleeding edge like gentoo is ace for this kind of
> thing (*cough* centos is prehistoric *cough*) and if you were to load up
> metasploit with ISC specific filters you can try to see what is
> vulnerable. you can filter by CVE on your favourite website [2]

Yep:
http://cyberarms.wordpress.com/2014/04/20/detecting-openssl-heartbleed-with-nmap-exploiting-with-metasploit/

I got that, hence the advice is being sought out, first.

> If the server is public facing then you want to be wary of such goodies
> as recursive lookups as these can contribute to DoS attacks. you might
> also like to try flooding the server with DNS or spoofed ip and see what
> it responds to. these are not necessarily dns server specific but UDP
> server specific and you can start to get an idea of scalability.

One of the things I like to do is profile the traffic, particularly
in "well behaved, machine control networks" with IP services first.
Then open them up and gather some statistics, to start to develop
some heuristics for patterns and volumes of expected and unexpected
traffic flows...

That will be for later.

> in terms of primary to secondary then you have to question the
> underlying layers -- is this being xferred across the internet ?
> internally over vpn ? are your secondary servers going to be full
> secondaries or just caching forwarders ? how will you control zone
> transfers ? consider filtering the type of queries, and the size
> of queries
>
> also consider the consequences of a hack. use selinux or similar, make
> sure dns running in its own username and/or namespace. primary target
> though has to be to change dns zones, so to make www.example.com map to
> www.clickads.com, so make sure that you have a remote server doing
> lookups regularly and report anomalies.
>
> hope this gives you a few directions to explore!

Yep, THANKS!
James

> [1] http://www.isc.org/downloads/bind/dnssec/
> [2] https://kb.isc.org/article/AA-00913/0/BIND-9-Security-Vulnerability-Matrix.html
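As an added example (not written by either poster), the points raised in the thread about BIND views for split DNS, guarding DDNS keys, restricting recursion on a public-facing server and controlling zone transfers can be put together in one named.conf sketch. Every address, zone name, file path and key name below is a placeholder; the secrets are to be generated locally (for example with tsig-keygen) and never reused between the update key and the transfer key.

```conf
// Added example, not from the thread: a split-horizon BIND 9 named.conf.
// All names, addresses, paths and key names are placeholders.

acl "internal-nets" {
    127.0.0.0/8;
    10.0.0.0/8;          // placeholder: LAN / SCADA ranges
};

acl "secondaries" {
    198.51.100.2;        // placeholder: off-site secondary
};

// Two separate TSIG keys: a leaked update key must not also allow AXFR.
key "ddns-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};

key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-ANOTHER-BASE64-SECRET";
};

// Sign NOTIFY and transfer traffic to the secondary with the transfer key.
server 198.51.100.2 {
    keys { "xfer-key"; };
};

options {
    directory "/var/bind";
    listen-on { 10.0.0.53; 192.0.2.53; };    // placeholders: inside / outside addresses
    listen-on-v6 { none; };
    version "not disclosed";                  // do not advertise the BIND version
    recursion no;                             // global default: authoritative only
    allow-transfer { none; };                 // global default: no AXFR unless a zone allows it
    minimal-responses yes;                    // smaller answers, less amplification value
    rate-limit { responses-per-second 10; };  // RRL against reflection floods (BIND >= 9.10)
};

// Internal view: LAN clients get recursion and the private zone contents.
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;
    allow-recursion { "internal-nets"; };
    allow-query-cache { "internal-nets"; };

    zone "." {
        type hint;
        file "named.cache";
    };

    zone "example.com" {
        type master;
        file "internal/example.com.zone";
        // Only TSIG-signed updates, and only for names below the zone apex.
        update-policy { grant "ddns-key" zonesub ANY; };
        allow-transfer { key "xfer-key"; };
    };
};

// External view: everyone else gets authoritative answers only, no recursion.
view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };

    zone "example.com" {
        type master;
        file "external/example.com.zone";     // separate file: only public names live here
        allow-update { none; };
        allow-transfer { key "xfer-key"; };
        also-notify { 198.51.100.2; };
    };
};
```

Check the file with named-checkconf before loading it, then do the "test it and test it again" step from the thread: query an internal-only name with dig against the outside address from a host that is not in internal-nets and confirm it gets NXDOMAIN, and try an unsigned AXFR from the same place and confirm it is refused. TSIG only authenticates updates and transfers; if the secondary is reached across the internet and the zone contents themselves must stay private, the transfer still needs a VPN or other encrypted path underneath it. For the last point in the thread, a periodic dig of the public names from an off-site host, compared against the expected records, is what catches a rewritten zone.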