Michael Orlitzky <mjo <at> gentoo.org> writes:

>
> On 06/16/2014 02:15 PM, James wrote:
> > Hello,
> >
> > I'm reading up on how to secure DNS primary and secondary servers.
> > I guess DNSSEC is pretty important. Any other areas I should read
> > up on? It's been a few years since I admin'd a dns server....
>
> The benefits of DNSSEC are debatable. We're moving the centralized trust
> from one group of scumbags (the CAs) to another group of scumbags (the
> registrars). So the benefits to authentication are not entirely clear-cut.
>
> But, DNSSEC will eventually allow us to do away with the SSL racket, and
> that can only improve security through the widespread adoption of
> encryption. So it's a good thing either way.

I'm just reading at this point. Listening to folks too. I have formed
no opinions (yet).

Here is a nice, general listing:

[1]
http://csrc.nist.gov/groups/SMA/fasp/documents/network_security/NISTSecuringDNS/NISTSecuringDNS.htm


> There's a video of DJB at the 27c3 conference floating around where he
> discusses some of this stuff. Some of his points shouldn't be taken
> seriously, but it's entertaining nevertheless.

I thought DJB was mostly deprecated. He's still preaching dns security,
yet does not update his offerings? Interestingly strange.


> > Also, look for gentoo centric DNS primary solutions, I see
> > no mention of hardened, up-mounted or read only partitions,
> > etc etc. I'm wondering if anyone has some general suggestions
> > on how to keep a gentoo dns primary only machine secure.
> >
>
> Sven Vermeulen maintains some general suggestions here:
>
> http://dev.gentoo.org/~swift/docs/security_benchmarks/

Sven is great. So just the generic hardened remedies, nothing
special to DNS servers or services, from my quick parse of his
documents on hardened?

Sven's also into "selinux". I see no selinux policies
or rules. Maybe I should drop him a line about selinux related to
dns primary servers? Surely a selinux policy for a primary only
selinux dns server would be keen? Not needed? Overkill?
I was going to read up a bit, before asking him questions I should
have discovered from robust research on the subject......


> > The iptables suggestions seem trite and old.
> Which suggestion? For a DNS server, you probably want something like,
>
> iptables -P INPUT DROP
> iptables -A INPUT -p ALL -i lo -j ACCEPT
> iptables -A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED \
>   -j ACCEPT
> iptables -A INPUT -p ALL -m conntrack --ctstate INVALID -j DROP
> # Allow SSH, up to you
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> # And allow DNS traffic
> iptables -A INPUT -p udp --dport 53 -j ACCEPT
> iptables -A INPUT -p tcp --dport 53 -j ACCEPT


Ah, you've added to this iptables listing:

http://wiki.gentoo.org/wiki/BIND/Tutorial

So, I am looking for a minimal listing of flags that is sufficient
for a dns primary server, ssh and only necessary other services
(make.conf).

I'm thinking there should be a tremendously reduced set of C libraries
so as to remove potential issues found on other services, or a
secure, blessed C library commonly used for ultra tight servers.

I was also thinking of not mounting some partitions rw, but r only
so a manual reboot would be needed to modify settings critical to
security on the primary server. Good idea? Other similar ideas?

"eix dns" reveals many servers, tools and complementary software.
Also, /usr/portage/net-dns/ has some ebuilds not discovered by
eix. Any recommended or useful for dns security issues?

Any guidance on those?

secure dns servers: sheerdns, maradns

TOOLS to test the security of a dns server?
fpdns, dnscap, validns, dnstop (with alarms or logging?)
dnshijacker, dnscap, dnstracer, etc etc?

New, relevant DNS RFCs?

It's more ideas on subjects I should read up on, or specifically
targeted responses from those current on dns security issues, like
ISPs that practice dns-hijacking for their selfish desires and expose
others in the process:

[2] http://en.wikipedia.org/wiki/DNS_hijacking#Manipulation_by_ISPs

CERT. I did find this singular issue:
Alert (TA13-088A) DNS Amplification Attacks

[3] https://www.us-cert.gov/ncas/alerts/TA13-088A

And this comprehensive listing of dns server issues:

http://search.us-cert.gov/search?utf8=✓&affiliate=us-cert&query=all+dns+server+alerts&commit=Search

As well as a current listing of dns server issues, which is
currently empty?

Anyone and Everyone is encouraged to "chime in" on dns server
security issues, particularly related to the primary servers
issues and protection strategies.

James
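The US-CERT amplification alert cited in the thread turns on one property of a primary: an authoritative-only server should not advertise recursion. As an added example (not from the thread, nor from any of the tools it names), here is a small Python check that parses a DNS response header and reports whether the server offered recursion; `build_query`, `probe` and the two sample responses are constructed for illustration and meant for servers you operate.

```python
import socket
import struct

QUERY_ID = 0x1234  # constructed transaction id used by the example

def build_query(name, txid=QUERY_ID):
    """Minimal DNS A/IN query in wire format with RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in name.strip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(resp):
    """Decode the 12-byte header; only the fields that matter here are returned."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,      # 0 = NOERROR, 5 = REFUSED
        "ancount": an,
    }

def recursion_offered(resp, txid=QUERY_ID):
    """True when the server advertises recursion and did not refuse the query.
    An authoritative-only primary should answer with RA clear or rcode REFUSED."""
    h = parse_header(resp)
    if h["id"] != txid or not h["qr"]:
        raise ValueError("not a response to our query")
    return h["ra"] and h["rcode"] != 5

def probe(server, name="example.com", timeout=2.0):
    """Send one query over UDP/53 to a server you operate and classify its answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        resp, _ = s.recvfrom(4096)
    return recursion_offered(resp)

# Constructed header-only responses (not captured from a real server):
OPEN_RESOLVER_RESP = struct.pack("!HHHHHH", QUERY_ID, 0x8180, 1, 1, 0, 0)  # QR|RD|RA, NOERROR
AUTH_ONLY_RESP = struct.pack("!HHHHHH", QUERY_ID, 0x8105, 1, 0, 0, 0)      # QR|RD, REFUSED
```

A primary that returns `True` from `probe` is answering recursive queries for anyone and is usable as an amplifier; in BIND that is what `recursion no;` (or an `allow-recursion` ACL) turns off.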