| 1 |
Michael Orlitzky <mjo <at> gentoo.org> writes: |
| 2 |
|
| 3 |
> |
| 4 |
> On 06/16/2014 02:15 PM, James wrote: |
| 5 |
> > Hello, |
| 6 |
> > |
| 7 |
> > I'm reading up on how to secure DNS primary and secondary servers. |
| 8 |
> > I guess DNSSEC is pretty important. Any other areas I should read |
| 9 |
> > up on? It's been a few years since I admin'd a dns server.... |
| 10 |
> |
| 11 |
> The benefits of DNSSEC are debatable. We're moving the centralized trust |
| 12 |
> from one group of scumbags (the CAs) to another group of scumbags (the |
| 13 |
> registrars). So the benefits to authentication are not entirely clear-cut. |
| 14 |
> |
| 15 |
> But, DNSSEC will eventually allow us to do away with the SSL racket, and |
| 16 |
> that can only improve security through the widespread adoption of |
| 17 |
> encryption. So it's a good thing either way. |
| 18 |
|
| 19 |
I'm just reading at this point. Listening to follks too. I have formed |
| 20 |
no options (yet). |
| 21 |
|
| 22 |
Here is a nice, general listing: |
| 23 |
|
| 24 |
[1] |
| 25 |
http://csrc.nist.gov/groups/SMA/fasp/documents/network_security/NISTSecuringDNS/NISTSecuringDNS.htm |
| 26 |
|
| 27 |
|
| 28 |
> There's a video of DJB at the 27c3 conference floating around where he |
| 29 |
> discusses some of this stuff. Some of his points shouldn't be taken |
| 30 |
> seriously, but it's entertaining nevertheless. |
| 31 |
|
| 32 |
I thought DJB was mostly deprecated. He's still preaching dns security, |
| 33 |
yet does not update his offernings? Interestingly strange. |
| 34 |
|
| 35 |
|
| 36 |
> > Also, look for gentoo centric DNS primary solutions, I see |
| 37 |
> > no mention of hardened, up-mounted or read only partitions, |
| 38 |
> > etc etc. I wondering if anyone has some general suggestions |
| 39 |
> > on how to keep a gentoo dns primary only machine secure. |
| 40 |
> > |
| 41 |
> |
| 42 |
> Sven Vermeulen maintains some general suggestions here: |
| 43 |
> |
| 44 |
> http://dev.gentoo.org/~swift/docs/security_benchmarks/ |
| 45 |
|
| 46 |
Sven is great. So just the generic hardened remedies, nothing |
| 47 |
special to DNS servers or services, from my quick parse of his |
| 48 |
documents on hardened? |
| 49 |
|
| 50 |
|
| 51 |
Sven's also into "selinux". I see no selinux policies |
| 52 |
or rules. Maybe I should drop him a line about selinux related to |
| 53 |
dns primary servers? Surely a selinux policy for a primary only |
| 54 |
selinux dns server would been keen? Not needed ? Overkill ? |
| 55 |
I was going to read up a bit, before asking him questions I should |
| 56 |
have discovered from robust research on the subject...... |
| 57 |
|
| 58 |
|
| 59 |
|
| 60 |
> > The iptables suggests seem trite and old. |
| 61 |
> Which suggestion? For a DNS server, you probably want something like, |
| 62 |
> |
| 63 |
> iptables -P INPUT DROP |
| 64 |
> iptables -A INPUT -p ALL -i lo -j ACCEPT |
| 65 |
> iptables -A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED \ |
| 66 |
> -j ACCEPT |
| 67 |
> iptables -A INPUT -p ALL -m conntrack --ctstate INVALID -j DROP |
| 68 |
> # Allow SSH, up to you |
| 69 |
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT |
| 70 |
> # And allow DNS traffic |
| 71 |
> iptables -A INPUT -p udp --dport 53 -j ACCEPT |
| 72 |
> iptables -A INPUT -p tcp --dport 53 -j ACCEPT |
| 73 |
|
| 74 |
|
| 75 |
Ah, you've added to this iptables listing: |
| 76 |
|
| 77 |
http://wiki.gentoo.org/wiki/BIND/Tutorial |
| 78 |
|
| 79 |
|
| 80 |
So, I am looking for a minimal listing of flags that is sufficient |
| 81 |
for a dns primary server, ssh and only necessary other services |
| 82 |
(make.conf). |
| 83 |
|
| 84 |
I'm thinking there should be tremendously reduced set of C libraries |
| 85 |
so as to remove potential issues found on other services, or a |
| 86 |
secure, blessed C library commonly used for ultra tight servers. |
| 87 |
|
| 88 |
I was also thinking of not mounting some partitions rw, but r only |
| 89 |
so a manual reboot would be need to modify settings critical to |
| 90 |
security on the primary server. Good idea? Other similar ideas? |
| 91 |
|
| 92 |
|
| 93 |
"eix dns" revels many servers, tools and complimentary softwares. |
| 94 |
also, /usr/portage/net-dns/ has some ebuilds not discovered by |
| 95 |
eix. Any recommended or useful for dns security issues? |
| 96 |
|
| 97 |
Any guidance of those? |
| 98 |
|
| 99 |
secure dns servers: sheerdns, maradns |
| 100 |
|
| 101 |
TOOLS to test the security of a dns server? |
| 102 |
fpdns, dnscap, validns, dnstop (with alarms or logging?) |
| 103 |
dnshijacker, dnscap, dnstracer, etc etc? |
| 104 |
|
| 105 |
New, relevant DNS RFC's ? |
| 106 |
|
| 107 |
|
| 108 |
It's more ideas on subjects I should read up on, or specifically |
| 109 |
targeted responses from those current on dns security issues, like |
| 110 |
ISP that practice dns-hijacking for their selfished desires and expose |
| 111 |
others in the process: |
| 112 |
|
| 113 |
[2] http://en.wikipedia.org/wiki/DNS_hijacking#Manipulation_by_ISPs |
| 114 |
|
| 115 |
|
| 116 |
CERT. I did find this singular issue: |
| 117 |
Alert (TA13-088A) DNS Amplification Attacks |
| 118 |
|
| 119 |
[3] https://www.us-cert.gov/ncas/alerts/TA13-088A |
| 120 |
|
| 121 |
And this compreshensive listing of dns server issues: |
| 122 |
|
| 123 |
http://search.us-cert.gov/search?utf8=✓&affiliate=us-cert&query=all+dns+server+alerts&commit=Search |
| 124 |
|
| 125 |
As well as a current listing of dns server issues, which is |
| 126 |
currently empty? |
| 127 |
|
| 128 |
|
| 129 |
Anyone and Everyone is encouraged to "chime in" on dns server |
| 130 |
security issues, particularly related to the primary servers |
| 131 |
issues and protection strategies. |
| 132 |
|
| 133 |
|
| 134 |
James |
Archives