1 |
On 06/16/2014 08:57 PM, James wrote: |
2 |
> Michael Orlitzky <mjo <at> gentoo.org> writes: |
3 |
> |
4 |
>> On 06/16/2014 02:15 PM, James wrote: |
5 |
>>> Hello, |
6 |
>>> |
7 |
>>> I'm reading up on how to secure DNS primary and secondary servers. |
8 |
>>> I guess DNSSEC is pretty important. Any other areas I should read |
9 |
>>> up on? It's been a few years since I admin'd a dns server.... |
10 |
>> The benefits of DNSSEC are debatable. We're moving the centralized trust |
11 |
>> from one group of scumbags (the CAs) to another group of scumbags (the |
12 |
>> registrars). So the benefits to authentication are not entirely clear-cut. |
13 |
except for the preventions of dns injection/ spoof floods |
14 |
>> But, DNSSEC will eventually allow us to do away with the SSL racket, and |
15 |
>> that can only improve security through the widespread adoption of |
16 |
>> encryption. So it's a good thing either way. |
17 |
> Sven's also into "selinux". I see no selinux policies or rules. Maybe |
18 |
> I should drop him a line about selinux related to dns primary servers? |
19 |
> Surely a selinux policy for a primary only selinux dns server would |
20 |
> been keen? Not needed ? Overkill ? |
21 |
how paranoid are you? |
22 |
are you using SSL and fear the heartbleed will appear here too? |
23 |
> I was going to read up a bit, before asking him questions I should |
24 |
> have discovered from robust research on the subject...... |
25 |
> |
26 |
> |
27 |
> |
28 |
>>> The iptables suggests seem trite and old. |
29 |
>> Which suggestion? For a DNS server, you probably want something like, |
30 |
>> |
31 |
>> iptables -P INPUT DROP |
32 |
>> iptables -A INPUT -p ALL -i lo -j ACCEPT |
33 |
>> iptables -A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED \ |
34 |
>> -j ACCEPT |
35 |
>> iptables -A INPUT -p ALL -m conntrack --ctstate INVALID -j DROP |
36 |
>> # Allow SSH, up to you |
37 |
>> iptables -A INPUT -p tcp --dport 22 -j ACCEPT |
38 |
>> # And allow DNS traffic |
39 |
>> iptables -A INPUT -p udp --dport 53 -j ACCEPT |
40 |
>> iptables -A INPUT -p tcp --dport 53 -j ACCEPT |
41 |
how secure do you need this to be? how about |
42 |
iptables -A OUTPUT -m state RELATED,ESTABLISHED -j ACCEPT |
43 |
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT |
44 |
iptables -A OUTPUT DROP |
45 |
in case your machine gets hacked ? |
46 |
do you control all the clients connecting to the DNS ? then disable UDP |
47 |
dns which is what the entire world uses, and then you can much more |
48 |
easily control spoof flood amplification |
49 |
> |
50 |
> Ah, you've added to this iptables listing: |
51 |
> |
52 |
> http://wiki.gentoo.org/wiki/BIND/Tutorial |
53 |
> |
54 |
> |
55 |
> So, I am looking for a minimal listing of flags that is sufficient |
56 |
> for a dns primary server, ssh and only necessary other services |
57 |
> (make.conf). |
58 |
it all depends on where the balance lays for you. do you have a text |
59 |
only requirement for dns and no ssl ? |
60 |
do you require ldap support or ip6 ? |
61 |
a minimal set for ISC BIND i think is nothing -- you can boot minimal |
62 |
gentoo and websync and emerge net-dns/bind |
63 |
a minimal gentoo running bind can easily fit with into a couple of GB |
64 |
(or nothing with PXE boot) and 256MB RAM so you can have a hundred boxes |
65 |
working in tandem. |
66 |
assuming of course you have very small zones to load |
67 |
> |
68 |
> I'm thinking there should be tremendously reduced set of C libraries |
69 |
> so as to remove potential issues found on other services, or a |
70 |
> secure, blessed C library commonly used for ultra tight servers. |
71 |
you might also like to consider looking at embedded setups or |
72 |
alternative to glibc such as uclibc but this is a little offtopic. |
73 |
> I was also thinking of not mounting some partitions rw, but r only |
74 |
> so a manual reboot would be need to modify settings critical to |
75 |
> security on the primary server. Good idea? Other similar ideas? |
76 |
> |
77 |
A wise idea, but then you are trading off manageability for security. |
78 |
ah security, the eternal balance, and only you can know where the |
79 |
tipping point lies. |