| 1 |
On 06/16/2014 08:57 PM, James wrote: |
| 2 |
> Michael Orlitzky <mjo <at> gentoo.org> writes: |
| 3 |
> |
| 4 |
>> On 06/16/2014 02:15 PM, James wrote: |
| 5 |
>>> Hello, |
| 6 |
>>> |
| 7 |
>>> I'm reading up on how to secure DNS primary and secondary servers. |
| 8 |
>>> I guess DNSSEC is pretty important. Any other areas I should read |
| 9 |
>>> up on? It's been a few years since I admin'd a dns server.... |
| 10 |
>> The benefits of DNSSEC are debatable. We're moving the centralized trust |
| 11 |
>> from one group of scumbags (the CAs) to another group of scumbags (the |
| 12 |
>> registrars). So the benefits to authentication are not entirely clear-cut. |
| 13 |
except for the preventions of dns injection/ spoof floods |
| 14 |
>> But, DNSSEC will eventually allow us to do away with the SSL racket, and |
| 15 |
>> that can only improve security through the widespread adoption of |
| 16 |
>> encryption. So it's a good thing either way. |
| 17 |
> Sven's also into "selinux". I see no selinux policies or rules. Maybe |
| 18 |
> I should drop him a line about selinux related to dns primary servers? |
| 19 |
> Surely a selinux policy for a primary only selinux dns server would |
| 20 |
> been keen? Not needed ? Overkill ? |
| 21 |
how paranoid are you? |
| 22 |
are you using SSL and fear the heartbleed will appear here too? |
| 23 |
> I was going to read up a bit, before asking him questions I should |
| 24 |
> have discovered from robust research on the subject...... |
| 25 |
> |
| 26 |
> |
| 27 |
> |
| 28 |
>>> The iptables suggests seem trite and old. |
| 29 |
>> Which suggestion? For a DNS server, you probably want something like, |
| 30 |
>> |
| 31 |
>> iptables -P INPUT DROP |
| 32 |
>> iptables -A INPUT -p ALL -i lo -j ACCEPT |
| 33 |
>> iptables -A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED \ |
| 34 |
>> -j ACCEPT |
| 35 |
>> iptables -A INPUT -p ALL -m conntrack --ctstate INVALID -j DROP |
| 36 |
>> # Allow SSH, up to you |
| 37 |
>> iptables -A INPUT -p tcp --dport 22 -j ACCEPT |
| 38 |
>> # And allow DNS traffic |
| 39 |
>> iptables -A INPUT -p udp --dport 53 -j ACCEPT |
| 40 |
>> iptables -A INPUT -p tcp --dport 53 -j ACCEPT |
| 41 |
how secure do you need this to be? how about |
| 42 |
iptables -A OUTPUT -m state RELATED,ESTABLISHED -j ACCEPT |
| 43 |
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT |
| 44 |
iptables -A OUTPUT DROP |
| 45 |
in case your machine gets hacked ? |
| 46 |
do you control all the clients connecting to the DNS ? then disable UDP |
| 47 |
dns which is what the entire world uses, and then you can much more |
| 48 |
easily control spoof flood amplification |
| 49 |
> |
| 50 |
> Ah, you've added to this iptables listing: |
| 51 |
> |
| 52 |
> http://wiki.gentoo.org/wiki/BIND/Tutorial |
| 53 |
> |
| 54 |
> |
| 55 |
> So, I am looking for a minimal listing of flags that is sufficient |
| 56 |
> for a dns primary server, ssh and only necessary other services |
| 57 |
> (make.conf). |
| 58 |
it all depends on where the balance lays for you. do you have a text |
| 59 |
only requirement for dns and no ssl ? |
| 60 |
do you require ldap support or ip6 ? |
| 61 |
a minimal set for ISC BIND i think is nothing -- you can boot minimal |
| 62 |
gentoo and websync and emerge net-dns/bind |
| 63 |
a minimal gentoo running bind can easily fit with into a couple of GB |
| 64 |
(or nothing with PXE boot) and 256MB RAM so you can have a hundred boxes |
| 65 |
working in tandem. |
| 66 |
assuming of course you have very small zones to load |
| 67 |
> |
| 68 |
> I'm thinking there should be tremendously reduced set of C libraries |
| 69 |
> so as to remove potential issues found on other services, or a |
| 70 |
> secure, blessed C library commonly used for ultra tight servers. |
| 71 |
you might also like to consider looking at embedded setups or |
| 72 |
alternative to glibc such as uclibc but this is a little offtopic. |
| 73 |
> I was also thinking of not mounting some partitions rw, but r only |
| 74 |
> so a manual reboot would be need to modify settings critical to |
| 75 |
> security on the primary server. Good idea? Other similar ideas? |
| 76 |
> |
| 77 |
A wise idea, but then you are trading off manageability for security. |
| 78 |
ah security, the eternal balance, and only you can know where the |
| 79 |
tipping point lies. |
Archives