BIND and DNS Security
一、 TSIG(Transaction Signature 事务签名)配置
环境:主服务器:server1.example.com :192.168.32.31
辅助服务器:station2.example.com :192.168.32.32
客户端:station6.example.com :192.168.32.36
客户端:station7.example.com :192.168.32.37
example.com :192.168.32.0/24
原理:TSIG是以MD5加密算法的方式,认证DNS服务器间的数据传输。首先必须主服务器生成加密证书,之后将此证书传递给辅助服务器,经过配置后由辅助服务器以加密的方式送往主服务器的传输请求。TSIG是为了确保辅助服务器从主服务器复制得到的数据不是由假的服务器提供或者被篡改截取。
1、 主服务器配置
1.1 为TSIG创建密钥(tsig只支持对称算法)
[root@server1 ~]# cd /var/named/chroot/etc
[root@server1 etc]#dnssec-keygen -a HMAC-MD5 -b 128 -n HOST server1-station2
Kserver1-station2.+157+56068
#-a:指定加密算法为HMAC-MD5
#-b:指定密钥长度为128位
#-n HOST server1-station2:指定主机引用的key名,后面服务器的key都要引用此名sever1-station2
1.2 通过密钥对查看密钥字符串
[root@server1 etc]# cat Kserver1-station2.+157+64072.key
server1-station2. IN KEY 512 3 157 znbBQJb/E4sFYxZI0CHOnA==
[root@server1 etc]# cat Kserver1-station2.+157+64072.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: znbBQJb/E4sFYxZI0CHOnA== #密钥字符串
1.3 生成加密文件,并发送给辅助服务器
[root@server1 etc]#cat rndc.key >transfer2example.key
#rndc.key、transfer2example.key用来做加密的加密文件,名称随意定
[root@server1 etc]# vi transfer2example.key
key "server1-station2" { #密钥名为:server1-staiton2
algorithm hmac-md5;
secret "znbBQJb/E4sFYxZI0CHOnA=="; #密钥字符串
};
[root@server1 etc]#scp transfer2example.key 192.168.32.32:/var/named/chroot/etc/ transfer2example.key #将加密文件发送给辅助服务器
1.4 修改named.conf文件(如下仅部分内容)
[root@server1 etc]#vi named.conf
include "/etc/transfer2example.key";
#引用密钥文件,再此表全局配置,可放在区域文件中,chroot中相对目录
实际目录为:/var/named/chroot/etc/
options {
version "Windows 2008 DNS";
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// Those options should be used carefully because they disable port
// randomization
// query-source port 53;
// query-source-v6 port 53;
allow-recursion { any; };
allow-query { any; };
allow-query-cache { any; };
allow-transfer { key server1-station2; };
#指定拥有server1-staiton2密钥的辅助服务器可以传输文件,可放在区域文件中
};
2 辅助服务器配置
2.1 配置named.conf文件(如下仅部分内容)
[root@station2 etc]# vi named.conf
include "/etc/transfer2example.key";
#指定加密文件,系主服务器发送过来,可放在区域中
server 192.168.32.31 {
keys { server1-station2; };
};
#指定主服务器,并指定传输所有密钥名,可放在区域中
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
allow-query-cache { any; };
allow-transfer { none; };
};
2.2 修改named.rfc1912.zones文件(如下紧部分内容)
[root@station2 etc]# cat named.rfc1912.zones
zone "example.com" IN {
type slave; #服务器类型为辅助
file "slaves/example.com.zone"; #指定区域文件
masters { 192.168.32.31; }; #指定主服务器
allow-update { any; };
};
zone "32.168.192.in-addr.arpa" IN {
type slave;
file "slaves/192.168.32";
masters { 192.168.32.31; };
allow-update { any; };
};
二、 限制递归查询
递归查询:客户端先向服务器查询,如果服务器没有查询记录,服务器会帮助客户去查询,然后将结果给客户。
迭代查询(反复查询):客户端先向服务器查询,服务器只告诉客户有无查询记录,无记录,客户则会直接查询根服务器,从根开始从上到下反复查询。
1、 服务器(192.168.32.31)配置,同上不变
2、 转发服务器(192.168.32.32)配置
[root@station2 ~]# cd /var/named/chroot/etc
[root@station2 etc]# vi named.conf
include "/etc/transfer2example.key";
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
allow-query-cache { any; };
allow-transfer { none; };
forwarders { 192.168.32.31; }; #指定转发给主服务器地址
forward only; #本服务器只做转发
allow-recursion { 192.168.32.0/24; };
#允许对192.168.32.0/24网段的客户端递归查询
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
server 192.168.32.31 {
keys { server1-station2; };
};
view any_resolver {
match-clients { 192.168.32.37; };
match-destinations { any; };
recursion no ; #不对192.168.32.37客户端做递归查询
};
[root@station2 etc]# rndc flush #清空缓存
3、 客户端测试
[root@station6 sysconfig]# nslookup server1.example.com.
Server: 192.168.32.32
Address: 192.168.32.32#53
Name: server1.example.com
Address: 192.168.32.31
#由于允许对192.168.32.0/24中所有客户端都做递归查询,则station6可以查询到记录
[root@station7 ~]# nslookup server1.example.com
Server: 192.168.32.32
Address: 192.168.32.32#53
Non-authoritative answer:
*** Can't find server1.example.com: No answer
#视图中定义不允许对192.168.32.0/24网段中的32.37主机做递归查询,则转发服务器的缓存中如有数据记录则发生给station7,否则station7无法查询到记录
三、 Bogus Servers and Blackholes(伪装服务器和黑洞)
1、 Bogus配置(192.168.32.32)
[root@station2 ~]# cd /var/named/chroot/etc
[root@station2 etc]# vi named.conf
server 192.168.32.31 { bogus yes; }; #定义192.168.32.31是一个伪装服务器,则客户端将无法通过此服务器递归查询192.168.32.31,但192.168.32.31可查询此服务器
include "/etc/transfer2example.key";
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
allow-query-cache { any; };
allow-transfer { none; };
forwarders { 192.168.32.31; };
forward only;
};
2、 Blackhole配置
[root@station2 etc]# vi named.conf
include "/etc/transfer2example.key";
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
blackhole { 192.168.32.31; };
#定义192.168.32.31为黑洞,则192.168.32.31与本机间无法互相查询对方
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
allow-query-cache { any; };
allow-transfer { none; };
forwarders { 192.168.32.31; };
forward only;
};
四、 限制查询bind服务器的版本号和软件作者
version.bind (bind8.2 and later)
authors.bind (bind9.1.0 and later)
1、 服务器(server1)配置
[root@server1 etc]# vi named.conf
include "/etc/transfer2example.key";
options {
version "Windows 2008 DNS"; #将bind的版本号显示改成为windows 2008 dns
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
。。。。。。
};
2、 客户端(station6)查询
[root@station6 sysconfig]# dig -c chaos -t txt version.bind
或
[root@station6 sysconfig]# dig version.bind chaos txt @example.com
#可改成host -c chaos -t txt version.bind查询
#dig author.bind chaos txt @example.com 查询作者
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6 <<>> -c chaos -t txt version.bind
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4019
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;version.bind. CH TXT
;; ANSWER SECTION:
version.bind. 0 CH TXT "Windows 2008 DNS"
#该行显示bind服务器版本号为Windows 2008 DNS
;; AUTHORITY SECTION:
version.bind. 0 CH NS version.bind.
;; Query time: 2 msec
;; SERVER: 192.168.32.31#53(192.168.32.31)
;; WHEN: Thu Mar 17 00:02:08 2011
;; MSG SIZE rcvd: 73
五、 日志定义(named的日志一共有15个类)
1、 服务器配置
[root@server1 etc]# vi named.conf
logging {
channel default_query {
#channel频道告诉日志记录到哪,预定义4个channel
#channel "default_syslog" { syslog daemon; severity info; };
#channel "default_debug" { file "named.run"; severity dynamic; };
#channel "default_stderr" { stderr; severity info; };
#channel "null" { null; };
file "data/named.query";
severity info; };
category queries { default_query; };
#cateogry日志的分类,告诉我们日志如何记录,日志记录什么信息,共15个分类;
# default, general, client, config, dispatch, dnssec, lame-servers, network, notify,
queries, resolver, security, update, xfer-in, xfer-out
};
2、 客户端测试
[root@station6 sysconfig]# nslookup server1.example.com
Server: 192.168.32.31
Address: 192.168.32.31#53
Name: server1.example.com
Address: 192.168.32.31
[root@server1 etc]# tail -f ../var/named/data/named.query
#在station6查询时显示的日志信息
client 192.168.32.36#52918: view localhost_resolver: query: example.com.example.com IN A +
client 192.168.32.36#52918: view localhost_resolver: query: example.com.example.com IN AAAA +
client 192.168.32.36#40198: view localhost_resolver: query: example.com IN A +
client 192.168.32.36#40198: view localhost_resolver: query: example.com IN AAAA +
client 192.168.32.36#42788: view localhost_resolver: query: example.com.example.com IN A +
client 192.168.32.36#42788: view localhost_resolver: query: example.com.example.com IN AAAA +
client 192.168.32.36#59971: view localhost_resolver: query: server1.example.com IN A +