DNS & DHCP in the 21st Century
William D. Kramp, Network Administrator
Finger Lakes Community College

Posted on 21-Dec-2015



Where is FLCC located?

Resources
DNS and BIND, 4th Edition, by Paul Albitz & Cricket Liu
Microsoft Win2000 DNS Documentation: http://www.microsoft.com/TechNet/win2000/win2ksrv/reskit/tcpch06.asp
Copy of the PowerPoint presentation: http://paws.flcc.edu/~krampwd/presentations/DNS/index.htm

Presentation Topics
BIND 9.1.x DNS Features
BIND 9.1.x Diagnostic Tools
DNS Security Practices
DNS Security Extensions
DNS and DHCP with Win2000

What is DNS?
DNS stands for Domain Name System. A distributed database that matches domain names to IP numbers.
Developed in the mid-1980's to replace the use of the hosts file.

BIND 9.1.x DNS Features
Multiple Views
Multiprocessor Support
IP Version 6: A6, DNAME, Bitstring Labels
Functional DNSSEC

BIND 9.1.x - Diagnostic Tools
named-checkconf: checks the configuration file (named.conf) for syntax errors.
named-checkzone: checks a specified zone file for syntax errors.
Example: named-checkzone flcc.edu /path/db.flcc

DNS Security Practices
Operating System Security
Restricting Access
Transaction Signatures (TSIG)
List of BIND vulnerabilities: http://www.isc.org/products/BIND/bind-security.html

A Popular Port to Probe
On dShield's web site, http://www.dshield.org, DNS was the single most probed port at 13%, with port 111 (rpc) second at 7% on June 13, 2001.
dShield takes reports from a range of sources, from firewalls like Cisco and ipchains to IDSs like Snort and ZoneAlarm.
dShield Probe Graph (chart not reproduced in the transcript)

Other Monitoring Sites
http://www.mynetwatchman.com
http://www.incidents.org (SANS)
SANS runs the Consensus Intrusion Database, which compiles information from dShield, mynetwatchman, and other data sources.

Operating System Security
Chroot the DNS server: trap the name server in a subdirectory of the file system, so a compromised named can only reach files under that directory.
Least Privilege: named normally runs as root. Change its owner and group to a user with lower privileges after it has bound to port 53.

DNS Security Practices
Hiding the BIND version.
Restricting: Query Requests, Recursion, Zone Transfers, Notify.
Sending DNS requests to the Blackhole.

Security by Obscurity
Stop BIND from providing a version number. Publishing the version makes it easier for Black Hats to find vulnerable servers.
Command that reveals the version: dig @IP# txt chaos version.bind
In the options section: version "FLCC BIND";

Restricting Query Access
allow-query: restricts who can look up information in local zones. This could be used to allow only local users to look at an internal DNS (view).
Example: allow-query { 172.19/16; };

Restricting Recursion
allow-recursion: restricts who can use the DNS server for recursive lookups. Leaving this open allows any remote user to consume your DNS resources by resolving names through your server.
Example: allow-recursion { 192.156.234/24; 199.29.9/24; };

Restricting Zone Transfer
allow-transfer: restricts which secondary DNS servers can perform zone transfers. You don't want to give the Black Hats a road map of your site.
Example: allow-transfer { 172.20.1.2; 172.20.1.3; };
or allow-transfer { none; };

Restricting Notify
allow-notify: the primary server can send a NOTIFY message to the secondary to initiate a zone transfer. If any host may send NOTIFY, a third party could launch a DoS attack by causing the secondary to repeatedly query the primary server.
Example: allow-notify { 172.20.1.1; };

Restricting Dynamic Update
allow-update: allows the DNS zones to be updated with new Resource Records (RR). Win2000 depends on this feature to operate, but it could also be used by clients for unauthorized additions to and deletions from the zone.
Example: allow-update { none; };

Blackhole
The blackhole command lets you ignore any DNS requests or commands from a single IP or a list of IP ranges. It could also be used to block RFC1918 reserved addresses, multicast, etc.
Example: blackhole { 172.21.0.0/16; };
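Putting the restrictions from the preceding slides together, here is an added example (not from the original presentation) of a BIND 9 named.conf that uses the prefixes shown above; the zone name comes from the SRV slides later in the talk, while the file name and the "bogus" ACL contents are assumptions for illustration:

```conf
// Added example, not from the original presentation: a BIND 9 named.conf
// applying the version, allow-*, and blackhole restrictions from the slides.
acl "campus"      { 172.19.0.0/16; 192.156.234.0/24; 199.29.9.0/24; };
acl "secondaries" { 172.20.1.2; 172.20.1.3; };
acl "bogus" {
    0.0.0.0/8; 127.0.0.0/8;        // "this" network and loopback as a source
    224.0.0.0/4;                   // multicast
    10.0.0.0/8; 192.168.0.0/16;    // RFC1918 space this campus does not use
    // 172.16.0.0/12 is deliberately NOT listed: the campus's own 172.19-172.21
    // networks live inside it, and blackhole drops packets from matched sources.
};

options {
    directory "/var/named";          // assumed path
    version "FLCC BIND";             // hide the real version from CHAOS queries
    allow-query     { campus; };     // only local users may look up local zones
    allow-recursion { campus; };     // do not be an open recursive resolver
    allow-transfer  { secondaries; };// no zone "road map" for outsiders
    allow-notify    { 172.20.1.1; }; // a secondary accepts NOTIFY only from its primary
    allow-update    { none; };       // refuse dynamic updates everywhere by default
    blackhole       { bogus; };      // silently drop traffic from these sources
};

// Per-zone statements override the global defaults: a zone that must accept
// Win2000 dynamic updates can permit them from the library network only.
zone "library.flcc.edu" {
    type master;
    file "db.library";               // assumed file name
    allow-update { 172.21.0.0/16; };
};
```

Run named-checkconf on the result before reloading; a per-zone allow-update still grants any host in that range the right to add or delete records, which is why the narrowest range that covers the Win2000 clients should be used.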

Transaction Signatures (TSIG)
TSIG uses a one-way hash function with a shared key for authenticating DNS responses and updates.
Only useful between a small number of servers.
A compromised server would expose the shared key of all the servers.
Used when IP-based security is not enough.
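An added example, not from the original presentation, of using a TSIG key to protect zone transfers between the primary and secondary addresses from the earlier slides: the key name and secret are constructed placeholders, and hmac-md5 is assumed because it was the TSIG algorithm BIND 9.1 supported (newer releases also offer hmac-sha256).

```conf
// Added example, not from the original presentation. The same key statement,
// with the same secret, must appear in named.conf on BOTH servers.
// Generate a real secret with: dnssec-keygen -a HMAC-MD5 -b 128 -n HOST <name>
key "primary-secondary.flcc.edu" {
    algorithm hmac-md5;
    secret "c2VjcmV0LWtleS1wbGFjZWhvbGRlcg==";   // constructed placeholder, not a real key
};

// ---- named.conf on the primary, 172.20.1.1 ----
// Transfers are allowed only when the request is signed with the key, so a
// spoofed source address alone is no longer enough to pull the zone.
options {
    allow-transfer { key "primary-secondary.flcc.edu"; };
};

// ---- named.conf on the secondary, 172.20.1.2 ----
// Everything sent to the primary (SOA refresh queries and the AXFR/IXFR
// request itself) is signed with the key.
server 172.20.1.1 {
    keys { "primary-secondary.flcc.edu"; };
};
```

Because one shared secret is used by every server that holds it, keep the key statement in a file readable only by the named user and issue a separate key per primary/secondary pair rather than one campus-wide key.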

DNS Security Extensions (DNSSEC)
RFC2535; updates: RFC3008, RFC3090, RFC3110.
Available in BIND 8.2, but not fully functional.
Public Key Cryptography: key pairs, one public, one private.

DNSSEC Information
DNS Records: KEY, SIG, NXT
Chain of Trust

DNS KEY Record
The KEY record is used to publish a public key. The KEY record can also be used for other purposes, like e-mail encryption.
Various algorithms: RSA/MD5, Diffie-Hellman, DSA.

DNS SIG Record
The SIG (Signature) record holds the digital signature of an RRset, made with the zone's private key.
RRset: a Resource Record set is a collection of resource records with the same name, type and class.
Used with Dynamic DNS.

DNS NXT Record
The NXT record is sent in response to a failed query. It provides a list of the record types that exist for the queried name, plus the next domain name in the list.
The list is composed of all the domain names in the zone, sorted in dictionary order, case-insensitively.

Chain of Trust
Each RRset in a secure zone has a SIG record.
The public KEY record is used to verify the SIG record.
The public KEY record is certified by a higher authority (the .edu zone).
The KEY record of the .edu zone is certified by the root servers.

DNS and DHCP with Win2000
DNS and DHCP are the backbone of the operation of Windows 2000. LDAP and Kerberos also play a big part in forming Active Directory (AD).
Wave goodbye to WINS and browsing!!!

Windows Dynamic DNS
An RFC-compliant DNS service. Windows relies on dynamic DNS to operate. Win2000 clients and servers register with the DNS server to provide a name and the corresponding IP number. They also register service (SRV) record information as needed.

SRV Records
SRV records are used for locating services.
Example: _ldap._tcp.library.flcc.edu
The first label specifies the ldap service. The second label specifies the protocol. The domain name is then listed.

SRV Records, Part 2
Static IP numbers don't have to be assigned to the servers, since they will be dynamically registered in the zone.
Problem: some network devices can only use static IP numbers for connecting to the servers.

Sample of Library DNS Zone
_ldap._tcp      600 SRV 0 100 389 dale.library.
                600 SRV 0 100 389 chip.library.
_kerberos._udp  600 SRV 0 100 88  dale.library.
                600 SRV 0 100 88  chip.library.
chip            900 A   172.21.4.7
dale            900 A   172.21.4.9
library1        900 A   172.21.4.10
library10       900 A   172.21.4.14

Windows DHCP Security
Windows supports several features for securing DNS and DHCP.
Windows 2000 DHCP servers cannot hand out IPs without first being registered (authorized) with the local AD server.
They can also detect and log the IP of rogue DHCP servers.

Windows Dynamic Update
During the DHCP process, the Win2000 client sends the DHCP server a DHCPREQUEST packet with the FQDN option.
The FQDN option has several flags that indicate whether the client will register with the DNS server, or whether the DHCP server should do it.

Registering with DDNS
If the Windows 2000 client performs the registration with the Dynamic DNS server itself, it first checks whether there is already an address record registered for the domain name, or an alias.
If neither exists, it sends a dynamic update to the DDNS server.

Non-Win2000 Client Updates
Clients that are not running Windows 2000 (Win95/98, NT, Linux, Macs) will not send the FQDN option.
If the DHCP server is configured to perform the dynamic update, it will automatically do so on behalf of the client.

Statically Configured Win2000
Windows 2000 clients that are statically configured with an IP address will still dynamically update the DNS server.
Every 24 hours, or after a reboot, the Win2000 clients (and servers) attempt to register their A, PTR, and other Resource Records.

Secure Dynamic Update
Normal dynamic DNS updates are open for abuse. Microsoft offers a secure update service which uses a GSS algorithm for TSIG (an IETF Internet-Draft).
It uses Kerberos for authentication. It won't work with non-Win2000 clients.

Stale DNS Records
Over time, dynamic DNS entries will be left behind in the zones. Clients and DHCP servers are supposed to remove their Resource Records automatically.
But if clients are not shut down properly, or if the network is disrupted, the records stay behind.

Scavenging DNS Records
Windows 2000 DNS servers can be set to scavenge stale DNS records, but it is not the default setting.
Be sure you understand all the ramifications before enabling it: a scavenged record that was still in use simply disappears from the zone.
Scavenging can be enabled per server, per zone, or per record.