DNS & Mail in the DMZ
Jason Heiss, Collective Technologies
jheiss@ofb.net, jheiss@colltech.com
Firewall Architectures
Screening Router Architecture
Screened Subnet Architecture
DNS (Domain Name System)
Goals
• Separate internal and external DNS servers
  – Limit the information about your network that is publicly available
  – Protect the internal DNS server from attack
• Run as a separate (non-root) user
  – A successful attack on the DNS server does not give root
• Run in a chroot environment
  – A successful attack doesn't expose the entire server
Internal BIND Configuration
• named.conf:

```
options {
    forward only;
    forwarders { 1.2.3.4; 1.2.3.5; };   # the DMZ (bastion) name servers
};
zone "foo.net" {
    type master;
    file "foo.net";
};
```

• No root hints file: the internal server never talks to the Internet itself, it answers from its own zones and forwards everything else to the bastion
• Zone files contain the full internal information
DMZ BIND Configuration
• named.conf:

```
acl slaves { 10.1.2.3; 192.168.1.1; };
options {
    version "";                     # hide the BIND version from version.bind CHAOS queries
    directory "/";                  # really /var/named once chroot'd
    named-xfer "/bin/named.xfer";   # path as seen from inside the chroot
    allow-transfer { slaves; };     # zone transfers only to our own slaves
};
zone "." { type hint; file "root.hints"; };
zone "foo.net" { type master; file "foo.net"; };
```

• Zone files contain only the external hosts
Running BIND as Non-root User
• Very simple starting with BIND 8:
  – named -u bind -g bind
• The only things the bind user should be able to write are the files for slave zones
  – By default these are dumped into the main directory (from named.conf) with somewhat random names
  – That directory would therefore need to be writeable by bind
  – Best to specify an explicit filename for each slave zone in named.conf and make only those files writeable by bind
Running BIND in chroot
• Looks simple:
  – named -t /var/named
• syslog
  – A chroot'd named can't reach /var/run/log (or /dev/log, depending on the OS)
  – syslogd -l /var/named/var/run/log (the -l flag of FreeBSD's syslogd opens an extra log socket, here inside the chroot)
  – or holelogd from Obtuse Systems' utils package
• ndc
  – named creates a UNIX socket for ndc to talk to
  – mkdir -p /var/named/var/run
  – ln -s /var/named/var/run/ndc /var/run/ndc
Running BIND in chroot, cont.
• Slaves
  – BIND 8 does inbound zone transfers (this server acting as slave) by exec'ing the separate named-xfer program
  – It must therefore reside inside the chroot directory
  – It will probably need some dynamic libraries (or compile a static named-xfer); on FreeBSD, for example:
    • /usr/libexec/ld-elf.so.1
    • /usr/lib/libutil.so.3
    • /usr/lib/libc.so.4
ndc
• ndc, for the most part, works fine (reload, stop, etc.) with all of this special configuration
  – Needs the symlink from the real /var/run/ndc to the chroot's /var/run/ndc if chroot'd
• 'ndc start' fires up named with no arguments, so the options must be passed explicitly:
  – ndc start -u bind -g bind -t /var/named
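The four slides above (non-root user, chroot, named-xfer and its libraries, ndc socket) describe one procedure. The script below is an added example that carries it out end to end; it is not from the original deck. Assumed, and hypothetical: ROOT is the chroot directory (/var/named on the slides), HOST_RUN is the real /var/run in which ndc looks for its socket, a bind user and group exist (chown is skipped when not running as root), and named-xfer is at /usr/libexec/named-xfer on the host (skipped when absent). It goes slightly beyond the slides by adding an audit function that lists anything in the chroot the bind user could still write.

```shell
#!/bin/sh
# Added example, not from the original slides: lay out the chroot that
#   ndc start -u bind -g bind -t ROOT
# expects. Hypothetical assumptions: ROOT is the chroot (/var/named on the
# slides), HOST_RUN is the real /var/run where ndc looks for its socket,
# a "bind" user/group exists (chown skipped when not root), and named-xfer
# lives at /usr/libexec/named-xfer (skipped if absent).
set -u

# Copy a dynamically linked program and the shared objects ldd reports for it
# into the chroot at the same paths (e.g. /usr/lib/libc.so.4 -> ROOT/usr/lib/libc.so.4).
copy_with_libs() {
    root=$1; bin=$2; dest=$3
    [ -x "$bin" ] || { echo "skip: $bin not present" >&2; return 0; }
    mkdir -p "$root$(dirname "$dest")"
    cp "$bin" "$root$dest"
    command -v ldd >/dev/null 2>&1 || return 0
    # ldd prints "name => /path (addr)" for libraries and "/path (addr)" for the loader
    ldd "$bin" 2>/dev/null |
        awk '$2 == "=>" && $3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }' |
        while read -r lib; do
            mkdir -p "$root$(dirname "$lib")"
            cp "$lib" "$root$lib"
        done
}

# Build the tree. Only slave/ (explicitly named slave zone files) and var/run
# (the ndc socket) are writable by bind; everything else stays root-owned.
named_chroot_setup() {
    root=$1; host_run=$2
    mkdir -p "$root/etc" "$root/var/run" "$root/slave" "$root/bin"
    chmod 755 "$root" "$root/etc" "$root/var" "$root/bin"
    chmod 775 "$root/slave" "$root/var/run"
    if [ "$(id -u)" -eq 0 ]; then
        chown bind:bind "$root/slave" "$root/var/run" 2>/dev/null ||
            echo "warn: chown failed; does the bind user exist?" >&2
    fi
    copy_with_libs "$root" /usr/libexec/named-xfer /bin/named-xfer
    # named creates its control socket at ROOT/var/run/ndc; the real
    # /var/run/ndc must be a symlink to it so a non-chroot'd ndc can find it.
    mkdir -p "$host_run"
    ln -sf "$root/var/run/ndc" "$host_run/ndc"
    echo "chroot ready; start with: ndc start -u bind -g bind -t $root" >&2
}

# Audit: list anything under the chroot that is group- or world-writable,
# apart from slave/ and var/run. Empty output is the desired state.
writable_outside_slave() {
    root=$1
    find "$root" \( -path "$root/slave" -o -path "$root/var/run" \) -prune \
        -o \( -perm -020 -o -perm -002 \) -print
}

# Usage: sh this.sh setup [ROOT] [HOST_RUN]   or   sh this.sh audit [ROOT]
case "${1:-}" in
    setup) named_chroot_setup "${2:-/var/named}" "${3:-/var/run}" ;;
    audit) writable_outside_slave "${2:-/var/named}" ;;
esac
```

Point slave zones at the writable directory with `file "slave/foo.net";` in the chroot's named.conf; the audit should then print nothing, and any path it does print is a place a compromised named could plant files.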
Complications
• Subdomains
  – client.foo.net queries intradns.foo.net for host.sub.foo.net
  – intradns is forward-only, so it ignores the sub.foo.net delegation and forwards the query to the bastion host
  – The bastion host is authoritative for the (limited, external-only) foo.net zone, knows nothing about sub.foo.net, and so returns NXDOMAIN
Complications, cont.
• Subdomains, cont.
  – If you are big enough to need subdomains, you can probably afford a couple of extra PCs to separate the external (authoritative) DNS servers from the forwarders
  – A forward-only server still answers from its own zones, so making intradns master or slave for sub.foo.net also avoids the forwarded query
  – See DNS & BIND (the "DNS and Internet Firewalls" section) for an extensive discussion of the problems and solutions
Complications, cont.
• Double-reverse DNS lookups
  – Performed by many FTP sites (and other services that verify the connecting host)
  – Server looks up the hostname (PTR record) associated with the connecting IP
  – Server then looks up the IP (A record) associated with that hostname
  – This IP must match the original, or the connection is refused
  – Requires matching A and PTR records for every public IP that connects out
  – Good case for proxies or NAT/PAT (masquerading): only a handful of public addresses then need correct records
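The check itself, as an added example (not from the deck) in POSIX sh: it runs against constructed PTR and A tables so it works offline, and the hosts and addresses in those tables are made up. To test a live address, replace ptr_lookup and a_lookup with `dig +short -x "$ip"` and `dig +short "$name" A`.

```shell
#!/bin/sh
# Added example, not from the original slides: the "double-reverse" lookup
# many FTP servers perform, against constructed lookup tables (made-up hosts
# and addresses). Swap ptr_lookup/a_lookup for dig +short calls to go live.
set -u

# Constructed reverse map: "in-addr.arpa name  PTR target"
PTR_TABLE='4.3.2.1.in-addr.arpa www.foo.net
5.3.2.1.in-addr.arpa mail.foo.net
6.3.2.1.in-addr.arpa mail.foo.net
7.3.2.1.in-addr.arpa gw.foo.net'

# Constructed forward map: "hostname  A address" (a name may have several A records).
# 1.2.3.7 has a PTR (gw.foo.net) whose A record is 1.2.3.8: mismatch.
# 1.2.3.9 has no PTR at all.
A_TABLE='www.foo.net 1.2.3.4
mail.foo.net 1.2.3.5
mail.foo.net 1.2.3.6
gw.foo.net 1.2.3.8'

# Print every value recorded for key $1 in table $2, one per line.
lookup() { printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2 }'; }

# 1.2.3.4 -> 4.3.2.1.in-addr.arpa
rev_ip() { printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'; }

ptr_lookup() { lookup "$(rev_ip "$1")" "$PTR_TABLE"; }
a_lookup()   { lookup "$1" "$A_TABLE"; }

# Returns 0 when the client IP passes: IP -> PTR name -> A records, one of
# which must be the original IP. Prints the reason for a failure on stderr.
double_reverse_ok() {
    ip=$1
    name=$(ptr_lookup "$ip" | head -n 1)
    if [ -z "$name" ]; then
        echo "$ip: no PTR record" >&2
        return 1
    fi
    for a in $(a_lookup "$name"); do
        [ "$a" = "$ip" ] && return 0
    done
    echo "$ip: PTR says $name, but $name has no A record pointing back to $ip" >&2
    return 1
}

# Usage: sh this.sh 1.2.3.4 1.2.3.7 ...
for ip in "$@"; do
    if double_reverse_ok "$ip"; then echo "$ip ok"; else echo "$ip FAIL"; fi
done
```

Run it over every address your firewall or proxy can source connections from; each one that prints FAIL is a host that some FTP sites will turn away.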
Mail
Goals
• Separate internal and external mail servers
  – Protects the internal mail server(s) from attack
  – Provides a choke point at which to apply filters
    • Masquerading
    • Virus scanning
• Run as a separate user
• Run in a chroot environment
  – Sendmail does not have a built-in chroot feature
  – Would be a good idea if your MTA supports it
Internal Sendmail Configuration
• sendmail.mc:

```
FEATURE(`local_procmail')dnl
FEATURE(`mailertable')dnl
MAILER(`local')dnl
MAILER(`smtp')dnl
define(`SMART_HOST', `bastion.foo.net')dnl
```

• Everything the mailertable does not deliver locally goes out through the bastion (SMART_HOST)
Internal Sendmail Config, cont.
• /etc/mail/mailertable (deliver our own domain locally):

```
foo.net     local:
.foo.net    local:
```

• /etc/mail/relay-domains:

```
foo.net
```
DMZ Sendmail Configuration
• sendmail.mc:

```
MASQUERADE_AS(`foo.net')dnl
FEATURE(`mailertable')dnl
FEATURE(`access_db')dnl
MAILER(`smtp')dnl
define(`confRUN_AS_USER', `mail:mail')dnl
define(`confSMTP_LOGIN_MSG', `')dnl
define(`confPRIVACY_FLAGS', `goaway')dnl
```

• No MAILER(`local'): the bastion never delivers locally, it only relays
• The empty SMTP greeting and the goaway privacy flags hide the version banner and turn off VRFY, EXPN and similar information leaks
DMZ Sendmail Config, cont.
• /etc/mail/mailertable (everything for our domain goes inside to the hub):

```
foo.net     smtp:mailhub.foo.net
.foo.net    smtp:mailhub.foo.net
```

  – The bastion must be able to resolve mailhub.foo.net; if the external zone must not list it, use a bracketed address (smtp:[address]) in the mailertable
• /etc/mail/access:

```
Connect:mailhub.foo.net    RELAY
To:foo.net                 RELAY
```

  – Connect: lets the internal hub relay outbound mail through the bastion; To: accepts inbound mail for foo.net from anywhere; everything else is refused with "Relaying denied"
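To see what the two access entries and relay-domains actually permit, here is an added example (not from the deck, and not sendmail's own code): a simplified model of the relay decision in POSIX sh, run against constructed messages. It models relay-domains and Connect:/To: RELAY entries with name-based keys, plus a From: entry for contrast; real sendmail also matches client IP prefixes and applies many more rules, and it only honours From: entries with FEATURE(`relay_mail_from'), which its own documentation warns against because MAIL FROM is trivially forged. All hosts and addresses below are made up.

```shell
#!/bin/sh
# Added example, not from the original slides: a simplified model of the
# relay decision the DMZ Sendmail config makes from relay-domains and the
# access map. Name-based keys only; all hosts and addresses are made up.
set -u

RELAY_DOMAINS='foo.net'

# /etc/mail/access as on the slide
ACCESS='Connect:mailhub.foo.net RELAY
To:foo.net RELAY'

# The same map with a sender-based entry added. sendmail only uses it with
# FEATURE(relay_mail_from, domain), and warns against it: MAIL FROM is
# chosen by the connecting client, so anyone can claim to be @foo.net.
ACCESS_WEAK="$ACCESS
From:foo.net RELAY"

# Value stored for an exact key in the access map, or nothing.
access_value() { printf '%s\n' "$ACCESS" | awk -v k="$1" '$1 == k { print $2 }'; }

# Look up TAG:name, then TAG:<each parent domain>, as sendmail does for
# host and domain keys (To:foo.net also covers sales.foo.net).
access_lookup() {
    n=$2
    while [ -n "$n" ]; do
        v=$(access_value "$1:$n")
        if [ -n "$v" ]; then echo "$v"; return 0; fi
        case "$n" in *.*) n=${n#*.} ;; *) n='' ;; esac
    done
    return 1
}

# True when host/domain $1 is $2 or lies under it.
in_domain() {
    case "$1" in
        "$2"|*".$2") return 0 ;;
        *) return 1 ;;
    esac
}

# relay_decision CLIENT_HOST MAIL_FROM RCPT_TO -> prints RELAY or "Relaying denied"
relay_decision() {
    client=$1; sender=$2; rcpt=$3
    rdom=${rcpt#*@}; sdom=${sender#*@}
    # 1. Mail for a domain we handle is accepted from anyone (relay-domains, To: RELAY).
    for d in $RELAY_DOMAINS; do
        in_domain "$rdom" "$d" && { echo RELAY; return 0; }
    done
    [ "$(access_lookup To "$rdom")" = RELAY ] && { echo RELAY; return 0; }
    # 2. Otherwise the connecting host itself must be trusted (Connect: RELAY).
    [ "$(access_lookup Connect "$client")" = RELAY ] && { echo RELAY; return 0; }
    # 3. Sender-based relaying, only if someone added From: entries (none on the slide).
    [ "$(access_lookup From "$sdom")" = RELAY ] && { echo RELAY; return 0; }
    echo "Relaying denied"
    return 1
}

# Usage: sh this.sh CLIENT_HOST MAIL_FROM RCPT_TO
[ $# -eq 3 ] && relay_decision "$1" "$2" "$3"
```

The fourth case in the test below is the classic open-relay probe (an outside host with a forged @foo.net sender asking for a third-party recipient); with the slide's map it is refused, and with the From: entry added it sails through.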
Running Sendmail as Non-root User
• The queue directory should be owned by the mail user so that Sendmail can queue mail temporarily
• Otherwise the user should have no privileges
• Sendmail must still be started as root to bind port 25; confRUN_AS_USER makes it drop to mail:mail afterwards
References
• BIND
  – DNS and BIND, Albitz & Liu (O'Reilly; the "grasshopper" or Cricket book)
  – Building Internet Firewalls (O'Reilly)
  – Linux HOWTO
• Sendmail
  – www.sendmail.org (configuration information)
  – www.sendmail.net (good release notes)
  – ofb.net/~jheiss/sendmail_proxy.html
  – sendmail, Costales & Allman (O'Reilly; the "bat book")