BIND Part 2 (BIND Configuration) – pschiu, Computer Center, CS, NCTU – PowerPoint PPT Presentation



  1. BIND Part 2 pschiu

  2. BIND Configuration – named.conf view (1)
  • The "view" statement
    - Creates a different view of the DNS naming hierarchy for internal machines
      - Restrict the external view to a few well-known servers
      - Supply additional records to internal users
    - Also called "split DNS"
    - In-order processing
      - Put the most restrictive view first
    - All-or-nothing
      - Once you use views, all zone statements in your named.conf file must appear inside a view

  3. BIND Configuration – named.conf view (2)
  • Syntax
        view view-name {
            match-clients { address_match_list; };
            view_options;
            zone_statement;
        };
  • Example
        view "internal" {
            match-clients { our_nets; };
            recursion yes;
            zone "cs.nctu.edu.tw" {
                type master;
                file "named-internal-cs";
            };
        };
        view "external" {
            match-clients { any; };
            recursion no;
            zone "cs.nctu.edu.tw" {
                type master;
                file "named-external-cs";
            };
        };

  4. BIND Configuration – named.conf controls
  • The "controls" statement
    - Specifies how the named server listens for control messages (sent by rndc)
    - Syntax
        controls {
            inet ip_addr allow { address_match_list; } keys { key-id; };
        };
    - Example
        // contents of /etc/named/rndc.key
        key "rndc_key" {
            algorithm hmac-md5;
            secret "GKnELuie/G99NpOC2/AXwA==";
        };

        // in named.conf
        include "/etc/named/rndc.key";
        controls {
            inet 127.0.0.1 allow { 127.0.0.1; } keys { rndc_key; };
        };
  • rndc SYNOPSIS
        rndc [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

  5. Updating zone files
  • Master
    - Edit the zone files
      - Increase the serial number
      - Update both the forward and the reverse zone file for a single IP
    - Do "rndc reload"
      - If "notify" is on, the slave will be notified about the change
      - If "notify" is off, wait for the refresh timeout, or do "rndc reload" on the slave
  • Zone transfer
    - DNS zone data synchronization between master and slave servers
    - AXFR (all zone data are transferred at once; the only method before BIND 8.2)
    - IXFR (incremental zone transfer)
    - Uses TCP port 53

  6. Non-byte boundary (1)
  • In the normal reverse configuration:
    - named.conf defines a zone statement for each reverse subnet zone
    - Your reverse db will contain lots of PTR records
    - Example named.conf:
        zone "1.168.192.in-addr.arpa." {
            type master;
            file "named.rev.1";
            allow-query { any; };
            allow-update { none; };
            allow-transfer { localhost; };
        };
    - Example named.rev.1:
        $TTL 3600
        $ORIGIN 1.168.192.in-addr.arpa.
        @       IN SOA  lwhsu.csie.net. lwhsu.lwhsu.csie.net. (
                        2007050401 ; Serial
                        3600       ; Refresh
                        900        ; Retry
                        7D         ; Expire
                        2H )       ; Minimum
                IN NS   ns.lwhsu.csie.net.
        254     IN PTR  ns.lwhsu.csie.net.
        1       IN PTR  www.lwhsu.csie.net.
        2       IN PTR  ftp.lwhsu.csie.net.
        …

  7. Non-byte boundary (2)
  • What if you want to delegate 192.168.2.0 to another sub-domain?
    - Parent
      - Remove the forward records for the 192.168.2.0/24 network from the forward db
        - Ex:
            pc1.lwhsu.csie.net.   IN A  192.168.2.35
            pc2.lwhsu.csie.net.   IN A  192.168.2.222
            …
      - Remove the records for 2.168.192.in-addr.arpa from the reverse db
        - Ex:
            35.2.168.192.in-addr.arpa.    IN PTR  pc1.lwhsu.csie.net.
            222.2.168.192.in-addr.arpa.   IN PTR  pc2.lwhsu.csie.net.
            …
      - Add glue records for the name servers of the sub-domain
        - Ex: in the zone db of "lwhsu.csie.net"
            sub1      IN NS  ns.sub1.lwhsu.csie.net.
            ns.sub1   IN A   192.168.2.1
        - Ex: in the zone db of "168.192.in-addr.arpa."
            2         IN NS  ns.sub1.lwhsu.csie.net.
            ns.sub1   IN A   192.168.2.1   ; note: relative to this zone's origin the owner name is
                                           ; ns.sub1.168.192.in-addr.arpa.; the glue A record that
                                           ; resolvers use is the one in the lwhsu.csie.net zone above

  8. Non-byte boundary (3)
  • What if you want to delegate 192.168.3.0 to four sub-domains (each a /26 network)?
    - 192.168.3.0 ~ 192.168.3.63     -> ns.sub1.lwhsu.csie.net.
    - 192.168.3.64 ~ 192.168.3.127   -> ns.sub2.lwhsu.csie.net.
    - 192.168.3.128 ~ 192.168.3.191  -> ns.sub3.lwhsu.csie.net.
    - 192.168.3.192 ~ 192.168.3.255  -> ns.sub4.lwhsu.csie.net.
  • The forward setting is easy
    - In the zone db of lwhsu.csie.net:
        sub1      IN NS  ns.sub1.lwhsu.csie.net.
        ns.sub1   IN A   192.168.3.1
        sub2      IN NS  ns.sub2.lwhsu.csie.net.
        ns.sub2   IN A   192.168.3.65
        …

  9. Non-byte boundary (4)
  • Non-byte boundary reverse setting
    - Method 1: in the parent zone 3.168.192.in-addr.arpa., delegate every single address as its own zone
        $GENERATE 0-63    $.3.168.192.in-addr.arpa.  IN NS ns.sub1.lwhsu.csie.net.
        $GENERATE 64-127  $.3.168.192.in-addr.arpa.  IN NS ns.sub2.lwhsu.csie.net.
        $GENERATE 128-191 $.3.168.192.in-addr.arpa.  IN NS ns.sub3.lwhsu.csie.net.
        $GENERATE 192-255 $.3.168.192.in-addr.arpa.  IN NS ns.sub4.lwhsu.csie.net.
      And on the sub-domain server (ns.sub1), one zone per address in named.conf:
        zone "1.3.168.192.in-addr.arpa." {
            type master;
            file "named.rev.192.168.3.1";
        };
      with the zone file:
        ; named.rev.192.168.3.1
        ; SOA timers are separated by whitespace, not ";" (";" starts a comment in a zone file)
        @   IN SOA  sub1.lwhsu.csie.net. root.sub1.lwhsu.csie.net. ( 1 3h 1h 1w 1h )
            IN NS   ns.sub1.lwhsu.csie.net.
            ; the PTR record for 192.168.3.1 goes here

  10. Non-byte boundary (5)
    - Method 2: in the parent zone, point each address at a CNAME in a per-range zone and delegate that zone
        $ORIGIN 3.168.192.in-addr.arpa.
        $GENERATE 1-63    $ IN CNAME $.0-63.3.168.192.in-addr.arpa.
        0-63.3.168.192.in-addr.arpa.      IN NS ns.sub1.lwhsu.csie.net.
        $GENERATE 65-127  $ IN CNAME $.64-127.3.168.192.in-addr.arpa.
        64-127.3.168.192.in-addr.arpa.    IN NS ns.sub2.lwhsu.csie.net.
        $GENERATE 129-191 $ IN CNAME $.128-191.3.168.192.in-addr.arpa.
        128-191.3.168.192.in-addr.arpa.   IN NS ns.sub3.lwhsu.csie.net.
        $GENERATE 193-255 $ IN CNAME $.192-255.3.168.192.in-addr.arpa.
        192-255.3.168.192.in-addr.arpa.   IN NS ns.sub4.lwhsu.csie.net.
      On the sub-domain server (ns.sub1), in named.conf:
        zone "0-63.3.168.192.in-addr.arpa." {
            type master;
            file "named.rev.192.168.3.0-63";
        };
      with the zone file:
        ; named.rev.192.168.3.0-63
        @   IN SOA  sub1.lwhsu.csie.net. root.sub1.lwhsu.csie.net. ( 1 3h 1h 1w 1h )
            IN NS   ns.sub1.lwhsu.csie.net.
        1   IN PTR  www.sub1.lwhsu.csie.net.
        2   IN PTR  abc.sub1.lwhsu.csie.net.
        …

  11. BIND Security

  12. Security – named.conf security configuration
  • Security configuration
        Feature          Config. statement    Comment
        allow-query      options, zone        Who can query
        allow-transfer   options, zone        Who can request zone transfer
        allow-update     zone                 Who can make dynamic updates
        blackhole        options              Which servers to completely ignore
        bogus            server               Which servers should never be queried

  13. Security – With TSIG (1)
  • TSIG (Transaction SIGnature)
    - Developed by the IETF (RFC 2845)
    - Symmetric-key scheme (a shared secret used with an HMAC) to sign and validate DNS requests and responses between servers
    - Algorithms in BIND 9
      - HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512
    - Usage
      - Prepare the shared key with dnssec-keygen
      - Edit the "key" statement
      - Edit the "server" statement to use that key
      - Edit the "zone" statement to use that key with:
        - allow-query
        - allow-transfer
        - allow-update

  14. Security – With TSIG (2)
  • TSIG example (dns1 with dns2)
    1. Generate the shared key
        % dnssec-keygen -a HMAC-MD5 -b 128 -n HOST cs
        Kcs.+157+35993
        % cat Kcs.+157+35993.key
        cs. IN KEY 512 3 157 oQRab/QqXHVhkyXi9uu8hg==
        % cat Kcs.+157+35993.private
        Private-key-format: v1.2
        Algorithm: 157 (HMAC_MD5)
        Key: oQRab/QqXHVhkyXi9uu8hg==
    2. Edit /etc/named/dns1-dns2.key
        key "dns1-dns2" {
            algorithm hmac-md5;
            secret "oQRab/QqXHVhkyXi9uu8hg==";
        };
    3. Edit the named.conf of both dns1 and dns2
       - Suppose dns1 = 140.113.235.107 and dns2 = 140.113.235.103
       - On dns1:
            include "dns1-dns2.key";
            server 140.113.235.103 {
                keys { dns1-dns2; };
            };
       - On dns2:
            include "dns1-dns2.key";
            server 140.113.235.107 {
                keys { dns1-dns2; };
            };

  15. Security – With TSIG (3)

  16. Security – Securing zone transfer
  • Securing zone transfer with an ACL
        zone "example.com" in {
            type master;
            file "host";
            allow-transfer { trusted; 192.168.10.2; };
        };

  17. Security – Securing zone transfer
  • Securing zone transfer with a key (Master)

  18. Security – Securing zone transfer
  • Securing zone transfer with TSIG (Slave)

  19. Security – Securing dynamic update
  • Securing dynamic update with an ACL

  20. Security – Securing dynamic update
  • Securing dynamic update with TSIG
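Slides 17 to 20 carried only configuration screenshots. The following is an added example, not the slides' own configuration, of what those four slides describe: a master whose zone transfers and dynamic updates are restricted by ACL and TSIG, and a slave that requests signed transfers. The dns1/dns2 addresses and the key name dns1-dns2 are taken from slide 14; the zone name comes from slide 3; the ACL range, file paths and the "slave/" directory are assumptions.

```conf
// ---- dns1 (master, 140.113.235.107): named.conf ----
include "/etc/named/dns1-dns2.key";     // key "dns1-dns2" { algorithm hmac-md5; secret "..."; };
acl "trusted" { 140.113.235.0/24; };    // assumed internal range, used by the ACL-only variant

server 140.113.235.103 {                // sign every message sent to dns2 (NOTIFY, SOA, AXFR/IXFR)
    keys { dns1-dns2; };
};

zone "cs.nctu.edu.tw" {
    type master;
    file "named-internal-cs";
    notify yes;
    also-notify { 140.113.235.103; };
    // Securing zone transfer with a key (slide 17): only AXFR/IXFR requests carrying a valid
    // dns1-dns2 signature are answered; an unsigned request from 140.113.235.103 is refused.
    allow-transfer { key dns1-dns2; };
    // Securing dynamic update with TSIG (slide 20). The ACL-only variant of slide 19 would be
    //     allow-update { trusted; };
    // Listing both entries ("trusted; key dns1-dns2;") accepts an update if EITHER matches.
    allow-update { key dns1-dns2; };
};

// ---- dns2 (slave, 140.113.235.103): named.conf ----
include "/etc/named/dns1-dns2.key";

server 140.113.235.107 {                // sign every message sent to dns1 (SOA refresh, AXFR/IXFR)
    keys { dns1-dns2; };
};

zone "cs.nctu.edu.tw" {
    type slave;
    file "slave/named-cs";              // assumed path; must be writable by the named user
    masters { 140.113.235.107 key dns1-dns2; };   // transfer requests are signed with the key
    allow-transfer { none; };           // the slave hands out no copy of the zone (slide 18)
    allow-update { none; };             // dynamic updates are accepted by the master only
};
```

A client submits a signed update with nsupdate -k Kcs.+157+35993.private (the key file from slide 14); newer BIND releases create TSIG keys with tsig-keygen and prefer hmac-sha256 over the hmac-md5 used on the slide.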

  21. Security – Attacks
  • Cache poisoning
  • Recursion denial-of-service attacks
  • Reflection/amplification attacks
  • Zone transfer attacks
  • Buffer overflow attacks
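Against the attack list on this slide, here is an added example (not from the slides) of the named.conf options a defender sets, each tied to the attack it limits. The ACL name our_nets comes from slide 3 and the slave address from slide 14; the address range and file paths are assumptions.

```conf
acl "our_nets" { 140.113.235.0/24; 127.0.0.1; };   // assumed internal range (name from slide 3)

options {
    directory "/etc/named";
    version "not disclosed";              // harder to pick a buffer-overflow exploit by version string

    // Recursion DoS and reflection/amplification: recurse only for internal clients
    recursion yes;
    allow-recursion { our_nets; };
    allow-query-cache { our_nets; };
    allow-query { any; };                 // authoritative data stays public

    // Reflection/amplification: cap identical answers per client address, keep answers small
    rate-limit { responses-per-second 10; };
    minimal-responses yes;

    // Zone transfer attacks: nothing is transferable unless a zone statement says so
    allow-transfer { none; };

    // Cache poisoning: validate DNSSEC-signed data and keep source-port randomization.
    // Do NOT set "query-source ... port 53": a fixed port leaves only the 16-bit query ID
    // for an attacker to guess (slides 28 and 29).
    dnssec-validation auto;
};

zone "cs.nctu.edu.tw" {
    type master;
    file "named-external-cs";
    allow-transfer { 140.113.235.103; };  // per-zone exception for the slave from slide 14
};
```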

  22. Security – Cache poisoning
  • A normal resolving process

  23. Security – Cache poisoning
  • DNS packet on the wire

  24. Security – Cache poisoning
  • Query from resolver to NS

  25. Security – Cache poisoning

  26. Security – Cache poisoning

  27. Security – Cache poisoning
  • Bailiwick checking: a response record is cached only if it is within the same domain as the query (a.com cannot set NS for b.com)

  28. Security – Cache poisoning
  • Guessing the query ID

  29. Security – Cache poisoning
  • Flooding

  30. Security – Cache poisoning
  • Easier to understand: https://www.checkpoint.com/defense/advisories/public/dnsvideo/
