Securing Zone Transfers

An important aspect of DNS server configuration is securing zone transfers. On an unsecured DNS server, anyone can do a zone transfer. To limit the hosts that can do a zone transfer, you can use the allow-transfer option in the configuration of the master zone file. This option can take two parameters: the IP address of a host that is allowed to do zone transfer and an encryption key. Since IP addresses can be forged, using encryption keys is the more secure solution. To use an encryption key, you need to generate the key first. Next, you have to copy it to the configuration file on both servers. Once copied on both, the slave server can send a signed request to do zone transfer; since signed requests have to use the proper key, only hosts that have the key can do a zone transfer from that moment. The following procedure explains how to configure this:

1. Use the ndssec-keygen command to generate the key. To do this, enter the following command on either server: dnssec-keygen -a HMAC-MD5 -b 256 -n HOST zonetransfer. In this command, the -a option specifies the type of encryption that should be used. -b 256 indicates that a 256 bits key must be created. -n HOST tells the command that the key it should create is going to be used as a host key, and dnskey is the name that is given to the file that this command will create; you can choose any name you like for the filename. As the output, the command will generate a file of which the name is echoed on the next line; see Listing 23-5.

Listing 23-5. Creating DNS Security Keys

BTN:~ # dnssec-keygen -a HMAC-MD5 -b 256 -n HOST dnskey Kdnskey.+157+55660

2. As the result of the previous command, two files are created. One has the name Kdnskey.+157+55660.key; the other has the name Kzonetransfer.+157+55660.private. Of these, the .key file contains the DNS key you have to include. The private key (which is not really a private key) contains the same key and some additional information on the algorithm that has been used when creating the key. Use the cat command on either one of these files to show the contents of the key file (see Listing 23-6).

Listing 23-6. Showing the Contents of the Key File BTN:~ # cat Kdnskey.+157+55660.key dnskey. IN KEY 512 3 157 Cdk1If9CZnZNS9HnzDaAn+s/0PtV1A0xbXyv65Yq8H4=

3. Now first edit the /etc/named.conf file on the master server to add the key information. Listing 23-7 shows the relevant parts. Note that the example just adds the allow-transfer parameter for the example.com zone; make sure it is included on all domains that you want to secure with this key. Also, make sure the configuration file /etc/named.conf is readable by root only. Otherwise, unauthorized people could steal your key.

Listing 23-7. Including Key Information in the Master's named.conf File options {

key dnskey {

algorithm HMAC-MD5;

secret "Cdk1If9CZnZNS9HnzDaAn+s/0PtV1A0xbXyv65Yq8H4=";

zone "example.com" in { type master;

file "master/example.com"; allow-transfer { key dnskey;

4. Lastly, the named.conf file on the slave server needs some tuning as well. First, it needs the same section to define the key. Second, it needs a section where it specifies that if it tries to do a zone transfer with your particular master server, it should use this key. You can accomplish this by including the code shown in Listing 23-8 in the named.conf file for the slave server.

Listing 23-8. Tuning named.conf on the Slave Server for Use of the Encryption Key options{

key dnskey {

algorithm HMAC-MD5;

secret "Cdk1If9CZnZNS9HnzDaAn+s/0PtV1A0xbXyv65Yq8H4=";

dnskey;

You now can start a zone transfer from the slave server. Do this by just restarting the DNS server (rcnamed restart). Then check whether the zone files are created (or updated) in /var/lib/ named/slave on the slave server, or see whether any tsig-related errors occur in /var/log/messages, indicating that it doesn't work.

Tip Don't forget to protect your slave name servers against illegal zone transfers, because ordinarily you can do a zone transfer on a slave server as well.To do this, include the allow-transfer {none;}; option in the options of the slave server.

Was this article helpful?

0 0

Post a comment