Secure Master Slave DNS Server with DNSSEC key in Linux (RHEL/CentOS 7)


In this article I will share the steps to secure a Master Slave DNS server using DNSSEC.

DNSSEC (Domain Name System Security Extensions) applies cryptographic signatures to DNS data. In the DNS hierarchy it is a good idea to have more than one name server within a domain; in our case we have master.example.com and slave.example.com.

These name servers will be configured as master and slave name servers, and both can be contacted by clients. Normally, however, the master name server is the only one where data can be written. From the master name server there is a synchronization process called zone transfer, which can be triggered by the master (a notify) and can also be requested by the slave name server.


Security Challenges with DNS Server

  • The first challenge is spoofing. Spoofing means that somebody else pretends to be a valid name server.
  • If this name server is using a forwarder, and the forwarder is spoofed, how do you know that you are working with a spoofed name server? It becomes a little more complicated when you are contacting the root DNS name servers directly, but the problem exists there as well.
  • The named daemon itself can be compromised.
  • On a Linux box, DNS is implemented by running the BIND software, and BIND comes with the named daemon, which can be compromised.
  • Unauthorized access can be a problem.
  • Local DNS name servers often publish information about services that are available within the local environment, and you don't want just anybody within the environment to be able to access that information.


Solutions for these security challenges

  • First, there is DNSSEC. You can secure a Master Slave DNS Server using DNSSEC.
  • DNSSEC uses public/private key pairs to add signatures to the information that a name server sends out.
  • The synchronization process, the zone transfer, can also be secured with TSIG, which likewise uses keys to secure the transfer of information between the local name servers when they synchronize.
  • From within the DNS configuration you can restrict access: you can restrict recursion, you can restrict forwarding, and you can put restrictions on many other items.
  • If your DNS server is meant to serve private environments only, it is a good idea to use some of these restriction parameters.
  • There is also the option to run the bind process in a chroot jail. The idea of a chroot environment is that the process only sees the directories it needs to see and cannot traverse the entire operating system file system hierarchy.


My Setup Detail

Master DNS Server – 10.0.2.32 (master.example.com)
Slave DNS Server – 10.0.2.31 (slave.example.com)


Secure Master Slave DNS Server with DNSSEC

We will concentrate this article on securing the Master Slave DNS server with a DNSSEC key only, so that it does not become a long and boring article. Instead of identifying our DNS Master and Slave servers to each other through various directives in the configuration file, we will authenticate them with a shared key.

IMPORTANT NOTE:
Make sure the time is in sync between Master and Slave DNS Server or else you may get "failure trying master XX.XX.XX.XX#53 (source 0.0.0.0#0): clocks are unsynchronized" error.


Enable DNSSEC

So the first thing we need to do is make sure DNSSEC is enabled on both the master and the slave DNS Server under /etc/named.conf. Look for the below values in /etc/named.conf:

dnssec-enable yes;
dnssec-validation yes;


Generate Key on Master DNS Server

With dnssec-keygen we generate a key that both name servers will share, so that the master can authenticate zone transfer requests coming from the slave. Let us generate the security key for our Master DNS Server, i.e. master.example.com:

[root@master ~]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST master.example.com
Kmaster.example.com.+157+13540

Here,

-a algorithm   Selects the cryptographic algorithm. For DNSSEC keys, the value of algorithm must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are case insensitive.

-b keysize     Specifies the number of bits in the key.

-n nametype    Specifies the owner type of the key.

This command will generate two key files in the current directory, readable by root only:

[root@master ~]# ls -l Kmaster.example.com.+157+13540.*
-rw------- 1 root root  62 Jun 22 19:58 Kmaster.example.com.+157+13540.key
-rw------- 1 root root 165 Jun 22 19:58 Kmaster.example.com.+157+13540.private

Get the key from the *.private file:

[root@master ~]# cat Kmaster.example.com.+157+13540.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: yVisaOhpnWZEGaD4g+DKwg==
Bits: AAA=
Created: 20190622142816
Publish: 20190622142816
Activate: 20190622142816
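To turn the .private file into the named.conf key statement used in the next section without copy-paste mistakes, here is a small parser as an added example (not part of the original article). It assumes the file layout shown above, checks that the algorithm is one of the HMAC algorithms that TSIG accepts and that the decoded secret really is the -b size that was requested; the algorithm numbers are BIND's private-use numbers for the HMAC algorithms.

```python
import base64

# Constructed sample: the contents of the K*.private file printed in the article.
SAMPLE_PRIVATE = """Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: yVisaOhpnWZEGaD4g+DKwg==
Bits: AAA=
Created: 20190622142816
Publish: 20190622142816
Activate: 20190622142816
"""

# BIND's algorithm numbers for the HMAC (TSIG) algorithms, mapped to the
# algorithm names that named.conf expects inside a key statement.
HMAC_ALGORITHMS = {
    157: "hmac-md5",
    161: "hmac-sha1",
    162: "hmac-sha224",
    163: "hmac-sha256",
    164: "hmac-sha384",
    165: "hmac-sha512",
}


def parse_private_key(text):
    """Parse the 'Field: value' lines of a dnssec-keygen .private file."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields[name.strip()] = value.strip()
    return fields


def key_statement(name, text, expected_bits=None):
    """Render the named.conf key statement for the secret in a .private file.

    Raises ValueError if the algorithm is not a TSIG (HMAC) algorithm or if
    the decoded secret does not have the size requested with -b."""
    fields = parse_private_key(text)
    alg_num = int(fields["Algorithm"].split()[0])   # "157 (HMAC_MD5)" -> 157
    if alg_num not in HMAC_ALGORITHMS:
        raise ValueError("algorithm %d is not a TSIG (HMAC) algorithm" % alg_num)
    secret = fields["Key"]
    raw = base64.b64decode(secret, validate=True)   # also rejects a mangled secret
    if expected_bits is not None and len(raw) * 8 != expected_bits:
        raise ValueError("secret is %d bits, expected %d" % (len(raw) * 8, expected_bits))
    return 'key %s {\n    algorithm    %s;\n    secret       "%s";\n};\n' % (
        name, HMAC_ALGORITHMS[alg_num], secret)
```

Run it against the real file with `key_statement("master", open(path).read(), 128)` and paste the result into /etc/named.conf.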


Attach DNS key to named.conf on Master DNS Server

Now, to secure the Master Slave DNS Server, we must edit /etc/named.conf on the master and append the below content:

key master {
    algorithm    hmac-md5;
    secret       "yVisaOhpnWZEGaD4g+DKwg==";
};

Here replace "yVisaOhpnWZEGaD4g+DKwg==" with your key. If you used a different algorithm to generate the keys, then specify that same algorithm here.

Also modify the allow-transfer rule so that only requests signed with this key are accepted:

allow-transfer  { key master; };

Below is my sample named.conf after all the changes on the Master DNS Server:

[root@master ~]# cat /etc/named.conf

options {
        listen-on port 53 { 127.0.0.1; 10.0.2.32; };
#       listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { localhost; any; };
        allow-query-cache { localhost; any; };
        allow-transfer  { key master; };
        notify  yes;
        also-notify { 10.0.2.31; };

        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

key master {
    algorithm    hmac-md5;
    secret       "yVisaOhpnWZEGaD4g+DKwg==";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";


Modify named.conf on slave DNS server(s)

Next, to secure the Master Slave DNS Server, we need to perform a similar modification on every slave server's /etc/named.conf. Attach the DNS secure key by appending the below content to named.conf:

key master {
    algorithm    hmac-md5;
    secret       "yVisaOhpnWZEGaD4g+DKwg==";
};

Here replace "yVisaOhpnWZEGaD4g+DKwg==" with your key. If you used a different algorithm to generate the dnssec keys, then specify that same algorithm here.

Bind the key to the master server:

server 10.0.2.32 {
        keys master;
};

Here replace 10.0.2.32 with the IP of your Master DNS Server and "master" with the name of the key you defined above (in this setup it matches the master's hostname).

Below is my sample named.conf from the Slave DNS Server:

[root@slave ~]# cat /etc/named.conf
options {
        listen-on port 53 { 127.0.0.1; any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { localhost; any; };
        allow-query-cache { localhost; any; };

        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

key master {
    algorithm    hmac-md5;
    secret       "yVisaOhpnWZEGaD4g+DKwg==";
};

server 10.0.2.32 {
        keys master;
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";


Verify the Master to Slave Data Replication

Now we are done with the steps to secure the Master Slave DNS Server using the DNSSEC key, so let us validate our configuration:

On the Master DNS Server make a change in the forward zone file and bump the serial number value:

IMPORTANT NOTE:
Make sure you update the serial number (11 in the zone file below) every time you modify the zone files, or else the slave will fail to pick up the update.
[root@master ~]# vim /var/named/example.com.zone
$TTL 1D
@       IN SOA  example.com       root (
                                        11      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
                IN NS   master
master          IN A    10.0.2.32
localhost       IN A    127.0.0.1
client          IN A    10.0.2.30
slave           IN A    10.0.2.31
test            IN A    10.0.2.33

Next reload the named-chroot service on the master DNS server.

[root@master ~]# systemctl reload named-chroot

Monitor the output of /var/named/data/named.run on the Slave DNS Server:

[root@slave ~]# tail -f /var/named/data/named.run
Jun 22 23:04:03 slave named[6358]: client 10.0.2.32#4382: received notify for zone 'example.com'
Jun 22 23:04:03 slave named[6358]: zone example.com/IN: Transfer started.
Jun 22 23:04:03 slave named[6358]: transfer of 'example.com/IN' from 10.0.2.32#53: connected using 10.0.2.31#37024
Jun 22 23:04:03 slave named[6358]: zone example.com/IN: transferred serial 11: TSIG 'master'
Jun 22 23:04:03 slave named[6358]: transfer of 'example.com/IN' from 10.0.2.32#53: Transfer completed: 1 messages, 8 records, 323 bytes, 0.003 secs (107666 bytes/sec)

So the data from the Master DNS Server was successfully transferred to the Slave DNS Server, and the log line "transferred serial 11: TSIG 'master'" confirms that the transfer was authenticated with our key.
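The "TSIG 'master'" suffix in the log is the evidence that the key was actually used, so it is worth checking for it rather than just for "Transfer completed". The following is an added example (not from the article) that audits named.run lines on the slave: it reports every completed transfer, flags any that were unsigned or signed with a different key, and surfaces refresh failures such as the clock-skew error mentioned earlier. The sample log mixes the article's real lines with constructed ones for the failure cases.

```python
import re

# Constructed sample of /var/named/data/named.run: the article's signed
# transfer, plus a constructed unsigned transfer of a second zone and a
# constructed refresh failure built from the clock error quoted in the article.
SAMPLE_LOG = """\
Jun 22 23:04:03 slave named[6358]: client 10.0.2.32#4382: received notify for zone 'example.com'
Jun 22 23:04:03 slave named[6358]: zone example.com/IN: Transfer started.
Jun 22 23:04:03 slave named[6358]: zone example.com/IN: transferred serial 11: TSIG 'master'
Jun 22 23:05:10 slave named[6358]: zone internal.example/IN: transferred serial 3
Jun 22 23:06:44 slave named[6358]: zone example.com/IN: refresh: failure trying master 10.0.2.32#53 (source 0.0.0.0#0): clocks are unsynchronized
"""

# named appends ": TSIG '<key>'" to the "transferred serial" line only when
# the transfer was signed, so the key group is optional.
TRANSFERRED = re.compile(
    r"zone (?P<zone>\S+)/IN: transferred serial (?P<serial>\d+)(?:: TSIG '(?P<key>[^']+)')?")
FAILURE = re.compile(
    r"zone (?P<zone>\S+)/IN: refresh: failure trying master (?P<master>\S+) .*?: (?P<reason>.+)$")


def audit_transfers(log_text, required_key):
    """Return one finding per completed or failed zone transfer.

    A transfer is 'ok' only when it was signed with required_key."""
    findings = []
    for line in log_text.splitlines():
        m = TRANSFERRED.search(line)
        if m:
            key = m.group("key")
            if key == required_key:
                status = "ok"
            elif key is None:
                status = "unsigned"
            else:
                status = "wrong-key"
            findings.append({"zone": m.group("zone"), "serial": int(m.group("serial")),
                             "key": key, "status": status})
            continue
        m = FAILURE.search(line)
        if m:
            findings.append({"zone": m.group("zone"), "serial": None, "key": None,
                             "status": "failed: " + m.group("reason")})
    return findings


def alerts(log_text, required_key):
    """Only the findings an operator needs to act on."""
    return [f for f in audit_transfers(log_text, required_key) if f["status"] != "ok"]
```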


Lastly, I hope the steps in this article to secure a Master Slave DNS Server using DNSSEC on RHEL/CentOS 7 Linux were helpful. Let me know your suggestions and feedback in the comment section.

Deepak Prasad
