In this article I will share the steps to secure a master/slave DNS server setup using DNSSEC.
DNSSEC (Domain Name System Security Extensions) is cryptographic security applied to DNS. In the DNS hierarchy it is a good idea to have more than one name server within a domain; in our case we have master.example.com and slave.example.com.
These name servers will be configured as master and slave name servers, and both can be contacted by clients. Normally, however, the master is the only name server where zone data can be written. From the master there is a synchronization process called zone transfer, which can be triggered by the master (via a notify) or requested by the slave name server.
Security Challenges with DNS Server
- The first challenge is spoofing: somebody else pretends to be a valid name server.
- If this name server is using a forwarder and the forwarder is spoofed, how do you know that you are talking to a spoofed name server? It becomes a little more complicated when you contact the root DNS name servers directly, but the problem exists there as well.
- The named daemon itself can be compromised.
- On a Linux box, DNS is implemented by running the BIND software, which ships the named daemon, and that daemon can be compromised.
- Unauthorized access can be a problem.
- Local DNS name servers often publish information about the services available within the local environment, and you don't want just anybody within the environment to be able to read that information.
Solutions for these security challenges
- First, there is DNSSEC. You can secure a master/slave DNS setup using DNSSEC.
- DNSSEC uses public/private key pairs to add signatures to the information that a name server sends out.
- The synchronization process, the zone transfer, can also be secured with TSIG, which uses a shared key to authenticate the transfer of information between the locally running name servers while they synchronize.
- From within the DNS configuration you can restrict access: you can restrict recursion, restrict forwarding, and put restrictions on many other items.
- If your DNS server is meant to serve private environments only, it's a good idea to use some of these restriction parameters.
- And there is the option to run the bind process in a chroot jail. The idea of a chroot environment is that the process sees only the directories it needs and cannot traverse the entire operating system file system hierarchy.
My Setup Detail
Master DNS Server – 10.0.2.32 (master.example.com)
Slave DNS Server – 10.0.2.31 (slave.example.com)
Secure Master Slave DNS Server with DNSSEC
To keep this article short we will concentrate on securing the master/slave zone transfer with the key only. Instead of identifying the master and slave servers to each other purely through IP-based arguments in the configuration file, we will use a key generated with dnssec-keygen.
XX.XX.XX.XX#53 (source 0.0.0.0#0): clocks are unsynchronized" error.
Enable DNSSEC
So the first thing we need to do is make sure DNSSEC is enabled on the master and slave DNS servers in /etc/named.conf. Look for the values below in /etc/named.conf:
dnssec-enable yes;
dnssec-validation yes;
These two options control DNSSEC validation of the answers named receives (on BIND 9.16 and later dnssec-enable is obsolete and can be omitted); they are independent of the transfer key configured in the following steps.
Generate Key on Master DNS Server
With this key you can sign the data exchanged between your DNS servers. Note that an HMAC key generated with -n HOST is a TSIG shared secret: it authenticates the zone transfer between master and slave (the transfer log at the end of this article reports TSIG 'master'), whereas DNSSEC zone signing proper uses the public/private key pairs described above. Let us generate the key for our master DNS server, master.example.com:
[root@master ~]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST master.example.com
Kmaster.example.com.+157+13540
Here,
-a algorithm: Selects the cryptographic algorithm. For DNSSEC keys, the value of algorithm must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are case insensitive.
-b keysize: Specifies the number of bits in the key.
-n nametype: Specifies the owner type of the key.
HMAC-MD5 is used here to match the rest of the article; for new deployments prefer HMAC-SHA256, which current BIND releases recommend (whichever algorithm you pick must be named identically in the key stanzas below).
This command generates two files in the current directory:
[root@master ~]# ls -l Kmaster.example.com.+157+13540.*
-rw------- 1 root root 62 Jun 22 19:58 Kmaster.example.com.+157+13540.key
-rw------- 1 root root 165 Jun 22 19:58 Kmaster.example.com.+157+13540.private
Get the key from the *.private file:
[root@master ~]# cat Kmaster.example.com.+157+13540.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: yVisaOhpnWZEGaD4g+DKwg==
Bits: AAA=
Created: 20190622142816
Publish: 20190622142816
Activate: 20190622142816
Attach DNS key to named.conf on Master DNS Server
Now to secure the master/slave DNS servers we must edit /etc/named.conf and append the content below:
key master {
algorithm hmac-md5;
secret "yVisaOhpnWZEGaD4g+DKwg==";
};
Here replace "yVisaOhpnWZEGaD4g+DKwg==" with your key. If you used a different algorithm to generate the key then define the same algorithm type here. This secret is what authorizes a zone transfer, so it should exist only on the master and its slaves, in files readable by named alone.
Also modify the allow-transfer rule so that only transfer requests signed with this key are accepted:
allow-transfer { key master; };
Below is my sample named.conf after all the changes on the Master DNS Server:
[root@master ~]# cat /etc/named.conf
options {
        listen-on port 53 { 127.0.0.1; 10.0.2.32; };
#       listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { localhost; any; };
        allow-query-cache { localhost; any; };
        # zone transfers only for requests signed with the TSIG key "master"
        allow-transfer  { key master; };
        notify yes;
        also-notify { 10.0.2.31; };
        # recursion yes together with allow-query { any; } makes this an open
        # resolver; restrict it (see the restriction notes above) unless the
        # server is reachable from trusted networks only
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

key master {
        algorithm hmac-md5;
        secret "yVisaOhpnWZEGaD4g+DKwg==";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Modify named.conf on slave DNS server(s)
Next, to secure the master/slave DNS servers we need to perform a similar modification in /etc/named.conf on all our slave servers: attach the key by appending the content below to named.conf:
key master {
algorithm hmac-md5;
secret "yVisaOhpnWZEGaD4g+DKwg==";
};
Here replace "yVisaOhpnWZEGaD4g+DKwg==" with your key. If you used a different algorithm to generate the key then define the same algorithm type here.
Bind the key to the master server, so that the slave signs every request it sends to the master with it:
server 10.0.2.32 {
keys master;
};
Here replace 10.0.2.32 with the IP of your Master DNS Server and "master" with the name of the key you defined above.
Below is my sample named.conf from the Slave DNS Server:
[root@slave ~]# cat /etc/named.conf
options {
        listen-on port 53 { 127.0.0.1; any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { localhost; any; };
        allow-query-cache { localhost; any; };
        # as on the master, recursion open to any client should be restricted
        # unless this server is private
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

key master {
        algorithm hmac-md5;
        secret "yVisaOhpnWZEGaD4g+DKwg==";
};

# sign all requests sent to the master with the key "master"
server 10.0.2.32 {
        keys master;
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
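Before reloading named it is worth checking that the two files agree. The following is an added Python example, not code from the article: it parses constructed named.conf fragments modelled on the master and slave files above and reports an allow-transfer rule that is not restricted to a key, a missing server stanza on the slave, a secret or algorithm that differs between the two servers, and use of hmac-md5. The regexes assume the one-line key and server stanza forms used in this article, not the full named.conf grammar.

```python
import re

# Constructed named.conf fragments modelled on the master and slave configs in
# this article (sample secret, not a real one).
MASTER_CONF = """
options {
    listen-on port 53 { 127.0.0.1; 10.0.2.32; };
    allow-transfer { key master; };
};
key master { algorithm hmac-md5; secret "yVisaOhpnWZEGaD4g+DKwg=="; };
"""
SLAVE_CONF = """
key master { algorithm hmac-md5; secret "yVisaOhpnWZEGaD4g+DKwg=="; };
server 10.0.2.32 { keys master; };
"""
# Minimal regexes for the stanza shapes used in this article (not a full parser)
KEY_RE = re.compile(r'key\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]+)"\s*;\s*\}')
TRANSFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')
SERVER_RE = re.compile(r'server\s+([\d.]+)\s*\{\s*keys\s+"?([\w.-]+)"?\s*;\s*\}')

def parse_keys(conf):
    """Map key name -> (algorithm, secret) for every key stanza in conf."""
    return {name: (alg.lower(), secret) for name, alg, secret in KEY_RE.findall(conf)}

def check_transfer_policy(master_conf, slave_conf, master_ip):
    """Return a list of findings; an empty list means the TSIG setup is consistent."""
    findings = []
    mkeys, skeys = parse_keys(master_conf), parse_keys(slave_conf)
    # Master side: AXFR must be limited to requests signed with a key
    m = TRANSFER_RE.search(master_conf)
    if not m:
        findings.append("master: no allow-transfer restriction found")
    else:
        acl = [t.strip() for t in m.group(1).split(';') if t.strip()]
        key_names = [t.split()[1].strip('"') for t in acl if t.startswith('key ')]
        if not key_names:
            findings.append(f"master: allow-transfer {{ {'; '.join(acl)}; }} is not restricted to a TSIG key")
    # Slave side: requests to the master must be signed with the same key and secret
    skey = dict(SERVER_RE.findall(slave_conf)).get(master_ip)
    if skey is None:
        findings.append(f"slave: no 'server {master_ip} {{ keys ...; }}' stanza; transfer requests will be unsigned")
    elif skey not in skeys:
        findings.append(f"slave: server stanza references undefined key '{skey}'")
    elif mkeys.get(skey) != skeys[skey]:
        findings.append(f"key '{skey}': algorithm or secret differs between master and slave")
    for name, (alg, _) in {**mkeys, **skeys}.items():
        if alg == 'hmac-md5':
            findings.append(f"key '{name}': hmac-md5 is deprecated; prefer hmac-sha256")
    return findings
```

Running it on the two constructed fragments reports only the hmac-md5 warning; feed it your real files to catch a secret that was pasted differently on the two hosts before the transfer fails with a TSIG error.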
Verify the Master to Slave Data Replication
Now we are done with the steps to secure the master/slave DNS servers with the key, so let us validate our configuration.
On the master DNS server make a change in the forward zone file and increment the serial number so that the slave picks up the change:
[root@master ~]# vim /var/named/example.com.zone
$TTL 1D
; names without a trailing dot are relative to the zone origin example.com
@       IN SOA  master.example.com. root.example.com. (
                        11      ; serial (incremented for this change)
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
        IN NS   master
master  IN A    10.0.2.32
localhost IN A  127.0.0.1
client  IN A    10.0.2.30
slave   IN A    10.0.2.31
test    IN A    10.0.2.33
Next reload the named-chroot service on the master DNS server:
[root@master ~]# systemctl reload named-chroot
Monitor the output of /var/named/data/named.run on the Slave DNS Server:
[root@slave ~]# tail -f /var/named/data/named.run
Jun 22 23:04:03 slave named[6358]: client 10.0.2.32#4382: received notify for zone 'example.com'
Jun 22 23:04:03 slave named[6358]: zone example.com/IN: Transfer started.
Jun 22 23:04:03 slave named[6358]: transfer of 'example.com/IN' from 10.0.2.32#53: connected using 10.0.2.31#37024
Jun 22 23:04:03 slave named[6358]: zone example.com/IN: transferred serial 11: TSIG 'master'
Jun 22 23:04:03 slave named[6358]: transfer of 'example.com/IN' from 10.0.2.32#53: Transfer completed: 1 messages, 8 records, 323 bytes, 0.003 secs (107666 bytes/sec)
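The TSIG 'master' suffix on the "transferred serial" line is the evidence that the transfer was authenticated, so it is a useful thing to watch for continuously. Here is an added Python example, not from the article, that runs over constructed named.run lines modelled on the log above and flags transfers that completed without TSIG, transfers signed with a key other than the expected one, and notifies that did not come from the master's IP.

```python
import re

# Constructed sample of /var/named/data/named.run lines on the slave, modelled on
# the log above: serial 11 arrives TSIG-signed, then a notify arrives from a host
# that is not the master and serial 12 is transferred without any TSIG.
SAMPLE_LOG = """\
Jun 22 23:04:03 slave named[6358]: client 10.0.2.32#4382: received notify for zone 'example.com'
Jun 22 23:04:03 slave named[6358]: zone example.com/IN: Transfer started.
Jun 22 23:04:03 slave named[6358]: transfer of 'example.com/IN' from 10.0.2.32#53: connected using 10.0.2.31#37024
Jun 22 23:04:03 slave named[6358]: zone example.com/IN: transferred serial 11: TSIG 'master'
Jun 22 23:09:41 slave named[6358]: client 10.0.2.30#5510: received notify for zone 'example.com'
Jun 22 23:09:41 slave named[6358]: zone example.com/IN: transferred serial 12
"""

NOTIFY_RE = re.compile(r"client (\d+\.\d+\.\d+\.\d+)#\d+: received notify for zone '([^']+)'")
# The ": TSIG '<key>'" suffix is only present when the transfer was signed
XFER_RE = re.compile(r"zone ([^/ ]+)/IN: transferred serial (\d+)(?:: TSIG '([^']+)')?")

def audit_transfers(log_text, master_ip, key_name):
    """Return alerts for notifies from hosts other than the master, transfers
    completed without TSIG, and transfers signed with a key other than key_name."""
    alerts = []
    for line in log_text.splitlines():
        m = NOTIFY_RE.search(line)
        if m:
            if m.group(1) != master_ip:
                alerts.append(f"notify for {m.group(2)} from unexpected host {m.group(1)}")
            continue
        m = XFER_RE.search(line)
        if not m:
            continue
        zone, serial, tsig = m.groups()
        if tsig is None:
            alerts.append(f"zone {zone} serial {serial} transferred WITHOUT TSIG")
        elif tsig != key_name:
            alerts.append(f"zone {zone} serial {serial} signed with unexpected key '{tsig}'")
    return alerts

if __name__ == "__main__":
    for alert in audit_transfers(SAMPLE_LOG, "10.0.2.32", "master"):
        print(alert)
```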
So the zone data from the Master DNS Server was transferred to the Slave DNS Server, and the TSIG 'master' entry in the log confirms that the transfer was authenticated with our key.
Lastly, I hope the steps in this article to secure a master/slave DNS server setup using DNSSEC on RHEL/CentOS 7 Linux were helpful. Let me know your suggestions and feedback in the comment section.