Tag Archives: DNS

NSD with DNSSEC (Forward & Reverse DNS)

01 Tuesday Nov 2016

Posted by Fakrul Alam in Education, My Work


Tags

DNS, DNSSEC, NSD

In the previous two posts (1st part & 2nd part) I explained how to set up NSD as the primary DNS server and BIND as the secondary. Now let's see how to implement DNSSEC on top of it.

1. You can put all the keys in a single folder, but for clarity I keep the necessary files in 4 folders:
ZONES: all zone files; SIGNED: all signed zone files; ZSK: all ZSK keys; KSK: all KSK keys
sudo mkdir /etc/nsd/SIGNED /etc/nsd/KSK /etc/nsd/ZSK

2. Time to install ldns, an NLnet Labs project:
sudo apt-get install ldnsutils

3. Create the ZSK in /etc/nsd/ZSK
cd /etc/nsd/ZSK
sudo ldns-keygen -a RSASHA1_NSEC3 -b 1024 ssh.com.bd

Create the KSK in /etc/nsd/KSK
cd /etc/nsd/KSK
sudo ldns-keygen -a RSASHA1_NSEC3 -b 2048 -k ssh.com.bd

ldns-keygen creates 3 files: a .key file with the public DNSKEY record, a .private file with the private key data and a .ds file with the DS record for that DNSKEY.

4. Edit /etc/nsd/nsd.conf to change the path for the signed zones:
zonesdir: "/etc/nsd/SIGNED"

and point the zone at the signed file:

zone:
    name: "ssh.com.bd"
    zonefile: "ssh.com.bd.zone.signed"

5. Now use the ldns-signzone command to sign ssh.com.bd and create a new file ready to answer DNSSEC queries.

sudo ldns-signzone -f /etc/nsd/SIGNED/ssh.com.bd.zone.signed \
    /etc/nsd/ZONES/ssh.com.bd.zone \
    /etc/nsd/KSK/Kssh.com.bd.+007+22704 \
    /etc/nsd/ZSK/Kssh.com.bd.+007+04664

This creates the signed zone file under the /etc/nsd/SIGNED folder.
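As an added example (not code from the post), the Python below reproduces what the +007+NNNNN key tag in ldns-keygen's file names and the DS record in its .ds file are derived from, so you can check that the DS you hand to the parent zone really matches your KSK before the signed zone goes live. The DNSKEY value is a constructed placeholder, not one of the post's keys.

```python
import base64
import hashlib

# Constructed example (NOT the keys from the post): flags 257 = KSK, protocol 3,
# algorithm 7 = RSASHA1_NSEC3 as in the post, and a 4-byte placeholder public key
# (real RSA keys are far longer) so the key tag is easy to follow by hand.
OWNER = "ssh.com.bd."
CONSTRUCTED_DNSKEY = "ssh.com.bd. IN DNSKEY 257 3 7 AQIDBA=="  # base64 of 01 02 03 04


def owner_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root = 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: the NNNNN in ldns-keygen's Kssh.com.bd.+007+NNNNN."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(owner, dnskey_line, digest_type=2):
    """DS record the parent zone must publish: digest over owner(wire) || DNSKEY RDATA.
    digest_type 1 = SHA-1, 2 = SHA-256."""
    fields = dnskey_line.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    rdata = dnskey_rdata(flags, protocol, algorithm, "".join(fields[idx + 4:]))
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(owner_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(owner, dnskey_line, published_ds):
    """True if the DS seen in the parent zone (e.g. from dig) was derived from this KSK."""
    fields = published_ds.upper().split()
    return fields == ds_record(owner, dnskey_line, int(fields[5])).upper().split()


if __name__ == "__main__":
    print(ds_record(OWNER, CONSTRUCTED_DNSKEY))
```

Algorithm 7 (RSASHA1-NSEC3-SHA1) appears here only because the post uses it; RFC 8624 no longer recommends it for signing, and the functions above work unchanged with ECDSAP256SHA256 (13) or RSASHA256 (8).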


INSTALL NSD AS PRIMARY DNS SERVER & BIND AS SECONDARY NAME SERVER (PART 2)

31 Monday Oct 2016

Posted by Fakrul Alam in Education, My Work


Tags

bind, DNS, NSD

In this part we will install BIND as the secondary name server. For the primary name server installation, see INSTALL NSD AS PRIMARY DNS SERVER & BIND AS SECONDARY NAME SERVER (PART 1).

1. Update the package index and install BIND

sudo apt-get update
sudo apt-get install bind9 bind9utils bind9-doc

2. All the configuration files are in the /etc/bind/ folder. In most cases the default options work fine; the only thing I changed was to add a TSIG key for zone transfers.

3. First create the key file
sudo vi /etc/bind/ssh.com.bd-key

key ssh.com.bd-key {
    algorithm hmac-md5;
    secret "N1aqkdyRDOOM01NYt3Vat3v+QmonX8bsNoSdBUyKNB0=";
};

Make sure you copy the secret exactly.

4. Add the key to the named.conf file

sudo vi named.conf

#TSIG key kompella->martini
include "/etc/bind/ssh.com.bd-key";

server 192.0.2.10 {
    keys { ssh.com.bd-key; };
};

5. Add the related zones to the named.conf.default-zones file:

zone "ssh.com.bd" IN {
    type slave;
    file "/var/cache/bind/ssh.com.bd.zone";
    masters { 192.0.2.10; };
};

zone "113.0.203.in-addr.arpa" IN {
    type slave;
    file "/var/cache/bind/203.0.113.zone";
    masters { 192.0.2.10; };
};

6. Save and restart the BIND service.

sudo /etc/init.d/bind9 restart

7. Test the zone transfer:
dig axfr @192.0.2.10 ssh.com.bd -k /etc/bind/ssh.com.bd-key

If everything is correct, you will see all the zone entries.
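The TSIG key must be identical on the NSD primary and the BIND secondary, and the post's "copy the secret properly" step is where that goes wrong. As an added example (not from either post), this Python generates one fresh secret and emits the matching configuration for both sides; the key name, addresses and zones are taken from the posts, the zone file names under /var/cache/bind are simplified, and the NSD key:/notify/provide-xfr syntax is what nsd.conf uses for TSIG-protected transfers.

```python
import base64
import secrets

# Names from the posts; the secret is generated fresh here rather than reusing the
# hmac-md5 secret printed in the post. File names under /var/cache/bind are assumed.
KEY_NAME = "ssh.com.bd-key"
PRIMARY = "192.0.2.10"      # kompella, NSD
SECONDARY = "203.0.113.10"  # martini, BIND
ZONES = ["ssh.com.bd", "113.0.203.in-addr.arpa"]
# Digest length per TSIG algorithm; hmac-md5 (used in the post) is no longer recommended.
TSIG_ALGORITHMS = {"hmac-md5": 16, "hmac-sha256": 32, "hmac-sha512": 64}

def new_secret(algorithm="hmac-sha256"):
    """Random secret of the algorithm's digest length, base64 as BIND and NSD expect it."""
    return base64.b64encode(secrets.token_bytes(TSIG_ALGORITHMS[algorithm])).decode()

def check_secret(secret, algorithm):
    """Catch the usual copy mistakes: invalid/truncated base64 or a key that is too short."""
    try:
        raw = base64.b64decode(secret, validate=True)
    except ValueError:
        return False
    return len(raw) >= TSIG_ALGORITHMS[algorithm]

def bind_secondary_config(secret, algorithm="hmac-sha256"):
    """key and server clauses for named.conf plus slave zones for named.conf.default-zones."""
    parts = [f'key "{KEY_NAME}" {{\n    algorithm {algorithm};\n    secret "{secret}";\n}};',
             f'server {PRIMARY} {{\n    keys {{ {KEY_NAME}; }};\n}};']
    for zone in ZONES:
        parts.append(f'zone "{zone}" IN {{\n    type slave;\n'
                     f'    file "/var/cache/bind/{zone}.zone";\n    masters {{ {PRIMARY}; }};\n}};')
    return "\n\n".join(parts)

def nsd_primary_config(secret, algorithm="hmac-sha256"):
    """Matching key: block and per-zone notify/provide-xfr lines for the primary's nsd.conf."""
    parts = [f'key:\n    name: "{KEY_NAME}"\n    algorithm: {algorithm}\n    secret: "{secret}"']
    for zone in ZONES:
        parts.append(f'zone:\n    name: "{zone}"\n    zonefile: "{zone}.zone"\n'
                     f'    notify: {SECONDARY} {KEY_NAME}\n    provide-xfr: {SECONDARY} {KEY_NAME}')
    return "\n\n".join(parts)

if __name__ == "__main__":
    secret = new_secret()
    assert check_secret(secret, "hmac-sha256")
    print("# --- /etc/bind on martini ---\n" + bind_secondary_config(secret))
    print("\n# --- /etc/nsd/nsd.conf on kompella ---\n" + nsd_primary_config(secret))
```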


Install NSD as Primary DNS Server & BIND as Secondary Name Server (part 1)

31 Monday Oct 2016

Posted by Fakrul Alam in My Work


Tags

bind, DNS, NSD

NSD is an authoritative-only, memory-efficient, highly secure and simple-to-configure open source name server. In most cases we use BIND as our name server (authoritative/caching). Here I will show you how to configure NSD as the primary name server and BIND as the secondary name server, using two different DNS implementations.

Primary DNS Server: kompella.ssh.com.bd (192.0.2.10)
Secondary DNS Server: martini.ssh.com.bd (203.0.113.10)

Make sure that hostname (/etc/hostname) has been set properly for both of the servers.

A. Install NSD as primary name server

1. The NSD service expects to run as a user called nsd, but the package does not actually create this account. To avoid an error during installation, we create the user before installing the software. On each of your machines, create the nsd system user by typing:

sudo useradd -r nsd

2. Update the local package index and install nsd.

sudo apt-get update
sudo apt-get install nsd

3. First, make sure the SSL keys and certificates that NSD uses for secure communication between the daemon and the nsd-control utility are generated:

sudo nsd-control-setup

4. The main configuration file for NSD is nsd.conf, located in the /etc/nsd directory.

cd /etc/nsd
vi nsd.conf

You can use this sample nsd.conf file: http://pastebin.com/JyNyxZCu

5. Next, the forward zone file. It uses the same format as the one we used in BIND: http://pastebin.com/3xaiVkfV

6. Reverse zone file: https://pastebin.com/nFELkTZT

7. Testing the Files and Restarting the Service

Now that we have our master server configured, we can test the configuration file and apply our changes. You can check the syntax of the main configuration file with the included nsd-checkconf tool. Simply point the tool at your main configuration file:

sudo nsd-checkconf /etc/nsd/nsd.conf

After you are able to execute the check cleanly, you can restart the service by typing:

sudo service nsd restart

8. Check the logs to see any messages:

sudo tail -f /var/log/nsd.log


Next we will configure BIND as the secondary name server, using TSIG to transfer the zone files securely between the two DNS servers.

Playing with Open Resolver

04 Sunday Aug 2013

Posted by Fakrul Alam in Uncategorized


Tags

DNS, Open Resolver, Securing BIND

It is always recommended to secure your DNS (BIND) and close open resolvers, because open resolvers are used to initiate large-scale DDoS attacks. I use the BIND templates (http://www.cymru.com/Documents/secure-bind-template.html) from the Team Cymru site to secure my DNS. Let's have a look at what happens if I don't secure my DNS.

To track my DNS queries I have configured bindgraph. Below is the output:

Usually I see 20/25 queries per second, but there are a few spikes of 70 queries per second, and most of them are ANY queries. When I checked my DNS query log, what I found was really interesting:

04-Aug-2013 14:03:29.694 queries: client 83.69.230.xxx#10962: view external: query: ietf.org IN ANY +E (103.12.179.12)
04-Aug-2013 14:03:29.696 queries: client 83.69.230.xxx#31090: view external: query: ietf.org IN ANY +E (103.12.179.12)
04-Aug-2013 14:03:29.761 queries: client 83.69.230.xxx#49009: view external: query: ietf.org IN ANY +E (103.12.179.12)
04-Aug-2013 14:03:29.761 queries: client 83.69.230.xxx#8803: view external: query: ietf.org IN ANY +E (103.12.179.12)
04-Aug-2013 14:03:29.761 queries: client 83.69.230.xxx#34494: view external: query: ietf.org IN ANY +E (103.12.179.12)
04-Aug-2013 14:03:29.826 queries: client 83.69.230.xxx#43246: view external: query: ietf.org IN ANY +E (103.12.179.12)

Source 83.69.230.xxx is querying for ietf.org ANY and sending a huge number of requests. The average DNS query size is 64 bytes, but if we look at the response it is 4628 bytes. That means 83.69.230.xxx is amplifying each request by roughly 73 times.


So if 83.69.230.xxx can send 1 Mbps of DNS queries, it can amplify that by 73 times and send 75 Mbps of traffic to ietf.org. Really impressive. That is why it is important to secure your DNS.
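As an added example (not from the post), the Python below parses BIND query-log lines like the ones quoted above, flags any source that sends a burst of ANY queries, and computes the amplification ratio from the sizes the post quotes; the burst threshold and one-second window are assumptions, and the sample input is the post's own six log lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# The six BIND query-log lines quoted in the post (last octet redacted by the author).
SAMPLE_LOG = """\
04-Aug-2013 14:03:29.694 queries: client 83.69.230.xxx#10962: view external: query: ietf.org IN ANY +E (103.12.179.12)
04-Aug-2013 14:03:29.696 queries: client 83.69.230.xxx#31090: view external: query: ietf.org IN ANY +E (103.12.179.12)
04-Aug-2013 14:03:29.761 queries: client 83.69.230.xxx#49009: view external: query: ietf.org IN ANY +E (103.12.179.12)
04-Aug-2013 14:03:29.761 queries: client 83.69.230.xxx#8803: view external: query: ietf.org IN ANY +E (103.12.179.12)
04-Aug-2013 14:03:29.761 queries: client 83.69.230.xxx#34494: view external: query: ietf.org IN ANY +E (103.12.179.12)
04-Aug-2013 14:03:29.826 queries: client 83.69.230.xxx#43246: view external: query: ietf.org IN ANY +E (103.12.179.12)
"""
# BIND 9 query log: timestamp, client addr#port, view, qname, class, type, flags.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: "
    r"client (?P<client>[^#\s]+)#(?P<port>\d+): view (?P<view>[^:]+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)")

def parse_line(line):
    """Parsed fields of one log line, or None if it is not a query record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return rec

def any_query_bursts(lines, threshold=5, window=timedelta(seconds=1)):
    """Client -> peak ANY-query count inside any sliding `window`, when above `threshold`.
    The client address is whatever the packet claimed (the spoofed victim when reflected)."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["qtype"] == "ANY":
            per_client[rec["client"]].append(rec["ts"])
    flagged = {}
    for client, stamps in per_client.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[client] = peak
    return flagged

def amplification_factor(query_bytes, response_bytes):
    """Response/request size ratio (the post: 64-byte query, 4628-byte ANY answer)."""
    return response_bytes / query_bytes
```

Because the responses go back to whatever source address the query carried, the fix is on the resolver side (restrict recursion to your own clients and rate-limit responses), not on blocking the flagged address.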
