ShareWiz Ultra Secure Server Setup

DNS Security

Introduction

DNS (Domain Name System) is one of the core components of the web: it maps human-friendly domain names to the numeric addresses computers use (IP (Internet Protocol) addresses).

Each time you visit a website, your computer or browser performs a DNS query, looking up the IP address for the requested domain name.

By default the server caches DNS results so that future lookups are fast. This is efficient and saves a lot of resources, but it occasionally creates a problem, especially when a domain gets a new IP address (or, in other words, the server is changed).

Spoofing DNS cache

DNS is a distributed database with a hierarchical structure, used to translate human-friendly host names into IP addresses on TCP/IP networks.

So when a computer wants to communicate with www.sharewiz.net, it first sends a query to the local DNS server, and that server checks its database for the corresponding IP address.

If the local server cannot answer from its own data, it queries other remote DNS servers and finally returns the corresponding IP address to the user's computer (assuming there is no problem on the sharewiz.net servers).

After this, the user's computer and the local DNS server (if it had to resolve the name remotely) update their caches, so that in future the host name to IP address mapping can be used without further queries to other DNS servers.

There are many methods for spoofing the DNS cache, but the basic idea is always to alter the mapping between a host name and an IP address in the DNS cache of the victim computer or DNS server.

Two simple methods to poison the DNS cache

  • The attacker sends a DNS query to the local DNS server and, before the local server receives the true result from the remote server, floods it with fake replies; if one is accepted, the local DNS cache is spoofed.
  • The attacker replaces the host names' addresses with the IP address of a fake website, so when a user queries the poisoned DNS server the name maps to the fake website.

Each cached entry has a time to live (TTL), which determines how long a server will keep that piece of information in its cache.
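To show the first method from the defender's side, here is an added example (written for this page, not code from the original) of the checks a resolver applies before it accepts a reply into its cache: the packet must be a response, its transaction ID and question section must match the outstanding query, and every answer must be for the name that was asked. A reply that arrives first but fails any of these checks is simply dropped, which is what limits the flooding method described above. The names, transaction IDs and addresses below are constructed for the example; real resolvers additionally randomize the UDP source port and apply bailiwick rules to authority and additional records.

```python
import struct


def encode_name(name):
    """Encode a dotted host name as a sequence of DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, off):
    """Decode a (possibly compressed) name at offset off; return (name, next offset)."""
    labels = []
    while True:
        length = data[off]
        if length == 0:
            off += 1
            break
        if (length & 0xC0) == 0xC0:  # compression pointer into the message
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(data, ptr)
            labels.append(tail.rstrip("."))
            off += 2
            break
        off += 1
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", off


def build_query(txid, name, qtype=1):
    """Standard recursive query (flags 0x0100: RD set), one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_reply(txid, name, ip, ttl=300):
    """Response (flags 0x8180: QR, RD, RA) with one A record; used to construct test input."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    # The answer's owner name is a pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_message(data):
    """Parse the header, question and answer sections of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    questions = []
    for _ in range(qd):
        qname, off = decode_name(data, off)
        qtype, qclass = struct.unpack("!HH", data[off:off + 4])
        off += 4
        questions.append((qname, qtype, qclass))
    answers = []
    for _ in range(an):
        owner, off = decode_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((owner, rtype, ttl, rdata))
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}


def accept_reply(query, reply):
    """Apply the matching checks a resolver makes before caching a reply.

    Returns (accepted, reason). A flood of guessed replies only succeeds if one
    of them also guesses the transaction ID (and, on a real resolver, the
    randomized source port) and repeats the exact question that was asked."""
    q, r = parse_message(query), parse_message(reply)
    if not (r["flags"] & 0x8000):
        return False, "QR bit clear: packet is not a response"
    if r["id"] != q["id"]:
        return False, "transaction ID does not match the outstanding query"
    if r["questions"] != q["questions"]:
        return False, "question section does not match the outstanding query"
    qname = q["questions"][0][0]
    for owner, _rtype, _ttl, _rdata in r["answers"]:
        if owner != qname:
            return False, f"answer for {owner} does not belong to the query for {qname}"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample traffic: one genuine reply and two spoofed ones.
    query = build_query(0x1234, "www.sharewiz.net")
    print(accept_reply(query, build_reply(0x1234, "www.sharewiz.net", "192.168.1.1")))
    print(accept_reply(query, build_reply(0x4321, "www.sharewiz.net", "203.0.113.9")))
    print(accept_reply(query, build_reply(0x1234, "mta.sharewiz.net", "203.0.113.9")))
```

The second and third replies are rejected even though they arrive with a plausible answer section, because a mismatched transaction ID or question never gets as far as the cache; the genuine reply is the only one accepted.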


Install Bind

Issue the following command:

sudo aptitude install bind9


Configure Bind

Issue the following command:

sudo vi /etc/bind/named.conf.options

and add two upstream DNS servers for Bind to forward queries to:

forwarders {
        # Replace the addresses below with known DNS servers
        8.8.4.4;
        8.8.8.8;
};

The two added DNS servers used as master servers are actually Google's DNS servers.

They are added so that the local server has a source for IP addresses that are not provided for locally.


Configure Resolvconf

Issue the following command:

sudo vi /etc/resolvconf/resolv.conf.d/base

and add the name servers the system resolver should use:

domain server1.sharewiz.net
search server1.sharewiz.net
nameserver 8.8.4.4
nameserver 8.8.8.8
nameserver 127.0.0.1
options rotate

Ubuntu now ships with a dynamic resolv.conf manager called resolvconf, which handles editing /etc/resolv.conf for us. Thus, instead of editing /etc/resolv.conf, we can edit /etc/resolvconf/resolv.conf.d/base.

The two added DNS servers used as master servers are actually Google's DNS servers.

They are added so that the local server has a source for IP addresses that are not provided for locally.


Restart Resolvconf

To enable the new settings to be recognized, restart resolvconf.

Issue the following command:

sudo service resolvconf restart


Restart Bind

To enable the new settings to be recognized, restart Bind.

Issue the following command:

sudo service bind9 restart


Test Bind

Issue the following command:

sudo dig www.google.com

which should show something like:

; <<>> DiG 9.8.1-P1 <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45194
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 84705 IN CNAME www.l.google.com.
www.l.google.com. 300 IN A 74.125.132.103
www.l.google.com. 300 IN A 74.125.132.104
www.l.google.com. 300 IN A 74.125.132.105
www.l.google.com. 300 IN A 74.125.132.106
www.l.google.com. 300 IN A 74.125.132.147
www.l.google.com. 300 IN A 74.125.132.99

;; AUTHORITY SECTION:
. 59063 IN NS c.root-servers.net.
. 59063 IN NS i.root-servers.net.
. 59063 IN NS k.root-servers.net.
. 59063 IN NS h.root-servers.net.
. 59063 IN NS a.root-servers.net.
. 59063 IN NS l.root-servers.net.
. 59063 IN NS j.root-servers.net.
. 59063 IN NS g.root-servers.net.
. 59063 IN NS e.root-servers.net.
. 59063 IN NS d.root-servers.net.
. 59063 IN NS b.root-servers.net.
. 59063 IN NS f.root-servers.net.
. 59063 IN NS m.root-servers.net.

;; Query time: 189 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jul 9 19:06:52 2012
;; MSG SIZE rcvd: 359

The providing DNS server should be 127.0.0.1. This can be seen in the line near the bottom of the output: SERVER: 127.0.0.1#53(127.0.0.1)


Configure Local Bind

Issue the following command:

sudo vi /etc/bind/named.conf.local

(this is the file that Bind's named.conf includes for local zone definitions; a file under any other name is never read) and populate as follows:

# This is the zone definition. Replace server1.sharewiz.net with your domain name
zone "server1.sharewiz.net" {
        type master;
        file "/etc/bind/zones/server1.sharewiz.net.db";
};

# This is the zone definition for reverse DNS. Replace 1.168.192 with your network
# address in reverse notation, e.g. my network address is 192.168.1
zone "1.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/rev.1.168.192.in-addr.arpa";
};


Create Zones Directory

Create the directory that will hold the zone files referenced above:

sudo mkdir -p /etc/bind/zones


Create Zone File

Issue the following command:

sudo vi /etc/bind/zones/server1.sharewiz.net.db

and populate as follows. Note that zone-file comments start with ; (not //), the SOA record names both the primary name server and the contact address before the opening parenthesis, and the $TTL directive is required because the records below carry no TTL of their own:

$TTL 86400
; Replace server1.sharewiz.net with your domain name. Do not forget the . after the domain name!
; Also, replace admin with the name of your DNS server
server1.sharewiz.net. IN SOA admin.server1.sharewiz.net. admin.server1.sharewiz.net. (
        ; Do not modify the following lines!
        2006081401
        28800
        3600
        604800
        38400
)

; Replace the following lines as necessary:
; admin = DNS server name
; mta = mail server name
; server1.sharewiz.net = domain name
server1.sharewiz.net. IN NS admin.server1.sharewiz.net.
server1.sharewiz.net. IN MX 10 mta.server1.sharewiz.net.

; Replace the IP addresses with the right IP addresses.
; Names without a trailing dot are relative to the zone, so "admin" is admin.server1.sharewiz.net
www   IN A 192.168.1.1
mta   IN A 192.168.1.1
admin IN A 192.168.1.1


Create Reverse Zone File

Issue the following command:

sudo vi /etc/bind/zones/rev.1.168.192.in-addr.arpa

and populate as follows (as in the forward zone, comments use ; and a name must end with a dot to be absolute, otherwise it is appended to 1.168.192.in-addr.arpa):

$TTL 86400
; Replace server1.sharewiz.net with your domain name and admin with your DNS server name.
; The number before IN PTR is the host part of the DNS server's address (192.168.1.1 -> 1)
@ IN SOA server1.sharewiz.net. admin.sharewiz.net. (
        2006081401
        28800
        604800
        604800
        86400
)

        IN NS server1.sharewiz.net.
1       IN PTR server1.sharewiz.net.
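Both zone files above are easy to get subtly wrong, and named then either refuses the zone or serves names you did not intend. As an added example (written for this page, not part of the original), the following Python parses zone-file text in the format used above ($TTL, ; comments, a parenthesised SOA, relative and absolute names) and reports the defects a practitioner most often hits: no $TTL, an NS record pointing at a host that has no address record in the zone, and a target name missing its trailing dot, which named silently qualifies with the origin. GOOD_ZONE is a constructed copy of the forward zone; BAD_ZONE is the same zone carrying the two defects just named. On the server itself, named-checkconf and named-checkzone remain the authoritative check.

```python
# Constructed samples (not the page's files verbatim).
ORIGIN = "server1.sharewiz.net."

GOOD_ZONE = """\
$TTL 86400
server1.sharewiz.net. IN SOA admin.server1.sharewiz.net. admin.server1.sharewiz.net. (
        2006081401 ; serial
        28800      ; refresh
        3600       ; retry
        604800     ; expire
        38400 )    ; negative cache TTL
server1.sharewiz.net. IN NS admin.server1.sharewiz.net.
server1.sharewiz.net. IN MX 10 mta.server1.sharewiz.net.
www   IN A 192.168.1.1
mta   IN A 192.168.1.1
admin IN A 192.168.1.1
"""

# No $TTL, and "admin.server1" is relative, so it becomes admin.server1.server1.sharewiz.net.
BAD_ZONE = """\
server1.sharewiz.net. IN SOA admin.server1.sharewiz.net. admin.server1.sharewiz.net. (
        2006081401 28800 3600 604800 38400 )
server1.sharewiz.net. IN NS admin.server1.sharewiz.net.
www IN A 192.168.1.1
admin.server1 IN A 192.168.1.1
"""


def logical_lines(text):
    """Yield records with ';' comments removed and ( ... ) continuations joined."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            yield " ".join(buf)
            buf, depth = [], 0


def qualify(name, origin):
    """Turn a relative owner or target into an absolute name, as named does."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Parse records into dicts: owner, ttl, type, rdata (list of tokens)."""
    records, default_ttl, owner = [], None, origin
    for line in logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if not line[:1].isspace():  # a line starting in column 1 names a new owner
            owner = qualify(tokens.pop(0), origin)
        ttl = default_ttl
        if tokens and tokens[0].isdigit():  # optional per-record TTL
            ttl = int(tokens.pop(0))
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        records.append({"owner": owner, "ttl": ttl, "type": tokens[0].upper(), "rdata": tokens[1:]})
    return records


def lint_zone(text, origin):
    """Return the problems that make named reject the zone or serve unintended names."""
    records = parse_zone(text, origin)
    problems = []
    if not any(r["type"] == "SOA" for r in records):
        problems.append("no SOA record")
    if any(r["ttl"] is None for r in records):
        problems.append("records without a TTL and no $TTL directive (named refuses to load the zone)")
    address_names = {r["owner"] for r in records if r["type"] in ("A", "AAAA")}
    for r in records:
        target = r["rdata"][-1] if r["rdata"] else ""
        if r["type"] == "SOA" and len(r["rdata"]) != 7:
            problems.append("SOA needs MNAME, RNAME and five timer values")
        if r["type"] in ("NS", "MX", "CNAME", "PTR") and not target.endswith("."):
            problems.append(f"{r['type']} target {target} lacks a trailing dot and will be read as {qualify(target, origin)}")
        if r["type"] == "NS":
            ns = qualify(target, origin)
            in_zone = ns == origin or ns.endswith("." + origin)
            if in_zone and ns not in address_names:
                problems.append(f"NS target {ns} has no address record in this zone")
    return problems


if __name__ == "__main__":
    print("GOOD_ZONE:", lint_zone(GOOD_ZONE, ORIGIN))  # []
    for problem in lint_zone(BAD_ZONE, ORIGIN):
        print("BAD_ZONE:", problem)
```

Run against the reverse zone (with origin 1.168.192.in-addr.arpa.) the same function flags a PTR target written without its trailing dot, the defect that turns server1.sharewiz.net into server1.sharewiz.net.1.168.192.in-addr.arpa.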


Restart Bind

To enable the new settings to be recognized, restart Bind.

Issue the following command:

sudo service bind9 restart


Test Bind

Issue the following command:

sudo dig www.google.com

which should show the same output as in the earlier Test Bind section. Check again that the SERVER line near the bottom reads 127.0.0.1#53(127.0.0.1), meaning the answer came from the local Bind and not directly from an upstream server.


Test Bind another way

Issue the following command:

sudo nslookup www.google.com

which should show something like:

Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
www.google.com canonical name = www.l.google.com.
Name: www.l.google.com
Address: 74.125.132.147
Name: www.l.google.com
Address: 74.125.132.104
Name: www.l.google.com
Address: 74.125.132.106
Name: www.l.google.com
Address: 74.125.132.99
Name: www.l.google.com
Address: 74.125.132.103
Name: www.l.google.com
Address: 74.125.132.105

and now try the same using the local bind9 DNS server:

sudo nslookup www.google.com 127.0.0.1

which should show something like:

Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.google.com canonical name = www.l.google.com.
Name: www.l.google.com
Address: 74.125.132.147
Name: www.l.google.com
Address: 74.125.132.104
Name: www.l.google.com
Address: 74.125.132.106
Name: www.l.google.com
Address: 74.125.132.99
Name: www.l.google.com
Address: 74.125.132.103
Name: www.l.google.com
Address: 74.125.132.105

If the DNS server at 127.0.0.1 does not answer successfully, Bind is not working.

An error such as the following indicates that Bind is not running; start it and retry:

;; connection timed out; no servers could be reached


Install nscd

Issue the following command:

sudo aptitude install nscd

By default, our computer caches DNS results in order to provide fast lookups in future. That is really good (it is efficient and saves a lot of resources), but sometimes it creates a problem, especially when a domain gets a new IP address (or, in other words, the server is changed).

In such a case the cached result may prevent you from viewing the latest website/app for your domain. That is where flushing the DNS cache becomes necessary.

There are various ways to clear the DNS cache in Ubuntu, but using nscd (name service cache daemon) is very simple and straightforward (and it works with almost all commonly used GNU/Linux distributions such as Fedora, Mint, openSUSE etc.).


Clear DNS Cache

Issue the following command:

sudo /etc/init.d/nscd restart

For further help, issue the command sudo nscd --help.


Continue to the DHCP Security...