Like other large pieces of software, BIND (the DNS server) has had many problems because of its size and the complexity of its function. As a result, the number of system intrusions that exploit BIND vulnerabilities has risen substantially; in the most serious cases the attacker obtains complete remote control of the target host. Because a DNS server has a great influence on every other host on the network, avoiding these intrusions has become crucial. This article describes how to use a chroot() environment on Red Hat Linux (or similar systems) to build a secure BIND 8.x server. It is based mainly on Adam Shostack's article on the same subject (the Solaris version).

Step 1: Obtain and install the software

Download the latest version of BIND from the ISC FTP site (the contents of this article were tested with BIND 8.x). Also download holelogd (and other useful tools) from the Obtuse Systems FTP site; it is free software. holelogd is used to create the /dev/log socket inside the chroot environment, so that syslogd can record the log messages of the named process. The syslogd on OpenBSD has this functionality built in ("syslogd -a /chroot/dev/log"), but the Linux syslogd has not implemented this feature yet; holelogd mimics the OpenBSD functionality. Install holelogd according to its documentation (usually into /usr/local/sbin).

Step 2: Build static named and named-xfer binaries

To compile and install named and named-xfer you need to build statically linked versions. Only a small change to the Makefile.set file in the %BIND%/src/port/linux directory is needed. Replace the line

    CDEBUG=-O2 -g

with

    CDEBUG=-O2 -static

Then change to the BIND source directory and run "make clean" and "make". The resulting files will be copied into the chroot() directory in the following step. A statically linked executable does not need to load any dynamic link libraries at run time, so inside the chroot() environment this kind of "self-contained" executable avoids the problem of missing library files.
With no shared libraries inside the chroot() environment, the configuration of the service stays simple. Any other network daemon can be compiled and used in the same statically linked form. (Note the trade-off: a static binary does not pick up fixes to the system's shared libraries, so after a libc security update named and named-xfer must be rebuilt.)

Step 3: Construct the BIND chroot() directory

Construct a directory for BIND, for example /chroot/named. Inside the chroot() environment this directory is BIND's root directory. Create the following subdirectories under it, copy the files listed into them and make the necessary adjustments:

/dev
    mknod ./null c 1 3; chmod 666 null (refer to the mknod man page of your version)
/etc
    copy named.conf from the system /etc directory
    copy localtime from the system /etc directory (so that syslog records the correct time for named's log entries)
    create an /etc/group file that contains only the named GID
/etc/namedb
    copy all zone database files from the system /etc/namedb directory
/usr/sbin
    copy the statically linked named and named-xfer binaries from %BIND%/src/bin/named and %BIND%/src/bin/named-xfer
/var/run
    nothing; a logging directory (such as /var/log) may also be specified

Step 4: Add the named user and group

Add a named user and group to /etc/passwd and /etc/group. These are the UID/GID the DNS server runs under. At this point you can change into the chroot directory and run "chown -R named.named etc/namedb", so that when you send an interrupt signal (kill -INT) the named process can save the server cache and statistics there. If the directory remains owned by root, named cannot write those dumps into it, but this does not affect the DNS functionality of the server. Another option is to change only the directory permissions (so that the named user has write permission) while the owner stays root. This is feasible, but take care that the permissions do not allow anyone other than root to modify named's records!

*** Important warning ***: Do not run named under a pre-existing UID/GID (such as "nobody").
Remember that using any pre-existing UID/GID in a chroot environment can affect the security of the service. You must give each daemon that runs in a chroot environment its own separate UID/GID.

Step 5: Edit the startup script

Linux uses SysV-style init files, so there are several places where the commands that run named could be placed. In most cases the named initialization script is /etc/rc.d/init.d/named. In it you will find the section that starts named; some of it needs to be added to and modified.

1. Insert a line that starts holelogd before named is run. holelogd takes the location of the log socket as its parameter, which should be in the dev directory of the chroot created above (/chroot/named/dev/log). The command lines look like this:

    # Start daemons.
    echo -n "Starting holelogd: "
    daemon /usr/local/sbin/holelogd /chroot/named/dev/log
    echo
    echo -n "Starting named: "
    daemon named
    echo
    touch /var/lock/subsys/named
    ;;

2. The BIND startup parameters also need to be modified. BIND 8.x allows you to specify the run-time user ID and group ID (-u and -g) and the chroot() directory (-t); use the dedicated UID/GID created in the steps above. Replace the line

    daemon named

with

    daemon /chroot/named/usr/sbin/named -u named -g named -t /chroot/named

3. The "ndc" script can be used to control named. Edit this file and change the PID file location from /var/run/named.pid to /chroot/named/var/run/named.pid.

Step 6: Test the server

Start holelogd by entering the following command:

    /usr/local/sbin/holelogd /chroot/named/dev/log

Then change into the /chroot/named/dev/ directory and enter "ls -al". You should get output similar to the following:

    srw-rw-rw-   1 root  wheel  0 Jan  1 12:00 log

The "s" bit indicates that this is a socket file. The named process inside the chroot() environment passes its syslog traffic through this socket.
Now enter:

    /chroot/named/usr/sbin/named -u named -g named -t /chroot/named

If everything works, the named process starts and the log file records "Ready to answer queries." from the named server. Perform the appropriate DNS tests to ensure that the server works correctly, then restart the system and verify the whole configuration. On a normal startup BIND reports its chroot() directory and the UID/GID it runs under. You can also check with a program such as lsof, which lists all network sockets on the host. Once everything works correctly, it is suggested that you rename /etc/namedb to /etc/namedb.orig (or another name) and run "chmod 000 /usr/sbin/named", so that the old version of named cannot be used by mistake.

> Source: ISC (Internet Software Consortium), Steinaraug, BernhardWeissun, Marceuse, Jan Gruber, Adam Shostack, Psionic
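As an added example (not part of the original article, and not a script from ISC or Adam Shostack), the following POSIX shell script carries out the file-system half of Steps 3, 4 and 6 above: it builds the chroot tree under a directory of your choice, copies in the configuration, zone files and static binaries, writes the jail's one-line /etc/group, creates /dev/null, and then checks the result before the first start. The function names, the SYSROOT variable (which lets the layout be rehearsed against a scratch copy of the system files instead of the real /etc) and the BIND source path argument are assumptions of this example. Run it as root on the real system; without root the mknod and chown steps are reported as warnings, and the check fails until /dev/null has been created by hand.

```sh
#!/bin/sh
# Added example, not from the original article: build and check a BIND 8
# chroot tree (Steps 3, 4 and 6). Assumptions: the BIND source tree path is
# passed as the second argument; system files are read below $SYSROOT
# (default: the real root), so a scratch directory can stand in for /etc.
set -u

# build_named_chroot ROOT BINDSRC : populate ROOT as described in Step 3.
build_named_chroot() {
    root=$1
    bindsrc=$2
    sysroot=${SYSROOT:-}

    # Directory skeleton: devices, config, zone data, binaries, pid file.
    for d in dev etc etc/namedb usr/sbin var/run; do
        mkdir -p "$root/$d" || return 1
    done

    # Configuration, timezone data and zone files from the live system.
    cp "$sysroot/etc/named.conf" "$root/etc/named.conf" || return 1
    cp "$sysroot/etc/localtime" "$root/etc/localtime" || return 1
    cp -R "$sysroot/etc/namedb/." "$root/etc/namedb/" || return 1

    # The jail gets a group file with only the dedicated named group; the
    # real /etc/group (and every other account) stays outside the jail.
    gid=$(awk -F: '$1 == "named" { print $3; exit }' "$sysroot/etc/group")
    if [ -z "$gid" ]; then
        echo "no 'named' group in $sysroot/etc/group; do Step 4 first" >&2
        return 1
    fi
    printf 'named:x:%s:\n' "$gid" > "$root/etc/group"

    # Statically linked binaries produced in Step 2.
    cp "$bindsrc/src/bin/named/named" "$root/usr/sbin/named" || return 1
    cp "$bindsrc/src/bin/named-xfer/named-xfer" "$root/usr/sbin/named-xfer" || return 1

    # /dev/null is character device 1,3 on Linux. mknod needs root; if it
    # fails, warn and continue so the rest of the tree can still be inspected.
    if [ ! -c "$root/dev/null" ]; then
        if mknod "$root/dev/null" c 1 3 2>/dev/null; then
            chmod 666 "$root/dev/null"
        else
            echo "warning: mknod failed; run 'mknod $root/dev/null c 1 3' as root" >&2
        fi
    fi

    # Let named own the zone directory so 'kill -INT' can dump cache and
    # statistics there (optional: named still serves if this stays root's).
    chown -R named:named "$root/etc/namedb" 2>/dev/null ||
        echo "warning: chown to named:named failed; dumps will not be writable" >&2
    return 0
}

# check_named_chroot ROOT : verify the tree before the first start. Prints
# each problem and returns the number found (0 means ready).
check_named_chroot() {
    root=$1
    problems=0
    for f in etc/named.conf etc/localtime etc/group usr/sbin/named usr/sbin/named-xfer; do
        if [ ! -f "$root/$f" ]; then
            echo "missing file: $root/$f" >&2
            problems=$((problems + 1))
        fi
    done
    for d in etc/namedb var/run; do
        if [ ! -d "$root/$d" ]; then
            echo "missing directory: $root/$d" >&2
            problems=$((problems + 1))
        fi
    done
    if [ ! -c "$root/dev/null" ]; then
        echo "missing device: $root/dev/null (mknod c 1 3, chmod 666)" >&2
        problems=$((problems + 1))
    fi
    # Only the named group may appear in the jail's group file.
    if [ -f "$root/etc/group" ] && grep -qv '^named:' "$root/etc/group"; then
        echo "$root/etc/group lists entries other than 'named'" >&2
        problems=$((problems + 1))
    fi
    # Warn if the binary still needs shared libraries (Step 2 was skipped).
    if [ -f "$root/usr/sbin/named" ] && command -v ldd >/dev/null 2>&1 &&
        ldd "$root/usr/sbin/named" 2>/dev/null | grep -q '=>'; then
        echo "warning: $root/usr/sbin/named is dynamically linked; rebuild with CDEBUG=-O2 -static" >&2
    fi
    return "$problems"
}

# check_log_socket ROOT : Step 6, true once holelogd has created dev/log.
check_log_socket() {
    [ -S "$1/dev/log" ]
}

# Usage as root, after Step 2:  sh build-named-chroot.sh /chroot/named /usr/src/bind
if [ $# -eq 2 ]; then
    build_named_chroot "$1" "$2" && check_named_chroot "$1"
fi
```

After the check reports no problems, start holelogd and named exactly as in Steps 5 and 6; check_log_socket becomes true as soon as holelogd has bound dev/log inside the jail.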