Friday Sep 10

DNS master-slave: Securing zone transfer with TSIG


Install bind-chroot on both servers

# yum install bind-chroot

On the primary (master) DNS server, generate the shared key:

# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST master-slave
Kmaster-slave.+157+50029

The output tells us the base name of the files containing our new key: in this case the secret is in
Kmaster-slave.+157+50029.private. The numbers are the DNSSEC algorithm number
(157 = HMAC-MD5) and the key's fingerprint (50029), which will almost certainly be different on your machine.

From Kmaster-slave.+157+50029.private we will extract the shared key:
# cat Kmaster-slave.+157+50029.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: axdafafFTdafaCSDF090DSDs==

The key here is axdafafFTdafaCSDF090DSDs==; it will be different in your file. Keep track of this file;
we will need it for testing our configuration later.



On both the master and slave name server, create a new file called /var/named/chroot/etc/transfer.key with
the following contents:

key "master-slave." {
algorithm hmac-md5;
secret "axdafafFTdafaCSDF090DSDs==";
};

Protect the contents of the transfer.key so only the nameserver can read it and only root can write to it:
# chown root:named /var/named/chroot/etc/transfer.key
# chmod 640 /var/named/chroot/etc/transfer.key
# ln -s /var/named/chroot/etc/transfer.key /etc/transfer.key

In /var/named/chroot/etc/named.conf on both the master and slave server, add the following line at the very top of the file:

include "/etc/transfer.key";

On the slave server, prohibit all zone transfers from anywhere. Add the following line to your options block:

options {
...
allow-transfer { none; };
};

Slave DNS

# vi /etc/named.conf

Add the following lines (the server statement tells the slave to sign its requests to the master, 208.67.222.22, with the shared key):

include "/etc/transfer.key";
server 208.67.222.22 {
keys { master-slave.; };
};


On the master server, change the allow-transfer line in your options block so it appears as follows:
# vi /etc/named.conf

include "/etc/transfer.key";
options {
listen-on port 53 { 127.0.0.1; 192.168.1.1; 208.67.222.22; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
query-source port 53;
query-source-v6 port 53;
allow-query { localhost; any; };
allow-transfer { key master-slave.; };
allow-notify { 208.67.222.23; };
version "Bind";
};

Now restart named on both servers.
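As an added configuration check (example code, not from the original post), a small Python lint over named.conf fragments laid out as above: it checks that each TSIG secret decodes to the key length its algorithm needs, and that every allow-transfer or server keys ACL is closed (no `any`) and references a key that is actually defined. The sample fragments and the secrets inside them are constructed for the example.

```python
import base64
import re

# Added example (not code from the original post): lint the named.conf fragments
# built above. Secrets must decode to the algorithm's key length; allow-transfer
# and server keys ACLs must not be open and must reference a defined key.
EXPECTED_BYTES = {"hmac-md5": 16, "hmac-sha256": 32}  # 128-bit / 256-bit keys
KEY_RE = re.compile(r'\bkey\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;'
                    r'\s*secret\s+"([^"]*)"\s*;\s*\}\s*;')
ACL_RE = re.compile(r'\b(allow-transfer|keys)\s*\{([^}]*)\}')

def norm(name):  # TSIG key names are DNS names: case-insensitive, trailing dot optional
    return name.lower().rstrip(".")

def lint(conf):
    """Return a list of findings; an empty list means the fragment passes."""
    findings, keys = [], set()
    for name, alg, secret in KEY_RE.findall(conf):
        alg = alg.lower()
        keys.add(norm(name))
        if alg not in EXPECTED_BYTES:
            findings.append(f"key {name}: unsupported algorithm {alg}")
            continue
        try:
            raw = base64.b64decode(secret, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append(f"key {name}: secret is not valid base64")
            continue
        if len(raw) != EXPECTED_BYTES[alg]:
            findings.append(f"key {name}: {len(raw) * 8}-bit secret, "
                            f"expected {EXPECTED_BYTES[alg] * 8}")
    for stmt, body in ACL_RE.findall(conf):
        tokens = body.replace(";", " ").split()
        if stmt == "allow-transfer" and "any" in tokens:
            findings.append("allow-transfer is open to any host")
        # server { keys { NAME; }; } lists bare names; allow-transfer uses "key NAME"
        names = tokens if stmt == "keys" else [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == "key"]
        findings += [f"{stmt} references undefined key {n}" for n in names if norm(n) not in keys]
    return findings

# Constructed fragments in the page's layout; the secrets are made-up values.
GOOD_MASTER = '''key "master-slave." { algorithm hmac-md5; secret "MDEyMzQ1Njc4OWFiY2RlZg=="; };
options { allow-transfer { key master-slave.; }; };'''
BAD_MASTER = '''key "master-slave." { algorithm hmac-md5; secret "MDEyMzQ1Njc4OWFiY2Rl"; };
options { allow-transfer { any; }; };
server 208.67.222.23 { keys { xfer-key.; }; };'''

if __name__ == "__main__":
    for fragment in (GOOD_MASTER, BAD_MASTER):
        print(lint(fragment) or ["ok"])
```

The bad fragment shows the three mistakes the page's procedure is designed to avoid: a short secret, an open allow-transfer, and a key name that does not match the key block.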

Comments 

0 #1 sysAdmin 2010-07-21 03:30
I've found a great DNS scanner that can locate any DNS server at your network (multi-subnet); it can also test if the DNS is answering anyone's requests or not.
You can get it here: softpedia.com/.../...