OPS535-online-L8
Contents
OPS535 Lab 8
Objectives
- Study the responses of DNSSec enabled DNS queries
- Configure an authoritative DNS server to provide DNS responses authenticated with DNSSec.
Pre-Requisites
- Complete Labs 1 through 4
- Access to your own CentOS 8.x VMs at home
- Access to your CentOS 8.x VMs in the OPS535 Virtual Lab
Important Notes
- For Investigation 1 and 2, you need to do it on your own CentOS 8.x VMs at home in order to access the real world root name servers and other authoritative DNS servers. If you do it on your VMs in the OPS535 Virtual Lab, your will not get the expected results as those DNS queries will be block by Seneca Internet Security Policies.
- For Investigation 3, you should do it on your VM2 in the Virtual Lab.
Investigation 1: Performing queries using DNSSec
Perform the following steps on your own pri-dns CentOS 8.x at home:
- Ensure you have bind-utils installed.
- Run the command dig senecacollege.ca
- You should get output similar to the following:
[rchan@pri-dns labs]$ dig senecacollege.ca @1.1.1.1 ; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8_3.1 <<>> senecacollege.ca @1.1.1.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33464 ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;senecacollege.ca. IN A ;; ANSWER SECTION: senecacollege.ca. 600 IN A 52.60.173.6 senecacollege.ca. 600 IN A 52.24.251.32 senecacollege.ca. 600 IN A 34.243.56.93 ;; Query time: 71 msec ;; SERVER: 1.1.1.1#53(1.1.1.1) ;; WHEN: Tue Mar 30 15:31:49 EDT 2021 ;; MSG SIZE rcvd: 93
- If you did not get the expected output, go back and ensure your machine has network connectivity to the Internet).
- Once you have a response, can you be sure it is reliable?
- Re-run the previous dig command, but this time add +dnssec to request authentication of the results using DNSSec.
[rchan@pri-dns labs]$ dig senecacollege.ca @1.1.1.1 +dnssec ; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8_3.1 <<>> senecacollege.ca @1.1.1.1 +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8403 ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 1232 ;; QUESTION SECTION: ;senecacollege.ca. IN A ;; ANSWER SECTION: senecacollege.ca. 600 IN A 52.24.251.32 senecacollege.ca. 600 IN A 52.60.173.6 senecacollege.ca. 600 IN A 34.243.56.93 ;; Query time: 54 msec ;; SERVER: 1.1.1.1#53(1.1.1.1) ;; WHEN: Tue Mar 30 15:34:45 EDT 2021 ;; MSG SIZE rcvd: 93
- Notice the addition of the flags: do flag (DNSSec Ok, that is the server we queried is willing to perform authentication), but no other difference in output. This information is not authenticated.
- Now we will run a query that does get authenticated:
- Run the following command (again you should get output similar to the following):
[rchan@pri-dns labs]$ dig isc.org @1.1.1.1 +dnssec ; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8_3.1 <<>> isc.org @1.1.1.1 +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20848 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 1232 ;; QUESTION SECTION: ;isc.org. IN A ;; ANSWER SECTION: isc.org. 60 IN A 149.20.1.66 isc.org. 60 IN RRSIG A 13 2 60 20210414183037 20210315174752 27566 isc.org. XA/axENwkfw6IP3mlRBFNz9TDt/ldecEixafcdUiPMay+4mUQ8D8vUF0 gm1MauongXELJ/Z7F2zv/2nqBmxeEg== ;; Query time: 131 msec ;; SERVER: 1.1.1.1#53(1.1.1.1) ;; WHEN: Tue Mar 30 15:38:05 EDT 2021 ;; MSG SIZE rcvd: 155
- Notice that in addition to the do flag, the answer to this query also has an ad flag (Authenticated Data), along with extra information in the answer itself (the RRSIG record). This result is authenticated.
- If you want to see this result without the DNSSec information, simply re-run the query without the +dnssec request.
Investigation 2: Configuring DNSSec on a Recursive Server
Perform the following steps as root on your co-nfs VM at home:
- Now that you can spot the differences between authenticated and non-authenticated data, it is time to configure your local recursive DNS server to perform authentication when your client machines request it.
- Simply set the dnssec-validation parameter in your /etc/named.conf file to yes (it is already set this way if you didn’t change it in an earlier lab).
- Note that this relies on your server also having the initial key it will use to authenticate the root name servers it communicates with.
- This can be found in /etc/named.root.key.
- These too are included by default when you first install bind. If they are not there, add the following lines to your options statement and restart your service:
include "/etc/named.root.key";
- Make sure your recursive DNS server is configured to be provide recursive answers to other machines in your network, and that it will allow traffic to udp/tcp port 53.
- All of this should have already been done, so long as you followed the instructions in previous labs, and didn’t deliberately break anything.
- Run the following command from one of your other VMs (making sure to use the ip address of your own DNS server):
[rchan@pri-dns labs]$ dig +tcp +dnssec @192.168.49.3 www.isc.org ; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8_3.1 <<>> +tcp +dnssec @192.168.49.3 www.isc.org ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36010 ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 5 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ; COOKIE: b1f53c789d90ba0859c27899606380f06b6af5f84015fff0 (good) ;; QUESTION SECTION: ;www.isc.org. IN A ;; ANSWER SECTION: www.isc.org. 60 IN CNAME dualstack.osff2.map.fastly.net. www.isc.org. 60 IN RRSIG CNAME 13 3 60 20210411023511 20210312021301 27566 isc.org. aFeIoEG41LGZbImJRBoefQpEWLab52AZ5YwvzWDrRhdQlTVVxyVOiRcT fnaq1mZluXtGjMhSwn/Bbtg1varpQw== dualstack.osff2.map.fastly.net. 30 IN A 151.101.126.217 ;; AUTHORITY SECTION: fastly.net. 172800 IN NS ns3.fastly.net. fastly.net. 172800 IN NS ns4.fastly.net. fastly.net. 172800 IN NS ns1.fastly.net. fastly.net. 172800 IN NS ns2.fastly.net. ;; ADDITIONAL SECTION: ns1.fastly.net. 172800 IN A 23.235.32.32 ns2.fastly.net. 172800 IN A 104.156.80.32 ns3.fastly.net. 172800 IN A 23.235.36.32 ns4.fastly.net. 172800 IN A 104.156.84.32 ;; Query time: 1259 msec ;; SERVER: 192.168.49.3#53(192.168.49.3) ;; WHEN: Tue Mar 30 15:50:08 EDT 2021 ;; MSG SIZE rcvd: 367
- Again, note the do and ad flags, along with the RRSIG record (and similar data for the nameservers in the isc.org domain).
- Your server is now able to request DNSSec records from other zones, and authenticate them.
Investigation 3: Configuring DNSSec on an Authoritative Server
Perform the following steps as root on your Vm1:
- Now that you know your nameserver is capable of performing authentication of other domains (so long as they are configured to provide authentication), it is time to set up authentication in your domain.
- First you need ot make sure that the named service is able to modify the zone files, as it will need to do so in order to add the RRSIG records it generates for your. This requires two things:
- The SELinux boolean named_write_master_zones must be set to on to (this should have already been done in a previous lab, and is currently the default setting).
- The named account must have write permission to hte /var/named directory. Again, this is currently the default setting, but double check that it is correct.
- If either of those settings is not configured correctly, fix them now.
- Install the haveged service to generate random values for your system.
- It can be found in the epel-release repo. Install that if you have not already done so.
- You would not have to use this service on a ‘real’ server, but our VMs will not have enough activity to provide normally random data within a reasonable time-frame.
- Start, but do not enable haveged service, as we will not need it on a regular basis. Anytime you need to re-generate the random keys from the next step, simply start the service.
- Next, we will use the dnssec-keygen command to generate two sets of paired keys.
- Create a directory at /etc/named/<yourdomain>-keys
- Making sure you replace <yourdomain> with the name of your domain
- Make sure it has that only root and the named service user can access it.
- cd into that directory so the keys you are about to generate get created there.
- First, to generate the Zone Signing Key (ZSK) that is used to sign individual records (make sure to use your own zone name):
dnssec-keygen -a RSASHA256 -b 1024 <yourzone>
- And to generate the Key Signing Key (KSK) that is used to create an RRSIG for your DNSKEY (the public half of the ZSK):
dnssec-keygen -a RSASHA256 -b 2048 -f KSK <yourzone>
- Note that the algorithm and number of bytes used here are current standards, but may change over time.
- Change the permissions on those files so that only root and the named service can read them.
- Create a directory at /etc/named/<yourdomain>-keys
- There are three parameters for bind that need to be set in order to sign your zones. The first two could be set in the options statement, but the third is only acceptable in a zone statement.
Our machines only have two zone statements (the forward and reverse lookups of your domain), so it won’t make a significant difference where we place them. If your server hosted multiple domains, the placement of these parameters would be something to consider:- Add the following lines to your two zones (again replacing <yourdomain> with the name of your domain):
key-directory “/etc/named/<yourdomain>-keys”; inline-signing yes; auto-dnssec maintain;
- Double check that the value you put in the key-directory parameter matches the directory you created your key files in.
- Make sure the dnssec-enable parameter in /etc/named.conf is set to yes so that your server will provide the extra DNSSec records if a client requests them.
- This is the default value, so unless you took it out, it should already be there.
- Note that this parameter is different from the dnssec-validation parameter which only controls whether or not your server will request those records from other servers when a client asks for them.
- Restart the named service. If you have dynamic DNS set up from the earlier labs, you can use named-journalprint to view the journal files for your zones in order to see the new records.
- In order to confirm that your server will provide the extra records when requested, use the dig command to obtain a zone transfer (including the DNSSec records) from your server:
- Making sure to replace <yourzone> with the name of your zone, and <ip-of-server> with the ip address of your server.
dig AXFR <yourzone> @<ip-of-server>
- Repeat the steps from this investigation so you have a signed copy of your reverse zone too.
- Normally, there would be a few more steps here to create an encrypted copy of your ZSK to provide to your parent zone as a DS record, but we will not be configuring that in this lab.
- Note that this means responses your server provides will not be ‘authenticated data’, and will not have the ad flag.
- You will be performing this final step in the next assignment.
Completing the Lab
Your DNS server is now capable of performing recursive queries using DNSSec when client machines request it. It has also been configured to provide the extra DNSSec records when clients request them. Note that it is not yet truly providing DNSSec answers, as it is not being authenticated through the domain above yours.
Follow the instructions on blackboard to submit the lab.