Homelab - Configure DNSSEC on CentOS7
For my next project I decided to configure DNSSEC for my local DNS, which is documented in my previous post. Don’t ask me why I chose to set up DNSSEC on a non-public-facing authoritative caching DNS server; why do we do anything in the first place, right? :relieved:
Honestly, it sounded like an interesting configuration and I was really curious about how this implementation secures DNS data. So let’s start!
DNSSEC stands for Domain Name System Security Extensions and strengthens DNS authentication by using digital signatures based on public key cryptography. In order to understand why DNSSEC is needed you must have a good idea of how DNS works; you can find a basic introduction here, or a very detailed one all around the internet.
DNSSEC was introduced because, when DNS was designed in the 80’s, there was not much discussion going on about security. With DNSSEC enabled, it is the actual DNS data that is cryptographically signed by the zone owner, and every DNS zone gets its own public/private key pair. The private key is used to sign the zone and is kept secret, unlike the public key, which is published in the zone so that anyone can retrieve it and validate the authenticity of the signed records.
The most common example of why DNS security is nowadays more than needed is the “man in the middle attack”, where an infected server, not with the flu of course but by poisoning (like this is more helpful :astonished:), is sending us to a malicious website that looks like our web banking but actually isn’t. This is called DNS spoofing (a.k.a. DNS cache poisoning).
I won’t go into more detail on the different records and signatures introduced by DNSSEC, like RRSIG, NSEC etc., because, as I keep saying, there are tons of great tutorials where those records are explained, and I will go straight to documenting my own DNSSEC configuration.
Enough said about DNSSEC, time to roll up our sleeves and do the actual work!
We’ve already configured our own DNS server, and on CentOS 7 our zone files should be located in /var/named/, which is the default path. This folder should have at least two files:
- FWD Zone: homelab.home.zone
- REV Zone: 0.0.10.in-addr.arpa
Let’s now create a Zone Signing Key (ZSK) public/private pair for both the forward and the reverse zone. Inside the default path /var/named/ run:
Let’s move on by creating the Key Signing Key (KSK) pair:
Our directory should now have 4 keys: one public/private ZSK pair and one KSK pair. Now, to make our zones use DNSSEC, we have to add the public keys, which contain the DNSKEY records, to both the forward and the reverse zone file. As we said earlier, only the public keys should be appended, never the private ones:
Open your zones and take a look at the keys added at the end!
Finally, let’s sign the zones using the dnssec-signzone command:
As a result of the above commands, two more files with a .signed extension are now present in our default path.
Master Configuration File
Now that we have our signed zones we need to enable DNSSEC in the master configuration file and use the newly signed zone files instead of the old ones.
Open /etc/named.conf and add these three lines in the options block:
and in the zone section replace the old, unsigned zone files with the .signed ones.
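What the two edits to /etc/named.conf look like together, as an added example rather than the configuration from the original post. The zone and file names are taken from the /var/named listing above; the paths, the `allow-update` lines and the `dnssec-enable`/`dnssec-validation` settings are assumptions for a BIND 9.9 master on CentOS 7 (many guides of that era also add `dnssec-lookaside auto`, but the DLV registry it relies on has since been retired, so it is left out here):

```conf
options {
    directory "/var/named";
    // ... existing options (listen-on, allow-query, recursion ...) stay as they were

    // serve DNSSEC records (DNSKEY, RRSIG, NSEC3) for the zones we host
    dnssec-enable yes;
    // validate signatures on answers this resolver obtains from others
    dnssec-validation yes;
};

// point each zone at the .signed output of dnssec-signzone, not the source file
zone "homelab.home" IN {
    type master;
    file "homelab.home.zone.signed";
    allow-update { none; };
};

zone "0.0.10.in-addr.arpa" IN {
    type master;
    file "0.0.10.in-addr.arpa.signed";
    allow-update { none; };
};
```

Run `named-checkconf /etc/named.conf` before restarting: a typo in the options block is the quickest way to end up with the SERVFAIL answers described below.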
In order to activate the new configuration we have to restart bind:
Now let’s query our DNS and check the response. We will use +rrcomments, introduced in BIND 9.9, instead of +multi.
If everything is configured correctly we should receive a reply which looks like:
If for any reason DNSSEC isn’t configured correctly, we will get a SERVFAIL return code without any DNS data.
(Semi)Automatic Zone Signing
So we need a way to do as little manual work as possible. In my previous local DNS configuration post I didn’t document how to reload the fwd or rev zones after adding new domain entries, because I wanted to introduce the scripts I put together after searching around the internet.
I’m using 2 simple scripts that handle the serial number increment and the zone signing. We still have to edit the zones and add our entries manually, but another script, to follow in a later post, will automate that task too.
Those scripts need two parameters in order to run successfully:
I will edit my fwd zone and add an entry for my homelab NAS. I won’t change the serial number, so as to check whether the script will do that work for me.
Let’s run our script and take a look at the output.
Success! Our serial number is incremented by 1, our forward zone is reloaded without any problems and our new entry is resolvable. :man_dancing:
Let me point out here that in a real world scenario you will probably want to also increment the year, month and day and not only the number of changes done in the file, but again the format of the serial number is flexible and sysadmins treat it differently.
Also, in a production environment a cron job should be configured to re-sign the zones every 3-4 days in order to prevent attempts at recomputing the hashed information of a zone file (zone walking).
For example, if you want to sign your zones every 4 days, add these lines to your crontab file:
The benefits of DNSSEC cannot have their complete effect unless all DNS resolvers adopt it and create a more secure internet experience for each and everyone.
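The whole procedure from this post in one script, as an added example that is not the author's own pair of scripts: key generation and DNSKEY publication (the manual steps above), the serial bump and re-signing the two scripts perform, and the dig check for RRSIGs. Everything here is an assumption about the environment: the script name `sign_zone.sh`, the `/var/named` layout and `K<zone>.+<alg>+<id>.key` key file names (BIND 9.9 defaults), a working `rndc` key, `named` listening on 127.0.0.1, and the key sizes and NSEC3 salt. It also goes slightly beyond the post's "+1" serial rule: a `YYYYMMDDnn` serial from an earlier day restarts at today's date, otherwise it is incremented by 1.

```shell
#!/bin/sh
# sign_zone.sh - added example, not the blog's own scripts.
# Bumps the SOA serial, creates a ZSK/KSK pair on first use, publishes the
# public keys, signs the zone with NSEC3 and reloads it in BIND.
# Assumes the CentOS 7 layout (/var/named), BIND 9.9 tools on PATH and rndc access.
# Usage: sign_zone.sh <zone-name> <zone-file>   e.g. homelab.home homelab.home.zone
set -eu

NAMED_DIR="${NAMED_DIR:-/var/named}"   # assumption: keys and zone files live here

# Print the SOA serial: the first all-digit token after the "SOA" keyword,
# whether the record is on one line or spread over several.
current_serial() {
    awk '{ if (!start) { for (i = 1; i <= NF; i++) if ($i == "SOA") { start = i + 1; break } }
           if (!start) next
           for (i = start; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit }
           start = 1 }' "$1"
}

# Next serial. A YYYYMMDDnn serial from an earlier day restarts at today + "01";
# anything else (or a same-day change) is incremented by 1, as in the post.
next_serial() {
    cur=$1; today=$2          # today as YYYYMMDD, passed in so the rule is testable
    case $cur in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])
            if [ "${cur%??}" -lt "$today" ]; then echo "${today}01"; return 0; fi ;;
    esac
    echo $((cur + 1))
}

# Replace the first token equal to the old serial with the new one, in place.
set_serial() {
    awk -v old="$2" -v new="$3" '
        !done { for (i = 1; i <= NF; i++) if ($i == old) { $i = new; done = 1; break } }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Generate a ZSK and a KSK only once; dnssec-keygen writes K<zone>.+<alg>+<id>.key
# and .private into the current directory. -r /dev/urandom avoids blocking on entropy.
ensure_keys() {
    for k in K"$1".+*.key; do
        [ -e "$k" ] && return 0
    done
    dnssec-keygen -r /dev/urandom -a RSASHA256 -b 2048 -n ZONE "$1"
    dnssec-keygen -r /dev/urandom -a RSASHA256 -b 4096 -n ZONE -f KSK "$1"
}

# Publish only the public keys (the DNSKEY records) in the unsigned zone, via
# $INCLUDE lines, so re-running the script never appends duplicates.
include_keys() {
    for k in K"$1".+*.key; do
        grep -qF "\$INCLUDE $k" "$2" || printf '$INCLUDE %s\n' "$k" >> "$2"
    done
}

# Sign with a fresh NSEC3 salt; output goes to <zone-file>.signed. The signing keys
# are found from the DNSKEY records in the zone and the matching .private files.
sign_zone() {
    salt=$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')
    dnssec-signzone -3 "$salt" -o "$1" -t "$2"
}

main() {
    zone=$1; file=$2
    cd "$NAMED_DIR"
    old=$(current_serial "$file")
    new=$(next_serial "$old" "$(date +%Y%m%d)")
    set_serial "$file" "$old" "$new"
    ensure_keys "$zone"
    include_keys "$zone" "$file"
    named-checkzone "$zone" "$file" >/dev/null     # syntax check before signing
    sign_zone "$zone" "$file"
    rndc reload "$zone"
    # Same check as the dig query in the post: a DNSSEC answer carries RRSIG records.
    if dig @127.0.0.1 +dnssec +rrcomments "$zone" SOA | grep -q RRSIG; then
        echo "$zone: serial $old -> $new, signed and reloaded"
    else
        echo "$zone: no RRSIG in the answer, check named.conf and the logs" >&2; exit 1
    fi
}

if [ "$#" -eq 2 ]; then main "$@"; fi
```

For the 4-day re-signing schedule mentioned above, the same script can be driven from root's crontab with one line per zone, for example `0 3 */4 * * /usr/local/bin/sign_zone.sh homelab.home homelab.home.zone` (the path is an assumption); because it regenerates the NSEC3 salt on every run and renews the RRSIG validity window, a scheduled run is what keeps the zone both walk-resistant and valid.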
Until my next post and as Dr Wallace Breen says in Half-Life 2.. Be wise. Be safe. Be aware!