Install Bind as an authoritative DNS server

Revision as of 10:01, 21 August 2016 by Vincent (talk | contribs) (Reload and test config)


Install

# apt install bind9

Configure

Hide version

The version string can be useful to an attacker searching for known vulnerabilities in your server. Let's make their life more difficult by hiding it.

Note that this is not an excuse to run old, vulnerable software. The goal is only to slow down an attacker when a new security exploit is published, so that you have enough time to update before getting pwned.

To prevent the version from being returned, edit the file /etc/bind/named.conf.options and add the version line:

options {
    version "";
}

Response Rate Limiting (RRL)

DNS servers can be abused to perform DoS attacks on innocent third parties. There are several issues with that:

  • the attacker wastes your bandwidth while attacking other servers
  • the victim sees you as the source of the attack. You can then end up on blacklists, which will be an issue for you
  • you make DoS attacks easier for attackers and contribute to the problem

For more details, read the quick introduction to response rate limiting from ISC (Bind author).

Rate limiting renders such attacks ineffective while still answering legitimate queries. To enable it, add the rate-limit block to the file /etc/bind/named.conf.options:

options {

        rate-limit {
                responses-per-second 10;
                exempt-clients { 127.0.0.1; ::1; };
        };

}

Listen on public IP

By default, Bind will only reply to queries from localhost. To use it as an authoritative server, you must make it listen on a public IP. Once again the file to modify is /etc/bind/named.conf.options

options {

        listen-on { any; };
        listen-on-v6 { any; };
        allow-recursion { 127.0.0.1; ::1; };

}

The 3 options to modify are (these should already be there in the file):

  • listen-on: List of IPv4 addresses to listen on. any; means all of them. Otherwise you can list IPs: listen-on { 203.0.113.23; 127.0.0.1; };
  • listen-on-v6: Same as above for IPv6 addresses
  • allow-recursion: IPs to which the server will answer recursive queries (queries for which it needs to contact other servers to get the response). This must never contain any public IP.

Firewall

Bind will listen on port 53, on both TCP and UDP. Assuming that you configured nftables as described, you can edit the file /etc/nftables/main_config.conf and add

# Bind
add element  inet main  tcp_port_in { 53 }
add element  inet main  udp_port_in { 53 }

and activate it using

$ sudo /etc/nftables/reload_main.conf

Reload Configuration

Bind9 can be told to reload its configuration using

# rndc reload

Warning: This command works asynchronously. It is recommended to verify that everything went fine using

# systemctl status bind9.service
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled)
  Drop-In: /run/systemd/generator/bind9.service.d
           └─50-insserv.conf-$named.conf
   Active: active (running) since Mon 2016-08-08 19:30:41 UTC; 1 weeks 5 days ago
     Docs: man:named(8)
  Process: 6086 ExecStop=/usr/sbin/rndc stop (code=exited, status=0/SUCCESS)
 Main PID: 6091 (named)
   CGroup: /system.slice/bind9.service
           └─6091 /usr/sbin/named -f -u bind

Aug 21 09:10:12 server.example.org named[6091]: zone example.org/IN (signed): reconfiguring zone keys
Aug 21 09:10:12 server.example.org named[6091]: zone example.org/IN (signed): next key event: 21-Aug-2016 10:10:12.300
Aug 21 09:10:12 server.example.org named[6091]: reloading zones succeeded
Aug 21 09:10:12 server.example.org named[6091]: all zones loaded
Aug 21 09:10:12 server.example.org named[6091]: zone example.org/IN (unsigned): loaded serial 2016082100
Aug 21 09:10:12 server.example.org named[6091]: running
Aug 21 09:10:12 server.example.org named[6091]: zone example.org/IN (signed): serial 2016082100 (unsigned 2016082100)
Aug 21 09:10:12 server.example.org named[6091]: zone example.org/IN (signed): sending notifies (serial 2016082100)
Aug 21 09:10:12 server.example.org named[6091]: client 203.0.113.199#38278 (example.org): transfer of 'example.org/IN': IXFR started
Aug 21 09:10:12 server.example.org named[6091]: client 203.0.113.199#38278 (example.org): transfer of 'example.org/IN': IXFR ended

This will show you the last lines of the log. If anything went wrong, it should appear in red.

Test for open recursion

Open recursive DNS servers are really BAD. You can test your server at http://openresolver.com.
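Besides the web check, you can verify both the hidden version (Hide version section above) and the absence of open recursion from the command line. The following script is an added example, not part of this wiki page: it builds raw DNS packets itself (no third-party library), and SERVER is a placeholder you replace with your own server's address. It asks for version.bind in class CHAOS and for a foreign name with the RD bit set; with the configuration above, the first should come back refused or empty and the second should be REFUSED without the RA flag.

```python
import socket
import struct
SERVER = "192.0.2.53"  # placeholder: replace with your own server's address

def build_query(name, qtype, qclass, rd):
    """Minimal DNS query: 12-byte header, one question, no EDNS."""
    hdr = struct.pack(">HHHHHH", 0x1234, 0x0100 if rd else 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split(".")) + b"\x00"
    return hdr + qname + struct.pack(">HH", qtype, qclass)
def _skip_name(buf, off):  # offset just past a (possibly compressed) domain name
    while True:
        n = buf[off]
        if n & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        if n == 0:
            return off + 1
        off += 1 + n

def parse_response(resp):
    """Extract rcode, RA flag, answer count and the first TXT string (if any)."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):  # skip the question section
        off = _skip_name(resp, off) + 4
    txt = None
    if an:
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        data = resp[off + 10:off + 10 + rdlen]
        if rtype == 16 and rdlen:  # TXT rdata: <len><chars>
            txt = data[1:1 + data[0]].decode(errors="replace")
    return {"rcode": flags & 0xF, "ra": bool(flags & 0x80), "ancount": an, "txt": txt}

def version_hidden(resp):  # refused, unanswered or empty TXT all count as hidden
    r = parse_response(resp)
    return r["rcode"] != 0 or r["ancount"] == 0 or not r["txt"]

def recursion_open(resp):  # RA advertised, or a foreign name actually resolved
    r = parse_response(resp)
    return r["ra"] or (r["rcode"] == 0 and r["ancount"] > 0)

def query(server, pkt):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(pkt, (server, 53))
        return s.recv(4096)

if __name__ == "__main__":
    v = query(SERVER, build_query("version.bind", 16, 3, False))   # TXT, class CHAOS
    r = query(SERVER, build_query("www.example.com", 1, 1, True))  # A, class IN, RD set
    print("version hidden:", version_hidden(v), "| open recursion:", recursion_open(r))
```

Run it from a host outside allow-recursion (not from the server itself, since 127.0.0.1 is exempt), otherwise the recursion check is meaningless.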

Adding a domain

Warning: This page is a work in progress and is not complete. Important information might be missing or wrong.