Transaction Signatures (TSIG, RFC 8945) authenticate DNS messages exchanged
between two parties that share a secret: the sender appends an HMAC over the
message and the receiver verifies it before acting. They are used to protect
zone transfers (AXFR/IXFR) and NOTIFY between a primary and its secondaries,
and to authorize dynamic updates (nsupdate), as this walkthrough shows. TSIG
is not mandatory, and many organizations rely on IP-address ACLs between name
servers; but an address can be spoofed or reused by a compromised host on the
same network, and an ACL cannot tell that host from the real secondary. With
DNS an increasingly common target, TSIG is the recommended design for every
transfer and update path.
# Create the TSIG key on the master with dnssec-keygen. The key name ("master") must match the key statement on both servers. hmac-md5 is kept here only to match the transcript; it is deprecated, so for a new deployment use `-a HMAC-SHA256 -b 256` (or `tsig-keygen -a hmac-sha256 master` on newer BIND releases).
[root@master ~]# dnssec-keygen -a hmac-md5 -b 128 -n USER master
Kmaster.+157+64468
[root@master ~]#
[root@master ~]# ls -l
total 12
-rw-------. 1 root root 1267 Dec 24 22:54 anaconda-ks.cfg
-rw-------. 1 root root 48 Feb 18 11:10 Kmaster.+157+64468.key
-rw-------. 1 root root 165 Feb 18 11:10 Kmaster.+157+64468.private
[root@master ~]#
# Inspect the generated .key file. The base64 string at the end of the KEY record is the shared secret and is all either side needs, so treat it like a password: keep the 0600 permissions shown above, copy it to the slave over an authenticated channel (scp/ssh), and never paste it into tickets or posts — the value below is now public and must not be reused.
[root@master ~]# cat Kmaster.+157+64468.key
master. IN KEY 0 3 157 rq1lO2vG1/9xT1R+k79G+w==
[root@master ~]#
# Add the key statement to /etc/named.conf on the master and reference it from the ACLs. Keying allow-update alone only protects dynamic updates; for TSIG to protect zone transfers as well, allow-transfer must list `key master.;` rather than the slave's IP address.
[root@master ~]# vim /etc/named.conf
[root@master ~]# cat /etc/named.conf
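//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
        listen-on port 53 { 127.0.0.1; 192.168.10.2; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        // NOTE(review): allow-query also governs the slave's SOA refresh
        // queries; if zone refresh is REFUSED in your setup, add "key master.;"
        // (or the slave's address) here.
        allow-query { localhost; };
        // Require a valid TSIG signature (key "master.") on AXFR/IXFR requests
        // instead of trusting the secondary's source address, which can be
        // spoofed or reused by another host on the subnet. The secondary signs
        // its requests through its "server 192.168.10.2 { keys { master.; }; };"
        // statement. Unsigned local debugging transfers (dig axfr @localhost)
        // are refused; pass the key with "dig -y" when you need one.
        allow-transfer { key master.; };
        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion no;
        // dnssec-enable yes;
        // dnssec-validation yes;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
// Shared TSIG secret. Anyone holding it can push dynamic updates and pull
// zone transfers, so keep named.conf unreadable to unprivileged users (or move
// this statement into a separate root:named 0640 file pulled in with
// "include"). hmac-md5 is retained only because the key above was generated
// with it; regenerate with hmac-sha256 when the key is rotated.
key master. {
        algorithm hmac-md5;
        secret "rq1lO2vG1/9xT1R+k79G+w==";
};
zone "." IN {
        type hint;
        file "named.ca";
};
zone "zmailtech.com" IN {
        type master;
        file "zmailtech.com.zone";
        // Never "any": that lets every host on the network rewrite the zone.
        // Only updates carrying a valid "master." TSIG signature are accepted.
        allow-update { key master.; };
};
zone "10.168.192.in-addr.arpa" IN {
        type master;
        file "10.168.192.zone";
        // No allow-update, so this reverse zone stays static (the default).
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";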
[root@master ~]#
# Validate the configuration with `named-checkconf /etc/named.conf` first (a syntax error would otherwise take the server down on restart), then restart named on the master; `rndc reconfig` is enough for a configuration-only change.
[root@master ~]# systemctl restart named
# Add the same key statement to the slave's /etc/named.conf, plus a server statement so that every request the slave sends to 192.168.10.2 (SOA refresh, AXFR/IXFR) is signed with the key.
[root@slave ~]# vim /etc/named.conf
[root@slave ~]# cat /etc/named.conf
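//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
        listen-on port 53 { 127.0.0.1; 192.168.10.20; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        // "any" already includes localhost. Open queries are acceptable only
        // because this is an authoritative-only server (recursion is off
        // below), so it cannot be abused as an open resolver.
        allow-query { localhost; any; };
        // This server has no secondaries of its own. Without this line the
        // default in this BIND version is to answer AXFR from any host, which
        // hands the complete zone contents to anyone who asks.
        allow-transfer { none; };
        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion no;
        // dnssec-enable yes;
        // dnssec-validation yes;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
// Must be identical (name, algorithm, secret) to the key statement on the
// master. Both hosts' clocks must also agree within the TSIG fudge window
// (300 s by default) or every signed exchange fails with BADTIME.
key master. {
        algorithm hmac-md5;
        secret "rq1lO2vG1/9xT1R+k79G+w==";
};
// Sign every request this server sends to the master (SOA refresh, AXFR/IXFR)
// with "master."; this is what allows the master to restrict allow-transfer
// to the key instead of to this host's IP address.
server 192.168.10.2 {
        keys { master.; };
};
zone "." IN {
        type hint;
        file "named.ca";
};
zone "zmailtech.com" IN {
        type slave;
        masters { 192.168.10.2; };
        file "slaves/zmailtech.com";
};
zone "10.168.192.in-addr.arpa" IN {
        type slave;
        masters { 192.168.10.2; };
        file "slaves/10.168.192.zone";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";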
[root@slave ~]#
# Validate with `named-checkconf /etc/named.conf` and restart named on the slave; then watch the named log for "transfer ... started/completed" or any TSIG error (BADKEY/BADSIG/BADTIME).
[root@slave ~]# systemctl restart named
# Confirm that server15.zmailtech.com does not exist yet (expect NXDOMAIN) on the master and on the slave.
[root@master ~]# dig server15.zmailtech.com
; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> server15.zmailtech.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51210
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;server15.zmailtech.com. IN A
;; AUTHORITY SECTION:
zmailtech.com. 10800 IN SOA ns1.zmailtech.com. admin.zmailtech.com. 2018021002 86400 3600 604800 10800
;; Query time: 0 msec
;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Sun Feb 18 11:28:57 IST 2018
;; MSG SIZE rcvd: 97
[root@master ~]#
# Add the A record with nsupdate, signing the update with the TSIG key. Typing the secret at the `key` prompt works but exposes it on screen; `nsupdate -k Kmaster.+157+64468.private` reads it from the 0600 file instead. Because the zone has `allow-update { key master.; }`, an unsigned update is refused.
[root@master ~]# nsupdate -v
> server 192.168.10.2
> zone zmailtech.com
> key master. rq1lO2vG1/9xT1R+k79G+w==
> update add server15.zmailtech.com. 3600 IN A 192.168.10.15
> show
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;zmailtech.com. IN SOA
;; UPDATE SECTION:
server15.zmailtech.com. 3600 IN A 192.168.10.15
> send
> quit
[root@master ~]#
# Check server15.zmailtech.com A record in master server.
[root@master ~]# dig server15.zmailtech.com
; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> server15.zmailtech.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34698
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;server15.zmailtech.com. IN A
;; ANSWER SECTION:
server15.zmailtech.com. 3600 IN A 192.168.10.15
;; AUTHORITY SECTION:
zmailtech.com. 86400 IN NS ns1.zmailtech.com.
;; ADDITIONAL SECTION:
ns1.zmailtech.com. 86400 IN A 192.168.10.2
;; Query time: 1 msec
;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Sun Feb 18 15:06:45 IST 2018
;; MSG SIZE rcvd: 101
[root@master ~]#
# Confirm the record replicated to the slave. After the dynamic update the master sends NOTIFY (BIND's default) and the slave pulls the change with a TSIG-signed transfer; if the record does not appear, check the slave's named log for a refresh or TSIG error.
[root@slave ~]# dig server15.zmailtech.com
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> server15.zmailtech.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56647
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;server15.zmailtech.com. IN A
;; ANSWER SECTION:
server15.zmailtech.com. 3600 IN A 192.168.10.15
;; AUTHORITY SECTION:
zmailtech.com. 86400 IN NS ns1.zmailtech.com.
;; ADDITIONAL SECTION:
ns1.zmailtech.com. 86400 IN A 192.168.10.2
;; Query time: 0 msec
;; SERVER: 192.168.10.20#53(192.168.10.20)
;; WHEN: Sun Feb 18 15:06:11 IST 2018
;; MSG SIZE rcvd: 101
[root@slave ~]#
# Create the TSIG key on the master with dnssec-keygen. The key name ("master") must match the key statement on both servers. hmac-md5 is kept here only to match the transcript; it is deprecated, so for a new deployment use `-a HMAC-SHA256 -b 256` (or `tsig-keygen -a hmac-sha256 master` on newer BIND releases).
[root@master ~]# dnssec-keygen -a hmac-md5 -b 128 -n USER master
Kmaster.+157+64468
[root@master ~]#
[root@master ~]# ls -l
total 12
-rw-------. 1 root root 1267 Dec 24 22:54 anaconda-ks.cfg
-rw-------. 1 root root 48 Feb 18 11:10 Kmaster.+157+64468.key
-rw-------. 1 root root 165 Feb 18 11:10 Kmaster.+157+64468.private
[root@master ~]#
# Inspect the generated .key file. The base64 string at the end of the KEY record is the shared secret and is all either side needs, so treat it like a password: keep the 0600 permissions shown above, copy it to the slave over an authenticated channel (scp/ssh), and never paste it into tickets or posts — the value below is now public and must not be reused.
[root@master ~]# cat Kmaster.+157+64468.key
master. IN KEY 0 3 157 rq1lO2vG1/9xT1R+k79G+w==
[root@master ~]#
# Add the key statement to /etc/named.conf on the master and reference it from the ACLs. Keying allow-update alone only protects dynamic updates; for TSIG to protect zone transfers as well, allow-transfer must list `key master.;` rather than the slave's IP address.
[root@master ~]# vim /etc/named.conf
[root@master ~]# cat /etc/named.conf
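//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
        listen-on port 53 { 127.0.0.1; 192.168.10.2; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        // NOTE(review): allow-query also governs the slave's SOA refresh
        // queries; if zone refresh is REFUSED in your setup, add "key master.;"
        // (or the slave's address) here.
        allow-query { localhost; };
        // Require a valid TSIG signature (key "master.") on AXFR/IXFR requests
        // instead of trusting the secondary's source address, which can be
        // spoofed or reused by another host on the subnet. The secondary signs
        // its requests through its "server 192.168.10.2 { keys { master.; }; };"
        // statement. Unsigned local debugging transfers (dig axfr @localhost)
        // are refused; pass the key with "dig -y" when you need one.
        allow-transfer { key master.; };
        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion no;
        // dnssec-enable yes;
        // dnssec-validation yes;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
// Shared TSIG secret. Anyone holding it can push dynamic updates and pull
// zone transfers, so keep named.conf unreadable to unprivileged users (or move
// this statement into a separate root:named 0640 file pulled in with
// "include"). hmac-md5 is retained only because the key above was generated
// with it; regenerate with hmac-sha256 when the key is rotated.
key master. {
        algorithm hmac-md5;
        secret "rq1lO2vG1/9xT1R+k79G+w==";
};
zone "." IN {
        type hint;
        file "named.ca";
};
zone "zmailtech.com" IN {
        type master;
        file "zmailtech.com.zone";
        // Never "any": that lets every host on the network rewrite the zone.
        // Only updates carrying a valid "master." TSIG signature are accepted.
        allow-update { key master.; };
};
zone "10.168.192.in-addr.arpa" IN {
        type master;
        file "10.168.192.zone";
        // No allow-update, so this reverse zone stays static (the default).
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";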
[root@master ~]#
# Validate the configuration with `named-checkconf /etc/named.conf` first (a syntax error would otherwise take the server down on restart), then restart named on the master; `rndc reconfig` is enough for a configuration-only change.
[root@master ~]# systemctl restart named
# Add the same key statement to the slave's /etc/named.conf, plus a server statement so that every request the slave sends to 192.168.10.2 (SOA refresh, AXFR/IXFR) is signed with the key.
[root@slave ~]# vim /etc/named.conf
[root@slave ~]# cat /etc/named.conf
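//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
        listen-on port 53 { 127.0.0.1; 192.168.10.20; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        // "any" already includes localhost. Open queries are acceptable only
        // because this is an authoritative-only server (recursion is off
        // below), so it cannot be abused as an open resolver.
        allow-query { localhost; any; };
        // This server has no secondaries of its own. Without this line the
        // default in this BIND version is to answer AXFR from any host, which
        // hands the complete zone contents to anyone who asks.
        allow-transfer { none; };
        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion no;
        // dnssec-enable yes;
        // dnssec-validation yes;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
// Must be identical (name, algorithm, secret) to the key statement on the
// master. Both hosts' clocks must also agree within the TSIG fudge window
// (300 s by default) or every signed exchange fails with BADTIME.
key master. {
        algorithm hmac-md5;
        secret "rq1lO2vG1/9xT1R+k79G+w==";
};
// Sign every request this server sends to the master (SOA refresh, AXFR/IXFR)
// with "master."; this is what allows the master to restrict allow-transfer
// to the key instead of to this host's IP address.
server 192.168.10.2 {
        keys { master.; };
};
zone "." IN {
        type hint;
        file "named.ca";
};
zone "zmailtech.com" IN {
        type slave;
        masters { 192.168.10.2; };
        file "slaves/zmailtech.com";
};
zone "10.168.192.in-addr.arpa" IN {
        type slave;
        masters { 192.168.10.2; };
        file "slaves/10.168.192.zone";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";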
[root@slave ~]#
# Validate with `named-checkconf /etc/named.conf` and restart named on the slave; then watch the named log for "transfer ... started/completed" or any TSIG error (BADKEY/BADSIG/BADTIME).
[root@slave ~]# systemctl restart named
# Confirm that server15.zmailtech.com does not exist yet (expect NXDOMAIN) on the master and on the slave.
[root@master ~]# dig server15.zmailtech.com
; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> server15.zmailtech.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51210
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;server15.zmailtech.com. IN A
;; AUTHORITY SECTION:
zmailtech.com. 10800 IN SOA ns1.zmailtech.com. admin.zmailtech.com. 2018021002 86400 3600 604800 10800
;; Query time: 0 msec
;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Sun Feb 18 11:28:57 IST 2018
;; MSG SIZE rcvd: 97
[root@master ~]#
# Add the A record with nsupdate, signing the update with the TSIG key. Typing the secret at the `key` prompt works but exposes it on screen; `nsupdate -k Kmaster.+157+64468.private` reads it from the 0600 file instead. Because the zone has `allow-update { key master.; }`, an unsigned update is refused.
[root@master ~]# nsupdate -v
> server 192.168.10.2
> zone zmailtech.com
> key master. rq1lO2vG1/9xT1R+k79G+w==
> update add server15.zmailtech.com. 3600 IN A 192.168.10.15
> show
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;zmailtech.com. IN SOA
;; UPDATE SECTION:
server15.zmailtech.com. 3600 IN A 192.168.10.15
> send
> quit
[root@master ~]#
# Check server15.zmailtech.com A record in master server.
[root@master ~]# dig server15.zmailtech.com
; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> server15.zmailtech.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34698
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;server15.zmailtech.com. IN A
;; ANSWER SECTION:
server15.zmailtech.com. 3600 IN A 192.168.10.15
;; AUTHORITY SECTION:
zmailtech.com. 86400 IN NS ns1.zmailtech.com.
;; ADDITIONAL SECTION:
ns1.zmailtech.com. 86400 IN A 192.168.10.2
;; Query time: 1 msec
;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Sun Feb 18 15:06:45 IST 2018
;; MSG SIZE rcvd: 101
[root@master ~]#
# Confirm the record replicated to the slave. After the dynamic update the master sends NOTIFY (BIND's default) and the slave pulls the change with a TSIG-signed transfer; if the record does not appear, check the slave's named log for a refresh or TSIG error.
[root@slave ~]# dig server15.zmailtech.com
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> server15.zmailtech.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56647
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;server15.zmailtech.com. IN A
;; ANSWER SECTION:
server15.zmailtech.com. 3600 IN A 192.168.10.15
;; AUTHORITY SECTION:
zmailtech.com. 86400 IN NS ns1.zmailtech.com.
;; ADDITIONAL SECTION:
ns1.zmailtech.com. 86400 IN A 192.168.10.2
;; Query time: 0 msec
;; SERVER: 192.168.10.20#53(192.168.10.20)
;; WHEN: Sun Feb 18 15:06:11 IST 2018
;; MSG SIZE rcvd: 101
[root@slave ~]#