{"id":2097,"date":"2019-02-25T18:15:53","date_gmt":"2019-02-26T00:15:53","guid":{"rendered":"https:\/\/www.lastdragon.net\/?p=2097"},"modified":"2019-02-25T18:22:49","modified_gmt":"2019-02-26T00:22:49","slug":"dnssec-que-es-y-configurandolo-en-bind9-en-centos-y-redhat-7-x","status":"publish","type":"post","link":"https:\/\/www.lastdragon.net\/?p=2097","title":{"rendered":"DNSSEC \u00bf Que es ? Y como se configura en Bind9 en CentOS y RedHat 7.x"},"content":{"rendered":"

Segun el articulo de ADSL ZONE –\u00a0Internet y sus usuarios necesitan DNSSEC, los ataques DNS no cesan<\/a><\/p>\n

Es requerido que la mayor\u00eda de sitios empiece a usar DNSSEC como complemento al https, pero\u2026<\/p>\n

\u00bf Que es DNSSEC y como funciona ?<\/strong><\/p>\n

DNSSEC es (Domain Name System Security Extensions<\/em>) es para el DNS algo similar a un parche que evita el DNS Spoofing<\/p>\n

se a\u00f1aden firmas digitales en las partes implicadas: dominio, en el registrar y en el servidor DNS. El navegador comprueba los servidores DNS, Si las firmas digitales p\u00fablicas que recibe coinciden con las publicadas en el registrar, el navegador dar\u00e1 por v\u00e1lida la solicitud evitando la redirecci\u00f3n a sitios maliciosos si las llaves no coinciden.<\/p>\n

Pasos para configurar un dominio en BIND9 usando CentOS o RedHat 7.x<\/strong><\/p>\n

En la carpeta donde esta el archivo .host del dominio o zona a segurar, para este ejemplo se usara el dominio lastdragon.net<\/p>\n

1 Generar llaves<\/strong><\/p>\n

dnssec-keygen -a RSASHA256 -b 4096 -n ZONE lastdragon.net
\ndnssec-keygen -f KSK -a RSASHA256 -b 4096 -n ZONE lastdragon.net<\/p><\/blockquote>\n

El resultado sera 4 archivos adicoiales ( Similares a estos )<\/p>\n

-rw-r–r– 1 root root 956 feb 25 18:48 Klastdragon.net.+007+02169.key
\n-rw——- 1 root root 3319 feb 25 18:48 Klastdragon.net.+007+02169.private
\n-rw-r–r– 1 root root 958 feb 25 18:48 Klastdragon.net.+007+24215.key
\n-rw——- 1 root root 3319 feb 25 18:48 Klastdragon.net.+007+24215.private<\/p>\n

2 el contenido de los archivos key va al final del archivo lastdragon.net.hosts<\/strong><\/p>\n

Se puede inyectar el contenido con un cat, asi:<\/p>\n

cat Klastdragon.net.+007+*.key >> lastdragon.net.hosts<\/p><\/blockquote>\n

3 Firmar la zona<\/strong><\/p>\n

dnssec-signzone -A -3 $(head -c 1000 \/dev\/random | sha256sum | cut -b 1-16) -N INCREMENT -o lastdragon.net -t lastdragon.net.hosts<\/p><\/blockquote>\n

El resultado sera similar a:<\/p>\n

Verifying the zone using the following algorithms: NSEC3RSASHA1.
\nZone fully signed:
\nAlgorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
\nZSKs: 1 active, 0 stand-by, 0 revoked
\nlastdragon.net.hosts.signed
\nSignatures generated: 27
\nSignatures retained: 0
\nSignatures dropped: 0
\nSignatures successfully verified: 0
\nSignatures unsuccessfully verified: 0
\nSigning time in seconds: 0.168
\nSignatures per second: 159.821
\nRuntime in seconds: 0.179<\/p>\n

4 named.conf<\/strong><\/p>\n

En las opciones del named.conf deben ir las siguientes 3 lineas:<\/p>\n

dnssec-enable yes;
\ndnssec-validation yes;
\ndnssec-lookaside auto;<\/p><\/blockquote>\n

ejemplo:<\/p>\n

acl recursive-clients { 127.0.0.1; };<\/p>\n

options {
\ndirectory “\/var\/named”;
\ndump-file “\/var\/named\/data\/cache_dump.db”;
\nstatistics-file “\/var\/named\/data\/named_stats.txt”;
\nmemstatistics-file “\/var\/named\/data\/named_mem_stats.txt”;<\/p>\n

allow-recursion { recursive-clients; };
\nallow-query { any; };<\/p>\n

\/*
\n– If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
\n– If you are building a RECURSIVE (caching) DNS server, you need to enable
\nrecursion.
\n– If your recursive DNS server has a public IP address, you MUST enable access
\ncontrol to limit queries to your legitimate users. Failing to do so will
\ncause your server to become part of large scale DNS amplification
\nattacks. Implementing BCP38 within your network would greatly
\nreduce such attack surface
\n*\/
\nrecursion yes;<\/p>\n

dnssec-enable yes;
\ndnssec-validation yes;
\ndnssec-lookaside auto;<\/p>\n

\/* Path to ISC DLV key *\/
\nbindkeys-file “\/etc\/named.iscdlv.key”;<\/p>\n

managed-keys-directory “\/var\/named\/dynamic”;<\/p>\n

pid-file “\/run\/named\/named.pid”;
\nsession-keyfile “\/run\/named\/session.key”;
\n};<\/p>\n

En la zone debe usarse el archivo hosts firmado ejemplo:<\/p>\n

zone “lastdragon.net” {
\ntype master;
\nfile “\/var\/named\/lastdragon.net.hosts.signed”;
\n};<\/p><\/blockquote>\n

5 Ir al registrar para agregar registros DS, el hash puede ser encontrado el archivo<\/strong><\/p>\n

dsset-lastdragon.net.<\/em><\/p>\n

La linea uno contendr\u00e1 algo como:<\/p>\n

lastdragon.net. IN DS 49405 8 1 696C71F1C410029346F309F45464F308A4F921AE<\/p><\/blockquote>\n

de esa linea:<\/p>\n

key-tag es 49405 el algoritmo que se uso fue sha256 tipo de digest sha1<\/em><\/p>\n

en el whois debe salir algo como:<\/p>\n

DNSSEC: signedDelegation
\nDNSSEC DS Data: 49405 8 1 696C71F1C410029346F309F45464F308A4F921AE<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"

Segun el articulo de ADSL ZONE –\u00a0Internet y sus usuarios necesitan DNSSEC, los ataques DNS no cesan Es requerido que la mayor\u00eda de sitios empiece a usar DNSSEC como complemento al https, pero\u2026 \u00bf Que es DNSSEC y como funciona ? DNSSEC es (Domain Name System Security Extensions) es para el DNS algo similar a…<\/p>\n","protected":false},"author":1,"featured_media":2101,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-2097","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-consultoria-y-manuales"],"_links":{"self":[{"href":"https:\/\/www.lastdragon.net\/index.php?rest_route=\/wp\/v2\/posts\/2097","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lastdragon.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.lastdragon.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.lastdragon.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lastdragon.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2097"}],"version-history":[{"count":6,"href":"https:\/\/www.lastdragon.net\/index.php?rest_route=\/wp\/v2\/posts\/2097\/revisions"}],"predecessor-version":[{"id":2105,"href":"https:\/\/www.lastdragon.net\/index.php?rest_route=\/wp\/v2\/posts\/2097\/revisions\/2105"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.lastdragon.net\/index.php?rest_route=\/wp\/v2\/media\/2101"}],"wp:attachment":[{"href":"https:\/\/www.lastdragon.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2097"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.lastdragon.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2097"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.lastdragon.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2097"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}