adv-dns-mod3-stealth

Advanced Module 3
Stealth Configurations
DNS Stealth Configurations

Stealth (aka DMZ, Split)
Definition:
Public and Private Resources (IP addresses
and services)
Separation of Public and Private
Protection of DNS Zone files
DNS - Stealth Configuration
DNS Stealth Configurations


Same Domain Name - Public and Private
zone files
Hidden Master
Slave Only Configuration
Secure Zone Transfers from Hidden Master
Private Clients want to query
Non-standard ports (ZT and Query)
Use of BIND9's view clause
NAT Gateway?
DNS - Hidden Master
DNS - Hidden Master


A Registered domain needs two or more
Name Servers
Resolver starts (1) at Root/TLD and follows
referrals (delegation)
Referrals (2) always go back to the
Resolver
Slaves (3) respond Authoritatively
Zone Transfers (4) - use IP/Crypto
controls with Non-standard ports
Master only visible to slaves
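The hidden-master arrangement on this slide (and the "Master (2) uses non-standard port Zone Transfer with crypto (TSIG)" step on the next one) written out as two named.conf fragments, one for the hidden master and one for a public slave. This is an added example, not configuration from the original slides: the master address 192.168.254.2, the slave addresses 192.168.2.3 and 192.168.2.4, the key name xfer-key and the all-zero placeholder secret are assumptions for illustration; port 2053 follows the slides.

```conf
// ---- Hidden master (2), host 192.168.254.2 (illustration address) ----
// Shared TSIG key. The secret below is a PLACEHOLDER (valid base64, all zeros);
// generate a real one with:  tsig-keygen -a hmac-sha256 xfer-key
// and keep it in a separate include file readable only by root/named.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
};

options {
    directory "/var/named";
    listen-on port 2053 { 192.168.254.2; };   // non-standard port: ordinary resolvers never find it
    recursion no;                              // authoritative only, no cache to poison
    allow-query { none; };                     // default-deny; the zone clause admits the slaves
    allow-transfer { none; };                  // default-deny; the zone clause admits signed transfers
    notify explicit;                           // notify the also-notify list only, not every NS record
    also-notify { 192.168.2.3 port 2053; 192.168.2.4 port 2053; };
};

zone "example.com" in {
    type master;
    file "public/example.com";                 // public zone file only; private data never leaves here
    allow-query { 192.168.2.3; 192.168.2.4; }; // IP control: slaves need SOA queries for serial checks
    allow-transfer { key "xfer-key"; };        // crypto control: AXFR/IXFR must carry a valid TSIG
};

// ---- Public slave (1), host 192.168.2.3 ----
key "xfer-key" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";   // same placeholder as the master
};

options {
    directory "/var/named";
    listen-on port 53 { 192.168.2.3; };        // public, authoritative answers
    listen-on port 2053 { 192.168.2.3; };      // receives NOTIFY from the hidden master
    recursion no;
    allow-transfer { none; };                  // nobody may pull the zone from the public face
};

zone "example.com" in {
    type slave;
    file "public/example.com";
    masters { 192.168.254.2 port 2053 key "xfer-key"; };  // every SOA/AXFR request to the master is signed
    allow-notify { 192.168.254.2; };           // only the hidden master may trigger a refresh
};
```

Check both files with named-checkconf before loading them. With allow-query { none; } at the options level, the master answers nothing except the SOA and transfer requests its own zone clause admits from the two slave addresses, so an outsider who learns the master's address still gets REFUSED on every query.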
DNS - Stealth Configuration
DNS - Internal Resolver


Public Servers (1) are slaves - only use
Public zone files
Master (2) uses non-standard port Zone
Transfer with crypto (TSIG)
Private DNS (3) has only private zone
files
Users need Recursive queries for normal
web access
Public (Recursive) Queries (4) go through
firewall/NAT
DNS - Stealth Configuration
options {
...
// Private DNS (3)
recursion yes;
allow-recursion {172.18/16;}; // cache access
};
// required zone for recursive queries
// transactions will pass through a classic firewall
zone "." {
type hint;
file "root.servers";
};
// zone clause - master for example.com
zone "example.com" in {
type master;
file "private/example.com";
...
};
// required local host domain
// localhost reverse map
// reverse map for local address at example.com
// uses 192.168.254.0 for illustration
DNS - Stealth Configuration
options {
...
// Public DNS (1)
recursion no;
};
// zone clause - master for example.com
zone "example.com" in {
type master;
file "public/example.com";
...
};
// localhost/reverse localhost
// maybe
DNS - Stealth Configuration
DNS - External Resolver

Public Servers (1) are slaves - only use
Public zone files but also provide Recursive
service to Private Clients

Master (2) uses non-standard port Zone
Transfer with crypto (TSIG)
Private DNS (3) has only private zone files
Users need Recursive queries for normal web
access
Public (Recursive) Queries (4) use a
Forwarding DNS (with non-std port) to DNS
(1)
DNS - Stealth Configuration
options {
...
// Private DNS (3)
recursion no;
};
// required zone for recursive queries
// uses stealth port 2053
zone "." {
type forward;
forward only;
forwarders {192.168.2.3 port 2053; 192.168.2.4 port 2053;};
};
// zone clause - master for example.com
zone "example.com" in {
type master;
file "private/example.com";
...
};
// required local host domain
// localhost reverse map
// reverse map for local address at example.com
// uses 192.168.254.0 for illustration
DNS - Stealth Configuration
options {
...
// Public DNS (1)
recursion yes;
allow-recursion {10.0.0.3;}; // private forward DNS
listen-on port 53 {192.168.2.3;};
listen-on port 2053 {192.168.2.3;};
};
// zone clause - master for example.com
zone "example.com" in {
type master;
file "public/example.com";
...
};
// normal hints zone
zone "." {
type hint;
file "root.servers";
};
// localhost/reverse localhost
// maybe
DNS - Using View Clause

A single DNS can be configured to support
both Private and Public capabilities

Maintains two logically separate views

Clients can connect to private or public
services

Does not need Firewall (?)

Vulnerable if the filesystem is compromised

Uses:

match-clients {ip list;};

match-destinations {ip list;};

match-recursion-only yes; // boolean (yes/no), not an IP list
DNS - Bind9 View
DNS - Using View Clause

DNS Server (1) has public and Private views

Hidden Master (2)

Clients access Private side only for
Authoritative (3) and Recursive (4) queries

Private side issues Public (5) (Recursive
queries)

Server's Public view only answers public
queries
DNS - using View Clause
options { // Public/Private DNS (1)
...
recursion no;
};
view "private" {
match-clients {localnets;localhost;};
recursion yes;
allow-recursion {localnets;localhost;};
// zone is private
zone "example.com" {
type master;
file "private/example.com";
...
};
// zone files for hints, localhost, local reverse map
};
view "public" {
match-clients {any;};
recursion no;
zone "example.com" in {
type slave;
file "public/example.com";
...
};
// zone files for localhost
};
DNS - Using View Clause

view order is significant - match-clients
{any;}; in the public view acts as an else
condition

Private cache is polluted with public data

Single server

Can be routed through firewall or not

A filesystem compromise allows reading of
private data
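A complete single-server named.conf using the view clause, added here to show the points of the last three slides together: the private view first, the { any; } public view last as the else branch, all three match-* statements, the key kept in a separate included file, and the public view's zone pulled from a hidden master. This is an added example, not configuration from the original slides; the addresses (172.18.0.0/16 inside, 172.18.0.53 as the inside-facing interface, 192.168.254.2 as the hidden master), the ACL name private-nets, the key file path and the key name xfer-key are assumptions.

```conf
// key "xfer-key" { ... }; lives in its own file, mode 0600, owned by root,
// so named.conf itself can be readable without exposing the secret.
include "/etc/named/keys/xfer.key";

acl "private-nets" { 172.18.0.0/16; localnets; localhost; };

options {
    directory "/var/named";
    recursion no;                              // global default: deny; views opt in explicitly
    allow-transfer { none; };
};

// Views are tried in order; the first whose match-* tests all succeed answers.
view "private" {
    match-clients { private-nets; };           // source-address test
    match-destinations { 172.18.0.53; };       // only queries to the inside-facing address land here
    match-recursion-only no;                   // boolean; yes would send only RD=1 queries to this view
    recursion yes;
    allow-recursion { private-nets; };         // the cache serves our own clients only
    zone "example.com" in {
        type master;
        file "private/example.com";
        allow-transfer { none; };              // the private zone never leaves this host
    };
    zone "." in {                              // hints needed because this view recurses
        type hint;
        file "root.servers";
    };
    // localhost and local reverse-map zones go here
};

// Catch-all: must be last, because { any; } matches every client not taken above.
view "public" {
    match-clients { any; };
    recursion no;                              // an open recursive public face is the classic mistake
    zone "example.com" in {
        type slave;
        file "public/example.com";
        masters { 192.168.254.2 port 2053 key "xfer-key"; };  // from the hidden master, TSIG-signed
    };
    // localhost zones go here
};
```

Swapping the two view blocks would silently break the design: the public view's { any; } would claim every query, including those from 172.18.0.0/16, and the private zone data would never be served. named-checkconf accepts either order, so the ordering has to be verified by querying an internal-only name from an inside and an outside address.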
DNS - Admin security

Bind runs as root until it has assembled all
its files - permissions can be very tight
especially on included files

Files:
named.conf - contains sensitive information
especially where private views are involved
key files - always pull in with include (0600 root:wheel)
zone files - only private ones
log files - in shared public/private

rndc - think very carefully
Quick Quiz

Should a public DNS server support
recursion?

Must the master NS be defined when you
register a domain?

Name at least two statements that can be
used to select view users?

Does an Authoritative Server need a hints
zone clause?

Should key clauses ever be defined directly in
named.conf?