DNS & BIND – Operation and Security

The DNS protocol, as used today on the Internet and in internal networks, has several security weaknesses: DNS data can be forged in transit, and false DNS data can be injected into DNS caching servers (cache poisoning). Since virtually all Internet protocols depend on DNS, these weaknesses can be used to attack or bypass security mechanisms that rely on DNS (such as TLS certificates or the same-origin policy in JavaScript).

This course gives operational guidance on how to securely operate a BIND 9 DNS server (resolver or authoritative).

Trainers and Lecturers

The trainer Carsten Strotmann has been working with Linux/Unix and DNS in TCP/IP networks for over 20 years. Since 2003 he has been a trainer for the DNS specialists Men & Mice and gives trainings worldwide on DNS, DNSSEC, DHCP and IPv6. He works closely with DNS software vendors (ISC BIND, NLnet Labs NSD/Unbound and Microsoft DNS) and is active in the RIPE and IETF DNS working groups.

The trainer Jan-Piet Mens has been working as a consultant and trainer in the Unix and, later, Linux field since 1988. He is also in charge of the training program of the DNS specialists Men & Mice and gives trainings worldwide. At Linuxhotel he is responsible for the Ansible configuration management trainings.

Prerequisites

Prerequisites are basic knowledge of the Unix/Linux command line (shell) and of a Unix/Linux editor on the text console (vi, nano, emacs, ...), as well as good knowledge of DNS name resolution: the operation of "resolving" DNS servers and the delegation of the DNS namespace (this DNS knowledge is taught in the course "DNS & BIND").

Contents

  • New terminology used in DNS & BIND
  • Building the authoritative DNS server
  • A quick look at DNSSEC
  • DNSSEC signing and validation
  • Minimal ANY
  • Empty zones
  • Building a DNSSEC validating DNS Resolver
  • EDNS
  • 'Dig'ing deeper
  • DNS resolver best practices
  • Getting information (statistics, query logging, dnstap, CHAOS)
  • DNS cookies
  • Cryptography in DNS
  • DNSSEC 'inline'-signing
  • Transaction Signatures (TSIG)
  • Dynamic updates (Plus NOTIFY & IXFR)
  • Response rate limiting in BIND
  • Adding and removing zones with RNDC
  • Firewalls and DNS
  • Response Policy Zones (RPZ)
  • Automatic DNS provisioning with Catalog-Zones
  • BIND 9 views
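
To give a concrete picture of several of the mechanisms listed above (DNSSEC validation, minimal ANY, empty zones, DNS cookies, response rate limiting, TSIG, dynamic updates, RPZ and policy-based DNSSEC signing), the following BIND 9 named.conf fragment is an example added by the editor; it is not material from the course, from the trainers or from ISC. The zone names, addresses, file paths and the key secret are placeholders (the secret is base64 of the word "example" and must be replaced by output of tsig-keygen), and the directives assume BIND 9.16 or newer. Each hardening directive is commented with the weaker setting it replaces.

```conf
// Hypothetical named.conf for a BIND 9.16+ server (editor's example).
// Resolver and authoritative roles are shown in one file only for brevity;
// in production they are normally run on separate servers.

key "transfer-key" {
    // TSIG key shared with secondaries / update clients.
    // Placeholder: base64("example"). Generate a real one with: tsig-keygen transfer-key
    algorithm hmac-sha256;
    secret "ZXhhbXBsZQ==";
};

options {
    directory "/var/cache/bind";

    // Resolver side: restrict recursion instead of "allow-recursion { any; };",
    // which turns the server into an open resolver usable for amplification.
    recursion yes;
    allow-recursion { localhost; localnets; };
    allow-query     { localhost; localnets; };

    // Validate DNSSEC with the built-in root trust anchor; "no" would accept
    // forged answers from anyone who can poison the cache.
    dnssec-validation auto;

    // Answer ANY queries with a single RRset instead of the whole node,
    // reducing the amplification factor of reflection attacks.
    minimal-any yes;

    // Serve RFC 6303 reverse and local zones locally instead of leaking
    // queries for 10.in-addr.arpa, localhost etc. to the Internet.
    empty-zones-enable yes;

    // RFC 7873 DNS cookies: clients that return a valid cookie are exempt
    // from rate limiting and cannot be trivially spoofed.
    send-cookie yes;

    // Response rate limiting: cap identical responses per client /24 (or /56),
    // which blunts the server's use as a reflector.
    rate-limit {
        responses-per-second 10;
        window 5;
    };

    // Do not reveal the software version via CHAOS TXT version.bind.
    version "not disclosed";

    // Apply the response policy zone defined below to recursive answers.
    response-policy { zone "rpz.local"; };
};

// Authoritative side: a primary zone signed and maintained by BIND itself.
zone "example.net" {
    type primary;
    file "db.example.net";

    // Policy-based signing with BIND's built-in default policy;
    // inline-signing keeps the unsigned zone file untouched.
    dnssec-policy default;
    inline-signing yes;

    // Zone transfers only to holders of the TSIG key, never "{ any; }".
    allow-transfer { key "transfer-key"; };

    // Dynamic updates restricted to the key, and only for names under the zone.
    update-policy { grant "transfer-key" zonesub ANY; };

    also-notify { 192.0.2.2; };
};

// Local response policy zone (contents not shown); never answered to clients directly.
zone "rpz.local" {
    type primary;
    file "db.rpz.local";
    allow-query { none; };
};
```

Check the result with `named-checkconf -z` before reloading, and verify validation works from a client with `dig +dnssec example.net @server` and look for the AD flag in the response header; a resolver that returns answers for a deliberately broken domain such as dnssec-failed.org (with the default `dnssec-validation auto;`) is not validating.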