Securing DNS 20120516 by ID-SIRTII team in Medan
Securing Bind DNS
Id-SIRTII/CC – 2012, Document Revision 20120515
INTERNET
DNS
DNS: "a kind of phone book for the Internet"
Functional specification:
- Domain server
- Mapping IP addresses to hostnames
- Mapping mailboxes (@contoh.net)
- Filtering (DNSBL/spam filter, domain filter)
- Distribution infrastructure
DNS COMMUNICATION
DNS HIERARCHY
(Figure: tree of the DNS namespace. Labels on the slide: net domain, com domain, apnic.net domain; nodes net, com, edu, apnic, www, training, ns1, ns2, isi, tislabs, ftp, sun, moon.)
DNS COMPONENTS
1. AUTHORITATIVE DNS:
- Answers the recursor's queries
- Administers the domain name
- Holds the Resource Record (RR) database
2. RECURSIVE DNS:
- Looks up answers on behalf of clients
- Returns the correct answer to the client
DNS RESOURCE RECORDS
Resource Record database on the authoritative DNS:
A      hostname (address)
PTR    reverse address mapping
CNAME  aliases
MX     mail exchange for the domain
NS     authoritative DNS
AUTHORITATIVE DNS MODEL
NS1 primary
NS2 secondary
NS3 secondary
NS4 secondary
AUTHORITATIVE DNS MODEL
Primary DNS: 1. stores the domain's RR database; 2. updates the domain's RR database
Secondary DNS: 1. backup of the primary DNS; 2. stores the domain's RR database
DNS ATTACKS
1. DNS Reflector / Amplification
DNS ATTACKS
A. The attacker sends DNS queries to a DNS resolver
B. The DNS resolver asks the authoritative DNS for the answer
C. It becomes a big problem when the requests come from a botnet
D. Effects: DNS resources exhausted, traffic resources exhausted, Internet down
DNS ATTACKS
2. DNS Cache Poisoning
DNS ATTACKS
1. The attacker poisons the DNS server's query cache
2. A user is about to use an e-banking service
3. The user sends a DNS query to look up the e-banking domain
4. The DNS server answers the request, but gives a wrong answer
5. The user opens the wrong e-banking site.
DNS ATTACKS
3. Distributed Denial of Service
- Requests for service arrive simultaneously, so that the server's resources are disrupted.
- One of the DoS attack techniques
- Involves a botnet
DNS ATTACKS
4. Bind Spoofing
In general, BIND is the DNS server most widely used by system administrators
The query IDs it generates are easy to guess: http://www.trusteer.com/list-context/publications/bind-9-dns-cache-poisoning
The source UDP port is easy to guess
The result of spoofing is DNS cache poisoning
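The checks a resolver must apply before it caches a reply, as an added Python example that is not part of the slides; it ties the cache-poisoning sequence on slide 14 to the guessable query ID and source port described here. A reply is accepted only if its transaction ID, destination port, source address and question section match the query the resolver actually sent, and only records inside the bailiwick of the queried zone are kept. The dataclasses and function names are my own, the query and both replies are constructed samples, and 208.8.5.250 is the primary's address from the TSIG slide.

```python
from dataclasses import dataclass, field

@dataclass
class Question:
    name: str
    rtype: str

@dataclass
class Outstanding:
    txid: int          # 16-bit transaction ID the resolver chose
    server_ip: str     # authoritative server the query went to
    src_port: int      # UDP source port the resolver used
    question: Question

@dataclass
class Reply:
    txid: int
    src_ip: str        # address the reply claims to come from
    dst_port: int      # resolver port the reply was delivered to
    question: Question
    records: list = field(default_factory=list)  # (owner, rtype, rdata) from every section

def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is the zone apex or a name below it (case-insensitive, trailing dot ignored)."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)

def validate(q: Outstanding, r: Reply, zone: str) -> list:
    """Reasons the reply must not be cached; an empty list means every check passed."""
    problems = []
    if r.txid != q.txid:
        problems.append("txid mismatch")
    if r.dst_port != q.src_port:
        problems.append("port mismatch")
    if r.src_ip != q.server_ip:
        problems.append("unexpected source address")
    if (r.question.name.lower(), r.question.rtype) != (q.question.name.lower(), q.question.rtype):
        problems.append("question section differs")
    for owner, rtype, _ in r.records:
        if not in_bailiwick(owner, zone):
            problems.append(f"out-of-bailiwick record {owner} {rtype}")
    return problems

# Constructed samples: a query for www.contoh.com sent to the primary, the genuine reply,
# and a spoofed reply whose guessed id and port are off and which smuggles in a foreign name.
QUERY = Outstanding(0x1A2B, "208.8.5.250", 40123, Question("www.contoh.com.", "A"))
GENUINE = Reply(0x1A2B, "208.8.5.250", 40123, Question("www.contoh.com.", "A"),
                [("www.contoh.com.", "A", "203.0.113.10")])
FORGED = Reply(0x1A2C, "208.8.5.250", 40124, Question("www.contoh.com.", "A"),
               [("www.contoh.com.", "A", "198.51.100.7"), ("bank.example.", "A", "198.51.100.7")])
```

Randomising the transaction ID and the source port only widens the space a spoofer has to guess; the bailiwick check is what keeps a lucky guess from planting records for other zones.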
Preventive Bind DNS
1. Use the latest BIND version
The latest BIND version can be found at: http://www.isc.org/software/bind
Latest BIND software versions: Bind 9.9.0, Bind 9.8.2, Bind 9.7.5
Preventive Bind DNS
2. Preventive BIND server infrastructure
Avoid relying on a single subnet
Avoid relying on a single router
Avoid relying on a single leased line/backbone
Use slave servers that are far away in network terms
Use the DNS proxying method
Preventive Bind DNS
Example DNS proxying implementation
(Figure: the primary server, labelled DNS, and the public nameservers NS1, NS2 and NS3.)
Preventive Bind DNS
NS1 – NS3 are the nameservers registered with the registrar
DNS is a nameserver that acts only as the primary DNS
DNS is not listed with the registrar
Preventive Bind DNS
3. Filter traffic to the BIND DNS server
Use the host only for the BIND server.
Filter all traffic except UDP and TCP port 53, on the router and on the host firewall
Example iptables filter (Linux firewall):
    # iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
    # iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
    # iptables -P INPUT DROP
With the DROP policy these three rules alone also discard replies to queries the server itself sends (they arrive on its ephemeral source port, not on port 53) and loopback traffic, so accept established/related connections and the lo interface, and the port you administer the host over, before applying the policy.
Preventive Bind DNS
4. Restrict zone transfers in named.conf
The aim is to stop crackers from reading the contents of the zone database (Resource Records) and the host demographics
Example:
    options {
        allow-transfer { 206.168.119.178; };
    };
Preventive Bind DNS
5. Authenticate zone transfers in named.conf
Communication between servers during a zone database transfer uses a transaction signature (TSIG)
Example on the primary server:
    key dilarang-mengintip {
        algorithm hmac-md5;
        secret "mZiMNOUYQPMNwsDzrX2ENw==";
    };
    zone "contoh.com" {
        type master;
        file "db.contoh.com";
        allow-transfer { key dilarang-mengintip; };
    };
(hmac-md5 is the algorithm on the 2012 slide; current BIND releases also accept hmac-sha256, which is the better choice for new keys.)
Preventive Bind DNS
Example on the slave server (named.conf):
    key dilarang-mengintip {
        algorithm hmac-md5;
        secret "mZiMNOUYQPMNwsDzrX2ENw==";
    };
    server 208.8.5.250 {
        transfer-format many-answers;
        keys { dilarang-mengintip.; };
    };
    zone "contoh.com" {
        type slave;
        masters { 208.8.5.250; };   // a slave zone must name its master
        file "bak.contoh.com";
        allow-transfer { none; };
    };
Preventive Bind DNS
6. Protecting the server from cache poisoning attacks
By accepting queries from the Internet, a BIND server makes it easy to probe for its weaknesses
Disable recursion for the Internet:
Example:
    options {
        recursion no;
    };
Preventive Bind DNS
Restricting the query service. Example:
    acl internal { 206.168.119.176/29; };
    options {
        directory "/var/named";
        allow-query { internal; };
    };
    zone "contoh.com" {
        type master;
        file "db.contoh.com";
        allow-query { any; };
    };
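A small audit of the named.conf settings covered on slides 22, 25 and 26, as an added Python example that is not part of the slides: it reads the options block and each zone block and flags recursion left at its default, an unrestricted allow-query in options, and allow-transfer lists that permit any host. The function names are my own, the two configurations are constructed (a weak one, and one assembled from the slides' own fragments), and the brace-matching parser covers only the subset of named.conf syntax the slides use.

```python
import re
def block_body(text: str, open_brace: int) -> str:
    """Text between the '{' at index open_brace and its matching '}' (nesting respected)."""
    depth, i = 0, open_brace
    while i < len(text):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
        if depth == 0:
            return text[open_brace + 1:i - 1]
    raise ValueError("unbalanced braces in named.conf")

def acl(body: str, directive: str):
    """Entries of `directive { a; b; };` in a block body, or None if the directive is absent."""
    m = re.search(r"\b" + re.escape(directive) + r"\s*\{([^}]*)\}", body)
    return [e.strip() for e in m.group(1).split(";") if e.strip()] if m else None

def audit(conf: str) -> list:
    """Flag the settings the slides tell you to tighten; an empty list means none were found."""
    findings = []
    opts = re.search(r"\boptions\s*\{", conf)
    body = block_body(conf, opts.end() - 1) if opts else ""
    if not re.search(r"\brecursion\s+no\s*;", body):
        findings.append("options: recursion not disabled (BIND defaults to recursion yes)")
    if acl(body, "allow-query") is None:
        findings.append("options: allow-query not restricted (defaults to any)")
    xfer = acl(body, "allow-transfer")
    if xfer is None or "any" in xfer:
        findings.append("options: allow-transfer permits any host")
    for z in re.finditer(r'\bzone\s+"([^"]+)"\s*\{', conf):
        zxfer = acl(block_body(conf, z.end() - 1), "allow-transfer")
        if zxfer is not None and "any" in zxfer:
            findings.append(f'zone "{z.group(1)}": allow-transfer permits any host')
    return findings

# Constructed configurations: a weak one, and one assembled from the fragments on the slides.
WEAK = '''
options { directory "/var/named"; recursion yes; };
zone "contoh.com" { type master; file "db.contoh.com"; allow-transfer { any; }; };
'''
HARDENED = '''
acl internal { 206.168.119.176/29; };
options { directory "/var/named"; recursion no;
          allow-query { internal; }; allow-transfer { 206.168.119.178; }; };
zone "contoh.com" { type master; file "db.contoh.com";
          allow-query { any; }; allow-transfer { key dilarang-mengintip; }; };
'''
if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf) or ["nothing flagged"])
```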
Preventive Bind DNS
7. Run BIND in a chroot environment and as a user other than root (named)
Chroot is a method that confines the process to a virtual directory tree
If an incident occurs, the attacker does not get into the main system
Example chroot structure:
    /var/named/chroot/etc
    /var/named/chroot/var/named/data
    ...
Preventive Bind DNS
8. DNS Security Extensions (DNSSEC)
Ensures the query process is valid
Something like SSL authentication for DNS
A preventive measure against cyber attacks
Preventive Bind DNS
8.1 Deploying DNSSEC
Enable DNSSEC on authoritative servers:
    options { dnssec-enable yes; };
"The ssl package must be present on the server"
Enable DNSSEC on recursive servers:
    options { dnssec-enable yes; dnssec-validation yes; };
Preventive Bind DNS
DNSSEC needs two keys, the ZSK and the KSK:
ZSK = signs the data in the zone
KSK = signs the zone signing key (ZSK)
Create the KSK:
    # dnssec-keygen -r /dev/random -f KSK -a RSASHA1 -b 2048 -n ZONE contoh.com
Create the ZSK:
    # dnssec-keygen -r /dev/random -a RSASHA1 -b 1024 -n ZONE contoh.com
Each of the commands above produces two files, .key and .private
(RSASHA1 with a 1024-bit ZSK is what the 2012 slide shows; RFC 8624 now lists RSASHA1 as not recommended for signing and prefers RSASHA256 or ECDSAP256SHA256.)
Preventive Bind DNS
Include the ZSK and KSK output in the domain's zone database (one $INCLUDE per key file; $INCLUDE does not expand wildcards):
    $INCLUDE Kcontoh.com.+005+aaaaa.key
    $INCLUDE Kcontoh.com.+005+bbbbb.key
Sign the zone database:
    # dnssec-signzone -l dlv.isc.org -r /dev/random -o contoh.com \
        -k Kcontoh.com.+005+aaaaa contoh.com.db Kcontoh.com.+005+bbbbb.key
The result of the signing above is contoh.signed
aaaaa is the KSK key tag and bbbbb is the ZSK key tag
Preventive Bind DNS
Enabling the trusted-keys statement. Example in named.conf:
    trusted-keys {
        dlv.isc.org. 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh";
    };
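How the key tag in the Kcontoh.com.+005+aaaaa and +bbbbb file names on slide 31 relates to a DNSKEY such as the dlv.isc.org entry above, as an added Python example that is not part of the slides: it builds the wire-format DNSKEY RDATA, computes the RFC 4034 key tag, tells a KSK (flags 257) from a ZSK (flags 256), and reconstructs the dnssec-keygen file-name prefix, in which +005 is algorithm 5 (RSASHA1) and the last field is the five-digit tag. The function names are my own; the only input taken from the slides is the dlv.isc.org trusted-keys entry.

```python
import base64
import struct

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B.1: sum the RDATA as 16-bit words and fold the carry."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def is_ksk(flags: int) -> bool:
    """Flags 257 (zone key + SEP bit) mark a KSK; 256 (zone key only) a ZSK."""
    return flags & 1 == 1

def parse_trusted_key(entry: str):
    """Split one `name flags protocol algorithm "base64"` entry of a trusted-keys block."""
    parts = entry.replace('"', " ").replace(";", " ").split()
    name, flags, protocol, algorithm = parts[0], int(parts[1]), int(parts[2]), int(parts[3])
    return name, flags, protocol, algorithm, "".join(parts[4:])

def key_file_prefix(zone: str, algorithm: int, tag: int) -> str:
    """Base name dnssec-keygen gives the .key/.private files: K<zone>.+<alg>+<tag>."""
    return f"K{zone.rstrip('.')}.+{algorithm:03d}+{tag:05d}"

# The dlv.isc.org entry from the trusted-keys statement on slide 32, line breaks removed.
DLV_ENTRY = ('dlv.isc.org. 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58'
             'dnJNPCxn8+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTw'
             'FlgPe+jnGxPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZ'
             'fSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh";')

if __name__ == "__main__":
    name, flags, proto, alg, b64 = parse_trusted_key(DLV_ENTRY)
    tag = key_tag(dnskey_rdata(flags, proto, alg, b64))
    print(name, "KSK" if is_ksk(flags) else "ZSK", "tag", tag, key_file_prefix(name, alg, tag))
```

The tag printed for the dlv.isc.org key is the "key id" BIND logs when it loads the trusted key, which is how you confirm a pasted trust anchor was not corrupted.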
Preventive Bind DNS
Enable BIND DNS logging. Example:
    logging {
        channel dnssec_log {
            file "log/dnssec" size 20m;
            print-time yes;
            print-category yes;
            print-severity yes;
            severity debug 3;
        };
        category dnssec { dnssec_log; };
    };
Preventive Bind DNS
Update the zone database file name in named.conf. Example: change
    zone "zonename" { file "dir/zonefile"; };
to
    zone "zonename" { file "dir/zonefile.signed"; };
Preventive Bind DNS
9. References
- https://dlv.isc.org
- DNS Attacks, Himanshu Prabhakar
- Security Challenges in DNS, Philippe Camacho
- Introduction to DNSSEC, Tom Daly
- http://www.cymru.com
Thank you