Setting up BIND to be as insecure as possible in Centos/RHEL7

DNS, in general, should be locked down as much as possible. An open recursive resolver is a ready-made amplifier for DDoS attacks, unrestricted zone transfers hand your entire zone to anyone who asks for it, and unauthenticated dynamic updates let anyone rewrite your records, unless you set up some basic security measures.

However, if you’re just trying to set up a simple BIND DNS server in a lab that’s not on a public network and is behind a ton of firewalls, just to test some basic functionality like I’ve been doing, you may want things to just *work* without having to set up all the extra security bells and whistles.

I’m writing this up to help people avoid the hours of head banging, Googling and debugging that always ends up in an Occam’s razor-like scenario: disable your firewall.


Before we start, I want to re-iterate something:

DO NOT CONFIGURE YOUR PRODUCTION DNS SERVERS LIKE THIS, INCLUDING DNS SERVERS YOU RUN AT YOUR HOUSE. IF YOU DO, YOU ARE ASKING FOR TROUBLE.

Now that that’s out of the way…

BIND configuration – named.conf Worst Practices

The general recommendations for securing DNS servers are to disable recursion (or restrict it to your own clients), lock down who can query, transfer and update your zones, and so on. Eff that. We’re going all out and allowing everything.

Here’s the named.conf file I used on my BIND server:

options {
  listen-on port 53 { any; };        // listen on every IPv4 address
  listen-on-v6 port 53 { any; };     // ...and every IPv6 address
  directory "/var/named";
  dump-file "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
  allow-transfer { any; };           // anyone can AXFR the whole zone
  allow-query-cache { any; };        // anyone can read answers out of the cache
  allow-query { any; };              // anyone can query
  recursion yes;                     // combined with the above: an open resolver

  dnssec-enable no;                  // no DNSSEC at all...
  dnssec-validation no;              // ...and no validation of anyone else's

  /* Path to ISC DLV key */
  bindkeys-file "/etc/named.iscdlv.key";

  managed-keys-directory "/var/named/dynamic";

  pid-file "/run/named/named.pid";
  session-keyfile "/run/named/session.key";
};

Hackable as s**t. But it works, dammit.

For good measure, my zones:

zone "bind.parisi.com" IN {
  type master;
  file "bind.parisi.com.zone";
  allow-update { any; };             // anyone with nsupdate can rewrite the zone, no key needed
  allow-query { any; };
};

zone "xx.xx.xx.in-addr.arpa" IN {
  type master;
  file "xx.xx.xx.in-addr.arpa.zone";
  allow-update { any; };             // same for the reverse zone
  allow-query { any; };
};
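For contrast, here is what the same server looks like with the "general recommendations" actually applied. This is an added example, not the post's configuration: the zone names are the post's (the xx.xx.xx reverse zone is left as the post wrote it), while the ACL names, the TSIG key name "lab-update" and its secret are invented placeholders.

```conf
// Added example (not from the post): the locked-down counterpart of the
// named.conf above. Replace the ACL members and the key secret with your own.

// TSIG key so that only signed nsupdate requests can change the zones.
// Generate a real secret with:
//   dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST lab-update
// The value below is an example placeholder; never reuse it.
key "lab-update" {
    algorithm hmac-sha256;
    secret "bGFiLW9ubHktc2VjcmV0IQ==";
};

acl "lab-clients" { 127.0.0.1; ::1; localnets; };  // who is allowed to recurse
acl "secondaries" { none; };                        // your secondary servers go here

options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";

    allow-query { any; };              // answers for our own zones can stay public
    recursion yes;                     // "no" if this box is authoritative only
    allow-recursion { lab-clients; };  // never recurse for strangers: no amplification source
    allow-query-cache { lab-clients; };
    allow-transfer { secondaries; };   // AXFR only to known secondaries

    dnssec-enable yes;
    dnssec-validation auto;            // validate using the built-in root trust anchor

    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

zone "bind.parisi.com" IN {
    type master;
    file "bind.parisi.com.zone";
    allow-update { key "lab-update"; };  // updates must be signed with the TSIG key
};

zone "xx.xx.xx.in-addr.arpa" IN {
    type master;
    file "xx.xx.xx.in-addr.arpa.zone";
    allow-update { key "lab-update"; };
};
```

The important differences are the three ACLs: recursion and cache access are limited to your own clients, transfers go only to listed secondaries (none at the moment), and dynamic updates require a TSIG signature instead of `any`.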

Arrrgh. Firewalls!


If you’ve worked with Linux in the past 10 years, I’m sure you’ve run into the problem with Linux firewalls where you just end up turning them off. Historically, the usual suspects have been iptables and SELinux (which is mandatory access control rather than a firewall, but it blocks things just the same). When I was working on my environment, I was seeing the following in a packet trace when attempting remote nslookups:

ICMP 118 Destination unreachable (Host administratively prohibited)

That particular ICMP message is the tell: it is what a REJECT rule on the host itself sends back (firewalld’s default zone rejects with icmp-host-prohibited), so the query is reaching the box and the box is refusing it, which rules out routing.

Local worked fine. Pinging the IP worked fine. But dig?

# dig @xx.xx.xx.xx dns.bind.parisi.com

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> @xx.xx.xx.xx dns.bind.parisi.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Ping, by hostname this time, so the lookup has to succeed before any ICMP is even sent?

# ping dns.bind.parisi.com
ping: unknown host dns.bind.parisi.com

Everything I read said it was either a config or firewall issue. I had already disabled the usual suspects, SELinux and iptables. But no dice.

Finally, I remembered that CentOS/RHEL 7 is pretty different from previous versions. So I Googled “centos7 security features” and found my answer: THEY ADDED A NEW &*@$ FIREWALL.

Introducing your newest Linux security nemesis…

Firewalld.

Now, I fully understand the need for new security enhancements. And you should totally leave this alone in production environments. But, like the Windows Firewall, it’s the bane of a lab machine’s existence. So, I disabled it. Two things to know before you do the same: firewalld sits on top of netfilter and manages the iptables rules itself, so you deal with it through firewall-cmd or systemctl rather than the old iptables service, and systemctl stop only lasts until the next boot, because the unit stays enabled.

# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
 Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
 Active: active (running) since Thu 2016-06-23 14:57:47 EDT; 6h ago
 Main PID: 670 (firewalld)
 CGroup: /system.slice/firewalld.service
 └─670 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Jun 23 14:57:21 dns.bind.parisi.com systemd[1]: Starting firewalld - dynamic firewall daemon...
Jun 23 14:57:47 dns.bind.parisi.com systemd[1]: Started firewalld - dynamic firewall daemon.

# systemctl stop firewalld


# dig @xx.xx.xx.xx dns.bind.parisi.com

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> @xx.xx.xx.xx dns.bind.parisi.com
; (1 server found)
;; global options: +cmd
;; Got answer:
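Rather than stopping firewalld outright, the cleaner lab fix is to open just the dns service in it (UDP and TCP 53) and leave the rest of the default zone alone. The script below is an added example, not the post's own commands: it wraps both approaches, the verification dig, and a check of what the "worst practices" named.conf actually exposes, with a DRY_RUN=1 mode that prints each command instead of running it. It assumes CentOS/RHEL 7 with firewalld and bind-utils installed, a server address of 127.0.0.1 (override with DNS_SERVER; the post's real address is redacted), and the post's zone bind.parisi.com.

```shell
#!/bin/sh
# Added example (not from the original post): lab-friendly ways past firewalld
# on CentOS/RHEL 7, plus verification against the BIND server.
# Assumptions: firewalld and bind-utils present; DNS_SERVER defaults to
# 127.0.0.1 (not from the post); zone/hostname are the post's.
set -eu

DNS_SERVER="${DNS_SERVER:-127.0.0.1}"
TEST_NAME="${TEST_NAME:-dns.bind.parisi.com}"
ZONE="${ZONE:-bind.parisi.com}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each command instead of running it

# run CMD ARGS...: execute, or just echo the command line in dry-run mode.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Which zone the interfaces are in, and what that zone currently allows.
show_firewall_state() {
  run firewall-cmd --get-active-zones
  run firewall-cmd --list-services
}

# Preferred fix: keep firewalld running and open only the dns service.
# --permanent writes the config to disk; --reload applies it to the
# running rules, so it survives a reboot.
open_dns_in_firewalld() {
  run firewall-cmd --permanent --add-service=dns
  run firewall-cmd --reload
}

# What the post does, plus the step it skips: "systemctl stop" is runtime
# only and the unit is enabled, so disable it too or it returns on reboot.
# Lab machines only.
disable_firewalld() {
  run systemctl stop firewalld
  run systemctl disable firewalld
}

# Same check as the post's dig, but fail fast instead of sitting through
# dig's default retries. +short prints only the answer; a non-zero exit
# means no answer, which is what a REJECT rule looks like from the client.
verify_dns() {
  run dig +short +time=2 +tries=1 "@$DNS_SERVER" "$TEST_NAME" A
}

# Confirm what the wide-open named.conf exposes: recursion for a name this
# server is not authoritative for, and a full zone transfer. Both succeed
# against the lab config and should fail against a locked-down server.
check_exposure() {
  run dig +short +time=2 +tries=1 "@$DNS_SERVER" www.example.com A
  run dig +time=2 +tries=1 "@$DNS_SERVER" "$ZONE" AXFR
}

case "${1:-}" in
  state)    show_firewall_state ;;
  open)     open_dns_in_firewalld ;;
  disable)  disable_firewalld ;;
  verify)   verify_dns ;;
  exposure) check_exposure ;;
  "")       ;;   # no argument: only define the functions (e.g. when sourced)
  *)        echo "usage: $0 state|open|disable|verify|exposure" >&2; exit 2 ;;
esac
```

Run it as `sh bindlab.sh open` on the server, then `DNS_SERVER=xx.xx.xx.xx sh bindlab.sh verify` from the client; `DRY_RUN=1` in front of either prints what would be executed, which is handy for reviewing before touching a box.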

Now, on to fight with BIND some more. Stay tuned for news on TR updates featuring BIND configuration with on-box DNS in ONTAP!


Comments

  1. if you use firewall-cmd --add-service=dns (--permanent, if you want it to stick after a reboot), it will just work (just tested it).

    Pro tip, install the bash-completion package, then firewall-cmd will be very easy to use (or systemctl, or journalctl, …)

