DNS & Mail in the DMZ - PowerPoint PPT Presentation

Jims
dns mail in the dmz l.
Skip this Video
Loading SlideShow in 5 Seconds..
DNS & Mail in the DMZ PowerPoint Presentation
Download Presentation
DNS & Mail in the DMZ

play fullscreen
1 / 23
Download Presentation
DNS & Mail in the DMZ
393 Views
Download Presentation

DNS & Mail in the DMZ

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. DNS & Mail in the DMZ Jason Heiss Collective Technologies jheiss@ofb.netjheiss@colltech.com

  2. Firewall Architectures

  3. Screening Router Architecture

  4. Screened Subnet Architecture

  5. DNS(Domain Name Service)

  6. Goals • Separate internal and external DNS servers • Limit the information about your network that is publicly available • Protect the internal DNS server from attack • Run as separate user • Successful attack on DNS server does not give root • Run in chroot environment • Successful attack doesn’t expose entire server

  7. Internal BIND Configuration • named.conf options { forward only; forwarders { 1.2.3.4; 1.2.3.5;}; } zone “foo.net” { type master; file “foo.net”; } • No root hints file • Zone files contain full info

  8. DMZ BIND Configuration • named.conf acl slaves { 10.1.2.3; 192.168.1.1; }; options { version “”; directory “/”; # Really /var/named named-xfer “/bin/named.xfer”; allow-transfer { slaves; }; } zone “.” { type hint; file “root.hints”; }; zone “foo.net” {type master; file “foo.net”; }; • Zone files contain only external hosts

  9. Running BIND as Non-root User • Very simple starting with BIND 8 • “named –u bind –g bind” • The only things the bind user should be able to write to are files for slave zones • By default, these are dumped into the main directory (from named.conf) with somewhat random names • This directory, therefore, would need to be writeable by bind • Best to specify specific filenames for each slave zone in named.conf and make only those files writeable by bind

  10. Running BIND in chroot • Looks simple • “named –t /var/named” • syslog • Can’t get at /var/run/log (or /dev/log or whatever) • “syslog –l /var/named/var/run/log” • holelogd from Obtuse System’s utils package • ndc • named makes a UNIX socket for ndc to talk to • mkdir /var/named/var/run • ln –s /var/named/var/run/ndc /var/run/ndc

  11. Running BIND in chroot, cont. • Slaves • Zone transfers to slaves use named-xfer • Must reside in chroot directory • Probably will require some dynamic libraries (or compile a static version of named-xfer) • /usr/libexec/ld-elf.so.1 • /usr/lib/libutil.so.3 • /usr/lib/libc.so.4

  12. ndc • ndc, for the most part, works fine (reload, stop, etc.) with all of this special configuration • Need symlink from the real /var/run/ndc to the chroot /var/run/ndc if chroot’d • ‘ndc start’ fires up named with no arguments • ‘ndc start –u bind –g bind –t /var/named’

  13. Complications • Subdomains • client.foo.net queries intradns.foo.net for host.sub.foo.net • Intradns ignores delegation and forwards query to bastion host • Bastion host is authoritative for (limited) foo.net, doesn’t know about sub.foo.net, and thus returns NXDOMAIN

  14. Complications, cont. • Subdomains, cont. • If you are big enough to need subdomains, you can probably afford a couple extra PCs to separate external DNS from forwarders • See DNS & Bind (DNS and Internet Firewalls section) for extensive discussion of problems and solutions

  15. Complications, cont. • Double-reverse DNS lookups • Performed by many FTP sites • Server looks up hostname associated with connecting IP • Server then looks up IP associated with that hostname • This IP must match original • Requires unique A and PTR records for all public IPs • Good case for proxies or NAT/PAT (masquerading)

  16. Mail

  17. Goals • Separate internal and external mail servers • Protects internal mail server(s) from attack • Provides choke point to apply filters • Masquerading • Virus scanning • Run as separate user • Run in chroot environment • Sendmail does not have a built-in chroot feature • Would be a good idea if your MTA supports it

  18. Internal Sendmail Configuration FEATURE(`local_procmail')dnl FEATURE(`mailertable')dnl MAILER(`local')dnl MAILER(`smtp')dnl define(`SMART_HOST', `bastion.foo.net')dnl

  19. Internal Sendmail Config, cont. • /etc/mail/mailertable foo.net local: .foo.net local: • /etc/mail/relay-domains foo.net

  20. DMZ Sendmail Configuration MASQUERADE_AS(`foo.net')dnl FEATURE(`mailertable')dnl FEATURE(`access_db’)dnl MAILER(`smtp')dnl define(`confRUN_AS_USER', `mail:mail')dnl define(`confSMTP_LOGIN_MSG', `')dnl define(`confPRIVACY_FLAGS', `goaway')dnl

  21. DMZ Sendmail Config, cont. • /etc/mail/mailertable foo.net smtp:mailhub.foo.net .foo.net smtp:mailhub.foo.net • /etc/mail/access Connect:mailhub.foo.net RELAY To:foo.net RELAY

  22. Running Sendmail as Non-root User • Queue should be owned by mail user so that Sendmail can queue mail temporarily • Otherwise user should have no privileges

  23. References • BIND • Grasshopper (Cricket) book (O’Reilly) • Building Internet Firewalls (O’Reilly) • Linux HOWTO • Sendmail • www.sendmail.org (Configuration Information) • www.sendmail.net (Good release notes) • ofb.net/~jheiss/sendmail_proxy.html • Bat book (O’Reilly)