DNS

1
DNS Mail in the DMZ

• Jason Heiss
• Collective Technologies
• jheiss_at_ofb.net jheiss_at_colltech.com

2
Firewall Architectures
3
Screening Router Architecture
4
Screened Subnet Architecture
5
DNS(Domain Name Service)
6
Goals

• Separate internal and external DNS servers
• Limit the information about your network that is
  publicly available
• Protect the internal DNS server from attack
• Run as separate user
• Successful attack on DNS server does not give
  root
• Run in chroot environment
• Successful attack doesnt expose entire server

7
Internal BIND Configuration

• named.conf
• options
• forward only
• forwarders 1.2.3.4 1.2.3.5
• zone foo.net
• type master
• file foo.net
• No root hints file
• Zone files contain full info

8
DMZ BIND Configuration

• named.conf
• acl slaves 10.1.2.3 192.168.1.1
• options
• version
• directory / Really /var/named
• named-xfer /bin/named.xfer
• allow-transfer slaves
• zone . type hint file root.hints
• zone foo.net type master file foo.net
• Zone files contain only external hosts

9
Running BIND as Non-root User

• Very simple starting with BIND 8
• named u bind g bind
• The only things the bind user should be able to
  write to are files for slave zones
• By default, these are dumped into the main
  directory (from named.conf) with somewhat random
  names
• This directory, therefore, would need to be
  writeable by bind
• Best to specify specific filenames for each slave
  zone in named.conf and make only those files
  writeable by bind

10
Running BIND in chroot

• Looks simple
• named t /var/named
• syslog
• Cant get at /var/run/log (or /dev/log or
  whatever)
• syslog l /var/named/var/run/log
• holelogd from Obtuse Systems utils package
• ndc
• named makes a UNIX socket for ndc to talk to
• mkdir /var/named/var/run
• ln s /var/named/var/run/ndc /var/run/ndc

11
Running BIND in chroot, cont.

• Slaves
• Zone transfers to slaves use named-xfer
• Must reside in chroot directory
• Probably will require some dynamic libraries (or
  compile a static version of named-xfer)
• /usr/libexec/ld-elf.so.1
• /usr/lib/libutil.so.3
• /usr/lib/libc.so.4

12
ndc

• ndc, for the most part, works fine (reload, stop,
  etc.) with all of this special configuration
• Need symlink from the real /var/run/ndc to the
  chroot /var/run/ndc if chrootd
• ndc start fires up named with no arguments
• ndc start u bind g bind t /var/named

13
Complications

• Subdomains
• client.foo.net queries intradns.foo.net for
  host.sub.foo.net
• Intradns ignores delegation and forwards query to
  bastion host
• Bastion host is authoritative for (limited)
  foo.net, doesnt know about sub.foo.net, and thus
  returns NXDOMAIN

14
Complications, cont.

• Subdomains, cont.
• If you are big enough to need subdomains, you can
  probably afford a couple extra PCs to separate
  external DNS from forwarders
• See DNS Bind (DNS and Internet Firewalls
  section) for extensive discussion of problems and
  solutions

15
Complications, cont.

• Double-reverse DNS lookups
• Performed by many FTP sites
• Server looks up hostname associated with
  connecting IP
• Server then looks up IP associated with that
  hostname
• This IP must match original
• Requires unique A and PTR records for all public
  IPs
• Good case for proxies or NAT/PAT (masquerading)

16
Mail
17
Goals

• Separate internal and external mail servers
• Protects internal mail server(s) from attack
• Provides choke point to apply filters
• Masquerading
• Virus scanning
• Run as separate user
• Run in chroot environment
• Sendmail does not have a built-in chroot feature
• Would be a good idea if your MTA supports it

18
Internal Sendmail Configuration

• FEATURE(local_procmail')dnl
• FEATURE(mailertable')dnl
• MAILER(local')dnl
• MAILER(smtp')dnl
• define(SMART_HOST', bastion.foo.net')dnl

19
Internal Sendmail Config, cont.

• /etc/mail/mailertable
• foo.net local
• .foo.net local
• /etc/mail/relay-domains
• foo.net

20
DMZ Sendmail Configuration

• MASQUERADE_AS(foo.net')dnl
• FEATURE(mailertable')dnl
• FEATURE(access_db)dnl
• MAILER(smtp')dnl
• define(confRUN_AS_USER', mailmail')dnl
• define(confSMTP_LOGIN_MSG', ')dnl
• define(confPRIVACY_FLAGS', goaway')dnl

21
DMZ Sendmail Config, cont.

• /etc/mail/mailertable
• foo.net smtpmailhub.foo.net
• .foo.net smtpmailhub.foo.net
• /etc/mail/access
• Connectmailhub.foo.net RELAY
• Tofoo.net RELAY

22
Running Sendmail as Non-root User

• Queue should be owned by mail user so that
  Sendmail can queue mail temporarily
• Otherwise user should have no privileges

23
References

• BIND
• Grasshopper (Cricket) book (OReilly)
• Building Internet Firewalls (OReilly)
• Linux HOWTO
• Sendmail
• www.sendmail.org (Configuration Information)
• www.sendmail.net (Good release notes)
• ofb.net/jheiss/sendmail_proxy.shtml
• Bat book (OReilly)