Upgrade Secondary DNS Server
Version 1.0
Author: gtoms <henry at gultom dot or dot id>
Last edited 30/07/2008

The hard-upgrade process for the secondary DNS server:

- Back up the files and configuration of the secondary DNS server (/etc/bind, etc.)
- Disconnect the secondary DNS server.
- Install a fresh operating system for the secondary DNS: Linux, using my favourite distro, good old Debian, now at version 4.0 release 3, codename Etch.
- Install the latest version of the DNS server software; according to the Debian Security releases as of 30 July 2008 that is bind9_9.3.4-2etch3_i386.deb.
- Configure Bind in a chroot (Debian).
- Adjust the Bind configuration (/etc/bind)
- Test for the DNS cache poisoning vulnerability
- Tighten the firewall
- Monitoring & maintenance

I used the Debian network installer from a minimal CD (netinst), about 180 MB, burned it to a CD-ROM, installed only the base system, and installed the supporting software afterwards from the Debian repositories or from each package's official site.
For a DNS server it is enough to set up the following partitions:
/
swap
/home

For the installation of Debian GNU/Linux 4.0, the steps and screenshots can be found at:
http://www.howtoforge.com/perfect_setup_debian_etch
I did not apply every step on that website, so adapt it to the way we usually install a Debian server, with a result we already know.
Installing Debian is not hard once you understand the process; just press Enter and follow the installation prompts. For the network mirror, use a repository in Indonesia, vlsm.org or indika.net.id; both are listed under Network Mirror in the Debian netinst installer.

Below is a copy-paste from the console of what I managed to document; some parts were not documented or have been edited by me:

After the operating system installation is finished, edit /etc/apt/sources.list to use the network mirror, then run update and upgrade so that the system is really up to date.

poison:/home/gtoms# apt-get update

poison:/home/gtoms# apt-get upgrade
Reading package lists... Done
Building dependency tree... Done
The following packages will be upgraded:
linux-image-2.6.18-6-686
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 16.3MB of archives.
After unpacking 1819kB disk space will be freed.
Do you want to continue [Y/n]? y
Get:1 http://security.debian.org etch/updates/main linux-image-2.6.18-6-686 2.6.18.dfsg.1-18etch6 [16.3MB]
Fetched 16.3MB in 4m27s (61.1kB/s)
Preconfiguring packages ...
(Reading database ... 18560 files and directories currently installed.)
Preparing to replace linux-image-2.6.18-6-686 2.6.18.dfsg.1-18etch1 (using .../linux-image-2.6.18-6-686_2.6.18.dfsg.1-18etch6_i386.deb) ...
The directory /lib/modules/2.6.18-6-686 still exists. Continuing as directed.
Done.
Unpacking replacement linux-image-2.6.18-6-686 ...
Running postrm hook script /sbin/update-grub.
You shouldn't call /sbin/update-grub. Please call /usr/sbin/update-grub instead!

Searching for GRUB installation directory ... found: /boot/grub
Searching for default file ... found: /boot/grub/default
Testing for an existing GRUB menu.lst file ... found: /boot/grub/menu.lst
Searching for splash image ... none found, skipping ...
Found kernel: /boot/vmlinuz-2.6.18-6-686
Updating /boot/grub/menu.lst ... done

Setting up linux-image-2.6.18-6-686 (2.6.18.dfsg.1-18etch6) ...

Hmm. The package shipped with a symbolic link /lib/modules/2.6.18-6-686/source
However, I can not read the target: No such file or directory
Therefore, I am deleting /lib/modules/2.6.18-6-686/source

Running depmod.
Finding valid ramdisk creators.
Using mkinitramfs-kpkg to build the ramdisk.
Not updating initrd symbolic links since we are being updated/reinstalled
(2.6.18.dfsg.1-18etch1 was configured last, according to dpkg)
Not updating image symbolic links since we are being updated/reinstalled
(2.6.18.dfsg.1-18etch1 was configured last, according to dpkg)
Running postinst hook script /sbin/update-grub.
You shouldn't call /sbin/update-grub. Please call /usr/sbin/update-grub instead!

Searching for GRUB installation directory ... found: /boot/grub
Searching for default file ... found: /boot/grub/default
Testing for an existing GRUB menu.lst file ... found: /boot/grub/menu.lst
Searching for splash image ... none found, skipping ...
Found kernel: /boot/vmlinuz-2.6.18-6-686
Updating /boot/grub/menu.lst ... done

REBOOT
poison:/home/gtoms#reboot

login as: gtoms
gtoms@202.51.xxx.x's password:
Linux poison 2.6.18-6-686 #1 SMP Fri Jun 6 22:22:11 UTC 2008 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Jul 27 20:52:16 2008 from ip134.215.infoasixxxx.xxx
gtoms@poison:~$


Completing the Debian build tools:

poison:/home/gtoms# apt-get install devscripts
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
binutils dpkg-dev make
Suggested packages:
binutils-doc devscripts-el build-essential cvs-buildpackage cvs subversion tla bazaar debian-keyring dupload dput gnuplot libtimedate-perl libwww-perl
lintian linda patchutils wdiff make-doc-non-dfsg
Recommended packages:
fakeroot gcc c-compiler bzip2
The following NEW packages will be installed:
binutils devscripts dpkg-dev make
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 3540kB of archives.
After unpacking 10.8MB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://debian.indika.net.id etch/main binutils 2.17-3 [2605kB]
Get:2 http://debian.indika.net.id etch/main make 3.81-2 [382kB]
Get:3 http://debian.indika.net.id etch/main dpkg-dev 1.13.25 [166kB]
Get:4 http://debian.indika.net.id etch/main devscripts 2.9.26 [386kB]
Fetched 3540kB in 2s (1579kB/s)
Selecting previously deselected package binutils.
(Reading database ... 18560 files and directories currently installed.)
Unpacking binutils (from .../binutils_2.17-3_i386.deb) ...
Selecting previously deselected package make.
Unpacking make (from .../archives/make_3.81-2_i386.deb) ...
Selecting previously deselected package dpkg-dev.
Unpacking dpkg-dev (from .../dpkg-dev_1.13.25_all.deb) ...
Selecting previously deselected package devscripts.
Unpacking devscripts (from .../devscripts_2.9.26_i386.deb) ...
Setting up binutils (2.17-3) ...

Setting up make (3.81-2) ...
Setting up dpkg-dev (1.13.25) ...
Setting up devscripts (2.9.26) ...


Installing Bind9:

poison:/home/gtoms# apt-get install bind9 bind9-doc dnsutils
Reading package lists... Done
Building dependency tree... Done
dnsutils is already the newest version.
The following NEW packages will be installed:
bind9 bind9-doc
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 486kB of archives.
After unpacking 1393kB of additional disk space will be used.
Get:1 http://security.debian.org etch/updates/main bind9 1:9.3.4-2etch3 [297kB]
Get:2 http://security.debian.org etch/updates/main bind9-doc 1:9.3.4-2etch3 [190kB]
Fetched 486kB in 4s (112kB/s)
Selecting previously deselected package bind9.
(Reading database ... 18963 files and directories currently installed.)
Unpacking bind9 (from .../bind9_1%3a9.3.4-2etch3_i386.deb) ...
Selecting previously deselected package bind9-doc.
Unpacking bind9-doc (from .../bind9-doc_1%3a9.3.4-2etch3_all.deb) ...
Setting up bind9 (9.3.4-2etch3) ...
Adding group `bind' (GID 104) ...
Done.
Adding system user `bind' (UID 104) ...
Adding new user `bind' (UID 104) with group `bind' ...
Not creating home directory `/var/cache/bind'.
wrote key file "/etc/bind/rndc.key"
Starting domain name service...: bind.

Setting up bind9-doc (9.3.4-2etch3) ...
poison:/home/gtoms#

Configuring Bind in a chroot (Debian)
A chroot on a Linux-based operating system is a procedure that changes the root directory seen by a running service and its child processes. When a service runs in chroot mode, it needs its own directory tree, configuration files, device nodes and shared libraries set up beforehand.

poison:/home/gtoms# /etc/init.d/bind9 stop
Stopping domain name service...: bind.

poison:/home/gtoms# nano /etc/default/bind9
#edit and change it to#
OPTIONS="-u bind -t /var/lib/named"

poison:/home/gtoms# mkdir -p /var/lib/named/etc
poison:/home/gtoms# mkdir /var/lib/named/dev
poison:/home/gtoms# mkdir -p /var/lib/named/var/cache/bind
poison:/home/gtoms# mkdir -p /var/lib/named/var/run/bind/run
poison:/home/gtoms# mv /etc/bind /var/lib/named/etc
poison:/home/gtoms# ln -s /var/lib/named/etc/bind /etc/bind
poison:/home/gtoms# mknod /var/lib/named/dev/null c 1 3
poison:/home/gtoms# mknod /var/lib/named/dev/random c 1 8
poison:/home/gtoms# chmod 666 /var/lib/named/dev/*
poison:/home/gtoms# chown -R bind:bind /var/lib/named/var/*
poison:/home/gtoms# chown -R bind:bind /var/lib/named/etc/bind


Adjust the DNS configuration files for the secondary and copy the forward and reverse DNS zones.
poison:/home/gtoms# cd /etc/bind
poison:/etc/bind# ls
db.0 db.127 db.255 db.empty db.local db.root named.conf named.conf.local named.conf.options rndc.key zones.rfc1918 zones
Check them one by one and adjust them for a secondary DNS.
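As an added example (not the author's configuration) of what the adjusted named.conf.local looks like for a secondary: one forward and one reverse slave zone, with zone transfers disabled and notifies accepted only from the primary. example.net.id, the 2.0.192.in-addr.arpa reverse zone and the primary address 192.0.2.1 are placeholders; the `masters` keyword is the one BIND 9.3 understands.

```conf
// Added example (not the author's file); zone names and 192.0.2.1 are placeholders.
// File paths are relative to the chroot root because named runs with -t /var/lib/named.
zone "example.net.id" {
    type slave;
    file "/var/cache/bind/db.example.net.id";   // writable by bind inside the chroot
    masters { 192.0.2.1; };                     // the primary DNS server
    allow-notify { 192.0.2.1; };                // only the primary may trigger a refresh
    allow-transfer { none; };                   // a secondary does not need to serve AXFR
};

zone "2.0.192.in-addr.arpa" {
    type slave;
    file "/var/cache/bind/db.2.0.192.in-addr.arpa";
    masters { 192.0.2.1; };
    allow-notify { 192.0.2.1; };
    allow-transfer { none; };
};
```

After editing, `named-checkconf -t /var/lib/named /etc/bind/named.conf` checks the syntax against the chroot before the service is restarted.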

Setting up Bind logging:
poison:/home/gtoms# nano /etc/default/syslogd
SYSLOGD="-a /var/lib/named/dev/log"

poison:/home/gtoms# /etc/init.d/sysklogd restart
Restarting system log daemon: syslogd.
poison:/home/gtoms#

poison:/home/gtoms# /etc/init.d/bind9 start
Starting domain name service...: bind.

Check that the named service is running on the IP address and port 53
poison:/home/gtoms# netstat -nltup

Sample output of the command above (edited by me):

tcp 0 0 202.51.xxx.x:53 0.0.0.0:* LISTEN 2xxx/named
udp 0 0 202.51.xxx.x:53 0.0.0.0:* 2xxx/named

poison:/home/gtoms# tail -f /var/log/syslog
------------edit-----------------
Jul 27 22:17:26 poison named[2779]: starting BIND 9.3.4-P1.1 -u bind -t /var/lib/named
Jul 27 22:17:26 poison named[2779]: found 1 CPU, using 1 worker thread
Jul 27 22:17:26 poison named[2779]: loading configuration from '/etc/bind/named.conf'
Jul 27 22:17:26 poison named[2779]: listening on IPv6 interfaces, port 53
Jul 27 22:17:26 poison named[2779]: listening on IPv4 interface lo, 127.0.0.1#53
Jul 27 22:17:26 poison named[2779]: listening on IPv4 interface eth0, 202.51.xxx.xxx#53
Jul 27 22:17:26 poison named[2779]: listening on IPv4 interface eth0:0, 202.51.xxx.#53
Jul 27 22:17:26 poison named[2779]: command channel listening on 127.0.0.1#953
Jul 27 22:17:26 poison named[2779]: command channel listening on ::1#953
Jul 27 22:17:26 poison named[2779]: zone 0.in-addr.arpa/IN: loaded serial 1
Jul 27 22:17:26 poison named[2779]: zone 127.in-addr.arpa/IN: loaded serial 1
Jul 27 22:17:26 poison named[2779]: zone 255.in-addr.arpa/IN: loaded serial 1
..................................
..........................


Installing and configuring iptables as a DNS firewall, and Fail2ban

poison:/home/gtoms# apt-get install fail2ban
Reading package lists... Done
Building dependency tree... Done
Suggested packages:
python-gamin
The following NEW packages will be installed:
fail2ban
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 63.6kB of archives.
After unpacking 500kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
fail2ban
Install these packages without verification [y/N]? y
Get:1 http://debian.indika.net.id etch/main fail2ban 0.7.5-2etch1 [63.6kB]
Fetched 63.6kB in 0s (179kB/s)
Selecting previously deselected package fail2ban.
(Reading database ... 19371 files and directories currently installed.)
Unpacking fail2ban (from .../fail2ban_0.7.5-2etch1_all.deb) ...
Setting up fail2ban (0.7.5-2etch1) ...

poison:/home/gtoms#nano /etc/fail2ban/jail.local

poison:/etc/fail2ban# /etc/init.d/fail2ban restart

poison:/home/gtoms# /etc/init.d/fail2ban status
Status of authentication failure monitor: fail2ban is running

poison:/etc/fail2ban# /etc/init.d/fail2ban restart
Restarting authentication failure monitor: fail2ban.

poison:/etc/fail2ban# tail -f /var/log/fail2ban.log
2008-07-27 16:19:08,797 fail2ban.actions.action: INFO Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2008-07-27 16:19:08,801 fail2ban.actions.action: INFO Set actionStop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2008-07-27 16:19:08,805 fail2ban.actions.action: INFO Set actionStart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
2008-07-27 16:19:08,810 fail2ban.actions.action: INFO Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
2008-07-27 16:19:08,813 fail2ban.actions.action: INFO Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
2008-07-27 16:19:11,403 fail2ban.actions: WARNING [ssh] Ban 201.168.65.23

poison:/etc/fail2ban# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-ssh tcp -- anywhere anywhere tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-ssh (1 references)
target prot opt source destination
DROP 0 -- ip-201-168-65-23.marcatel.net.mx anywhere
RETURN 0 -- anywhere anywhere
poison:/etc/fail2ban#

Testing against domains on the internet:

poison:/etc/fail2ban# nslookup
poison:/etc/fail2ban# dig namadomainkantor.net.id

poison:/etc/fail2ban# dig gtoms.com

; <<>> DiG 9.3.4-P1.1 <<>> gtoms.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53514
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;gtoms.com. IN A

;; ANSWER SECTION:
gtoms.com. 14400 IN A 202.80.126.18

;; AUTHORITY SECTION:
gtoms.com. 86400 IN NS ns1.gtoms.com.
gtoms.com. 86400 IN NS ns2.gtoms.com.

;; Query time: 290 msec
;; SERVER: 202.51.xxx.x#53(202.51.xxx.x)
;; WHEN: Sun Jul 27 16:22:47 2008
;; MSG SIZE rcvd: 79

poison:/etc/fail2ban# host -t mx gtoms.com
gtoms.com mail is handled by 0 gtoms.com.

poison:/etc/fail2ban# dig google.com

; <<>> DiG 9.3.4-P1.1 <<>> google.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54839
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 300 IN A 64.233.167.99
google.com. 300 IN A 64.233.187.99
google.com. 300 IN A 72.14.207.99

;; AUTHORITY SECTION:
google.com. 345600 IN NS ns1.google.com.
google.com. 345600 IN NS ns2.google.com.
google.com. 345600 IN NS ns3.google.com.
google.com. 345600 IN NS ns4.google.com.

;; Query time: 211 msec
;; SERVER: 202.51.xxx.x#53(202.51.xxx.x)
;; WHEN: Sun Jul 27 16:24:56 2008
;; MSG SIZE rcvd: 148

poison:/etc/fail2ban# dig yahoo.com

; <<>> DiG 9.3.4-P1.1 <<>> yahoo.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45131
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 2

;; QUESTION SECTION:
;yahoo.com. IN A

;; ANSWER SECTION:
yahoo.com. 21600 IN A 68.180.206.184
yahoo.com. 21600 IN A 206.190.60.37

;; AUTHORITY SECTION:
yahoo.com. 171199 IN NS ns1.yahoo.com.
yahoo.com. 171199 IN NS ns2.yahoo.com.
yahoo.com. 171199 IN NS ns3.yahoo.com.
yahoo.com. 171199 IN NS ns4.yahoo.com.
yahoo.com. 171199 IN NS ns5.yahoo.com.
yahoo.com. 171199 IN NS ns6.yahoo.com.
yahoo.com. 171199 IN NS ns8.yahoo.com.

;; ADDITIONAL SECTION:
ns6.yahoo.com. 171199 IN A 202.43.223.170
ns8.yahoo.com. 171199 IN A 202.165.104.22

;; Query time: 69 msec
;; SERVER: 202.51.xxx.x#53(202.51.xxx.x)
;; WHEN: Sun Jul 27 16:25:01 2008
;; MSG SIZE rcvd: 217

poison:/etc/fail2ban# traceroute www.google.com
traceroute: Warning: www.google.com has multiple addresses; using 72.14.235.99
traceroute to www.l.google.com (72.14.235.99), 30 hops max, 40 byte packets
1 xxxxxxxxxxxxxxxxxxxxxxxxxxxx 0.443 ms 0.420 ms 0.401 ms
2 xxxxxxxxxxxxxxxxxxxxxxxxxxxx 0.806 ms 0.753 ms 0.770 ms
3 ge-0-1-0.gw-01.jkt.indosat.net.id (202.155.27.29) 0.826 ms 0.875 ms 0.745 ms
4 ge-0-2-0.distri-04.jkt.ipbb.indosat.net.id (202.155.137.17) 0.906 ms 0.990 ms 0.793 ms
5 202.93.46.219 (202.93.46.219) 0.918 ms 0.970 ms 0.728 ms
6 202.93.41.113 (202.93.41.113) 62.176 ms 62.408 ms 62.521 ms
7 72.14.196.77 (72.14.196.77) 62.386 ms 64.191 ms 62.824 ms
8 64.233.175.209 (64.233.175.209) 62.111 ms 63.149 ms 62.156 ms
9 209.85.250.120 (209.85.250.120) 84.550 ms 209.85.240.28 (209.85.240.28) 79.913 ms 79.680 ms
10 209.85.243.23 (209.85.243.23) 82.914 ms 85.458 ms 209.85.250.101 (209.85.250.101) 84.707 ms
11 72.14.232.217 (72.14.232.217) 93.618 ms 72.14.232.221 (72.14.232.221) 85.379 ms 95.766 ms
12 tw-in-f99.google.com (72.14.235.99) 84.124 ms 82.807 ms 84.274 ms


Testing for the DNS cache poisoning vulnerability using http://www.doxpara.com/
Your name server, at 202.51.xxx.x, appears to be safe, but make sure the ports listed below aren't following an obvious pattern (:1001, :1002, :1003, or :30000, :30020, :30100...).Requests seen for 306343ed515c.doxdns5.com:
202.51.xxx.x:31446 TXID=27296
202.51.xxx.x:6985 TXID=23960
202.51.xxx.x:51540 TXID=60774
202.51.xxx.x:64725 TXID=13103
202.51.xxx.x:30809 TXID=7513

Testing for the DNS cache poisoning vulnerability using the office name server:
gtoms@poison:~$ dig +short @ns2.domainkantor.net.id porttest.dns-oarc.net TXT
porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"202.51.xxx.x is GREAT: 26 queries in 7.4 seconds from 26 ports with std dev 18904"
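As an added check (not part of the original write-up) for the two source-port tests above: this Python script parses request lines in the doxpara 'ip:port TXID=n' format, measures the spread of ports and transaction IDs, and flags the obvious patterns the test page warns about (a counter like :1001, :1002, a fixed port, little spread). The samples are constructed and the POOR/FAIR/GOOD thresholds are my own assumptions, not doxpara's or DNS-OARC's.

```python
import re
import statistics

# Constructed sample in the 'ip:port TXID=n' format of the doxpara.com port test
GOOD_SAMPLE = """\
202.51.xxx.x:31446 TXID=27296
202.51.xxx.x:6985 TXID=23960
202.51.xxx.x:51540 TXID=60774
202.51.xxx.x:64725 TXID=13103
202.51.xxx.x:30809 TXID=7513
"""

# Constructed sample of a resolver that still increments its source port
BAD_SAMPLE = """\
10.0.0.53:1001 TXID=27296
10.0.0.53:1002 TXID=23960
10.0.0.53:1003 TXID=60774
10.0.0.53:1004 TXID=13103
10.0.0.53:1005 TXID=7513
"""

LINE_RE = re.compile(r"^(?P<ip>\S+):(?P<port>\d+)\s+TXID=(?P<txid>\d+)\s*$")

def parse_requests(text):
    """Return (port, txid) pairs from doxpara-style request lines; other lines are ignored."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pairs.append((int(m.group("port")), int(m.group("txid"))))
    return pairs

def looks_sequential(values, max_step=256):
    """True when consecutive values all move one way in small steps (1001, 1002, 1003...)."""
    if len(values) < 3:
        return False
    steps = [b - a for a, b in zip(values, values[1:])]
    one_direction = all(s > 0 for s in steps) or all(s < 0 for s in steps)
    return one_direction and max(abs(s) for s in steps) <= max_step

def assess(text):
    """Summarise port/TXID spread and give a verdict (thresholds are an assumption)."""
    pairs = parse_requests(text)
    if len(pairs) < 2:
        raise ValueError("need at least two requests to judge randomness")
    ports = [p for p, _ in pairs]
    txids = [t for _, t in pairs]
    port_sd = statistics.pstdev(ports)
    txid_sd = statistics.pstdev(txids)
    # A reused port, a counter, or very little spread is the pre-patch behaviour
    if len(set(ports)) < len(ports) or looks_sequential(ports) or port_sd < 1000:
        verdict = "POOR"
    elif looks_sequential(txids) or port_sd < 10000:
        verdict = "FAIR"
    else:
        verdict = "GOOD"
    return {"queries": len(pairs), "distinct_ports": len(set(ports)),
            "port_stddev": round(port_sd), "txid_stddev": round(txid_sd),
            "sequential_ports": looks_sequential(ports), "verdict": verdict}
```

With only five requests a pattern is indicative rather than proof, so repeat the check the way the page does with the DNS-OARC query, which samples more queries.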


Capture documentation:




Henry Gultom
henry at gultom dot or dot id
JUL 30 2008