DNS master-slave: Securing zone transfer with TSIG

Install bind-chroot on both servers

# yum install bind-chroot

From Primary DNS

# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST master-slave
Kmaster-slave.+157+50029

The output tells us the name of the file containing our new key: in this case
Kmaster-slave.+157+50029.private. The numbers are the DNSSEC algorithm
(157 = HMAC-MD5) and the key's fingerprint (50029), which will probably be different on your machine.

From Kmaster-slave.+157+50029.private we will extract the shared key:
# cat Kmaster-slave.+157+50029.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: axdafafFTdafaCSDF090DSDs==

The key here is axdafafFTdafaCSDF090DSDs==; this will be different in your file. Keep track of this file;
we will need it for testing our configuration later.

On both the master and slave name server, create a new file called /var/named/chroot/etc/transfer.key with
the following contents:

key "master-slave." {
algorithm hmac-md5;
secret "axdafafFTdafaCSDF090DSDs==";
};

Protect the contents of the transfer.key so only the nameserver can read it and only root can write to it:
# chown root:named /var/named/chroot/etc/transfer.key
# chmod 640 /var/named/chroot/etc/transfer.key
# ln -s /var/named/chroot/etc/transfer.key /etc/transfer.key
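To show what the secret in transfer.key is actually used for, here is an added example (not code from the article or from BIND) that signs a minimal AXFR request the way RFC 2845 TSIG does and verifies it the way the master's named would: HMAC-MD5 over the unsigned message plus the TSIG variables (key name, class ANY, TTL 0, algorithm name, time signed, fudge, error, other data), a fudge-window check, and a constant-time MAC comparison. The key name follows the article; the secret and the wrong-secret value are constructed placeholders, and the zone name example.com. is an assumption.

```python
import base64
import hashlib
import hmac
import struct
import time

# Key name as in the article; the secret is a constructed 16-byte placeholder
# (128 bits, the size dnssec-keygen -b 128 produces), not a real key.
KEY_NAME = "master-slave."
SECRET_B64 = base64.b64encode(bytes(range(16))).decode()
WRONG_SECRET_B64 = base64.b64encode(bytes(16)).decode()  # constructed: a stale/mismatched slave key

ALGORITHM_NAME = "hmac-md5.sig-alg.reg.int."  # TSIG algorithm name for HMAC-MD5 (RFC 2845)
TYPE_AXFR, TYPE_TSIG = 252, 250
CLASS_IN, CLASS_ANY = 1, 255


def encode_name(name):
    """DNS wire format of a domain name: length-prefixed labels ending in a zero byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_axfr_query(zone, msg_id=0x1234):
    """Minimal unsigned AXFR request: 12-byte header with QDCOUNT=1 and one question."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN)


def header_counts(message):
    """(QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT) from a wire-format message."""
    return struct.unpack("!HHHH", message[4:12])


def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """The TSIG variables RFC 2845 appends to the message before hashing."""
    return (encode_name(key_name.lower())
            + struct.pack("!HI", CLASS_ANY, 0)        # class ANY, TTL 0
            + encode_name(ALGORITHM_NAME)
            + struct.pack("!Q", time_signed)[2:]      # 48-bit "time signed"
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def tsig_mac(secret_b64, message, key_name, time_signed, fudge):
    """HMAC-MD5 over the unsigned message followed by the TSIG variables."""
    key = base64.b64decode(secret_b64)
    data = message + tsig_variables(key_name, time_signed, fudge)
    return hmac.new(key, data, hashlib.md5).digest()


def sign_request(secret_b64, message, key_name, time_signed=None, fudge=300):
    """Client (slave) side: compute the MAC, append the TSIG RR, bump ARCOUNT."""
    if time_signed is None:
        time_signed = int(time.time())
    mac = tsig_mac(secret_b64, message, key_name, time_signed, fudge)
    rdata = (encode_name(ALGORITHM_NAME)
             + struct.pack("!Q", time_signed)[2:]
             + struct.pack("!HH", fudge, len(mac)) + mac
             + message[:2]                            # original message ID
             + struct.pack("!HH", 0, 0))              # error 0, other-len 0
    rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = header_counts(message)[3] + 1
    signed = message[:10] + struct.pack("!H", arcount) + message[12:] + rr
    return signed, mac, time_signed


def verify_request(secret_b64, message, key_name, mac, time_signed, fudge=300, now=None):
    """Server (master) side: reject requests outside the fudge window, then recompute the
    MAC with the local copy of the secret and compare in constant time. 'message' is the
    request as it was before the TSIG RR was appended (what named reconstructs after parsing)."""
    if now is None:
        now = int(time.time())
    if abs(now - time_signed) > fudge:
        return False                                  # BADTIME: replay or clock skew
    expected = tsig_mac(secret_b64, message, key_name, time_signed, fudge)
    return hmac.compare_digest(expected, mac)         # BADSIG when the secrets differ


if __name__ == "__main__":
    query = build_axfr_query("example.com.")
    signed, mac, ts = sign_request(SECRET_B64, query, KEY_NAME)
    print("signed request:", len(signed), "bytes, MAC", mac.hex())
    print("same secret   :", verify_request(SECRET_B64, query, KEY_NAME, mac, ts))
    print("wrong secret  :", verify_request(WRONG_SECRET_B64, query, KEY_NAME, mac, ts))
```

Two things the code makes visible: the MAC covers the whole request and the key name, so a server holding a different secret (or a different key name) rejects the transfer, and the time-signed/fudge fields are why both servers need roughly synchronised clocks. Nothing is encrypted; TSIG only authenticates, which is why the secret file itself has to be protected as described above.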

In /var/named/chroot/etc/named.conf on both the master and slave server, add the following lines at the very top of the file

include "/etc/transfer.key";
On the slave server, prohibit all zone transfers from anywhere by adding this line to your options block:

options {
allow-transfer { none; };
};

Slave DNS

# vi /etc/named.conf

Add the following lines

include "/etc/transfer.key";
server 208.67.222.22 {
keys { master-slave.; };
};

On the master server, change the allow-transfer line in your options block so the file appears as follows:
# vi /etc/named.conf

include "/etc/transfer.key";
options {
listen-on port 53 { 127.0.0.1; 192.168.1.1; 208.67.222.22; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
query-source port 53;
query-source-v6 port 53;
allow-query { localhost; any; };
allow-transfer { key master-slave.; };
allow-notify { 208.67.222.23; };
version "Bind";
};
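The pieces above have to agree across two files and two servers: the key stanza in transfer.key, the `keys { ...; }` reference in the slave's server block, and the `allow-transfer { key ...; }` ACL on the master. Here is an added example (not from the article or from BIND) of a small lint for that wiring, worth running over the concatenated transfer.key and named.conf before named-checkconf: it flags typographic quotes (a common copy-paste error from web pages), key references that do not match a defined key (ignoring case and the trailing dot, as named does), a malformed or short secret, and a missing or `any` allow-transfer. The config fragments and the secret are constructed for the example, following the article's layout.

```python
import base64
import re

# Constructed 16-byte secret, the size dnssec-keygen -b 128 produces; not a real key.
GOOD_SECRET = base64.b64encode(bytes(range(16))).decode()


def key_stanza(name, secret, q='"'):
    """Build a transfer.key stanza; q lets the example reproduce the curly-quote mistake."""
    return f'key {q}{name}{q} {{\n    algorithm hmac-md5;\n    secret {q}{secret}{q};\n}};\n'


# Constructed master and slave configs in the article's layout (key stanza + named.conf).
MASTER_CONF = key_stanza("master-slave.", GOOD_SECRET) + (
    'options {\n    directory "/var/named";\n    allow-transfer { key master-slave.; };\n};\n')
SLAVE_CONF = key_stanza("master-slave.", GOOD_SECRET) + (
    'options {\n    allow-transfer { none; };\n};\n'
    'server 208.67.222.22 {\n    keys { master-slave.; };\n};\n')
# A copy-paste gone wrong: typographic quotes, a misspelled key reference, an open transfer ACL.
BROKEN_CONF = key_stanza("master-slave.", GOOD_SECRET, q="\u201c") + (
    'options {\n    allow-transfer { any; };\n};\n'
    'server 208.67.222.22 {\n    keys { master_slave.; };\n};\n')

CURLY = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"})
KEY_DEF = re.compile(r'\bkey\s+"([^"]+)"\s*\{([^}]*)\}', re.S)
ALG = re.compile(r'\balgorithm\s+([\w.-]+)\s*;')
SECRET = re.compile(r'\bsecret\s+"([^"]+)"\s*;')
KEYS_REF = re.compile(r'\bkeys\s*\{([^}]*)\}', re.S)
XFER = re.compile(r'\ballow-transfer\s*\{([^}]*)\}', re.S)
B64 = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')


def norm(name):
    """named treats master-slave and master-slave. as the same key name, so compare that way."""
    return name.strip().lower().rstrip(".")


def lint_tsig_config(text):
    """Return a list of problems; an empty list means the key/ACL wiring is consistent."""
    problems = []
    if any(ord(c) in CURLY for c in text):
        problems.append('typographic quotes found; named.conf needs plain ASCII " quotes')
        text = text.translate(CURLY)                     # keep checking the rest
    text = re.sub(r'(//|#)[^\n]*', '', text)             # drop line comments
    defined = set()
    for name, body in KEY_DEF.findall(text):
        defined.add(norm(name))
        if not ALG.search(body):
            problems.append(f'key "{name}": no algorithm statement')
        m = SECRET.search(body)
        if not m:
            problems.append(f'key "{name}": no secret statement')
        elif not B64.match(m.group(1)) or len(m.group(1)) % 4:
            problems.append(f'key "{name}": secret is not well-formed base64')
        elif len(base64.b64decode(m.group(1))) < 16:
            problems.append(f'key "{name}": secret is shorter than 128 bits')
    referenced = set()
    for body in KEYS_REF.findall(text):                  # server { keys { ...; }; }
        referenced.update(norm(k) for k in body.split(";") if k.strip())
    acls = XFER.findall(text)
    if not acls:
        problems.append("no allow-transfer statement; transfers are not restricted to the key")
    for body in acls:
        for entry in (e.strip() for e in body.split(";") if e.strip()):
            if entry == "any":
                problems.append("allow-transfer { any; } lets every client pull the zone")
            elif entry.startswith("key "):
                referenced.add(norm(entry[4:]))
    for name in sorted(referenced - defined):
        problems.append(f'key "{name}" is referenced but never defined (check spelling and the trailing dot)')
    return problems


if __name__ == "__main__":
    for label, conf in (("master", MASTER_CONF), ("slave", SLAVE_CONF), ("broken", BROKEN_CONF)):
        print(label, "->", lint_tsig_config(conf) or "ok")
```

Run it with `cat /var/named/chroot/etc/transfer.key /var/named/chroot/etc/named.conf` piped into `lint_tsig_config` on each server; the master should reference the key only in allow-transfer, the slave only in its server block, and both must carry the identical key stanza.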

Now restart named on both servers. The fixed query-source port 53 lines in the master's options block are kept here as in the original configuration; they are not needed for TSIG, and pinning the port disables named's source-port randomisation for outgoing queries.

lordfrancs3

Lordfrancis3 is a member of PinoyLinux since its establishment in 2011. With a wealth of experience spanning numerous years, he possesses a profound understanding of managing and deploying intricate infrastructure. His contributions have undoubtedly played a pivotal role in shaping the community's growth and success. His expertise and dedication reflect in every aspect of the journey, as PinoyLinux continues to champion the ideals of Linux and open-source technology. LordFrancis3's extensive experience remains an invaluable asset, and his commitment inspires fellow members to reach new heights. His enduring dedication to PinoyLinux's evolution is truly commendable.
