LR06 Report PDF

Title LR06 Report
Course Networking Services
Institution Rochester Institute of Technology
Pages 13
File Size 1.2 MB
File Type PDF

Summary

Walk-through of the Lab 6 lab report, with background information and answers to the lab questions with explanations.


Description

Information Sciences and Technology Department
Network Services, Fall 2171 – Lab 6 Report Template
Name:

1. Final Network Topology (10 points) Produce an electronically generated topology of the network at the completion of Lab 6. Be sure to include all relevant information, hostnames for each device, IPv4 addresses, network masks, gateways and domain/zone information. Identify all DNS servers and clients used in the lab, including the parent, child, and any secondary DNS servers. You may include some of the information in a table, if the diagram gets too busy.

Arcoraci


2. Adding a new Zone to Windows Server 2016 (10 points) Include the capture of the network trace of the zone transfer between Windows Server 2016 and CentOS 7. Expand the DNS zone transfer message and explain what information is being sent to the CentOS 7 secondary server. Include a screenshot of the expanded AXFR message and explain any changes made to named.conf or any zone data files created in /var/named after the zone transfer succeeds. Explain changes that occurred as a result of the transfer, not the configuration changes made by you.

Zone change notifications from Windows Server 2016 and CentOS 7:

-As you can see, I just wanted to display the zone change notifications I captured for the connections between the Windows Server primary and the CentOS secondary server. I will reference below a few of the packets and explain what they are doing in regard to updating and checking the resource records of the secondary and primary servers.

Zone change Packet No. 6:


Looking at packet number 6 in the Wireshark capture, we can see that the CentOS 7 secondary is querying the primary for the start of authority (SOA) record of the zone. This is the check that follows a NOTIFY: the secondary compares the serial in the primary's SOA with the serial of its own copy and only requests a transfer if the primary's serial is newer. The primary Windows Server 2016 answers with the SOA of myco.dmg7152.com, and the transfer that follows carries every resource record of the zone to the secondary.

Added/changed in named.conf:

    zone "therico.myco.dmg7152.com" IN {
        type slave;
        file "slaves/therico.myco.dmg7152.com.dns";
        masters { 10.150.71.2; };
    };

-A zone declaration was added to the named.conf of the CentOS server because the new zone created on the Windows primary must be declared as a slave zone before named will accept and store it; masters names the only primary it will pull the zone from. /var/named/slaves received the file therico.myco.dmg7152.com.dns after the transfer:
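The serial check described above, as an added example (not code from the lab report or from BIND): a secondary receives the primary's SOA, compares serials with RFC 1982 wrap-around arithmetic as BIND does, and decides whether an AXFR is needed. The SOA text and the host names in it are constructed sample data, not the packet from the lab.

```python
"""Secondary-side serial check after a NOTIFY (RFC 1996 / RFC 1982).

Added example, not code from the lab report or BIND. After a NOTIFY the
secondary asks the primary for the zone's SOA, compares the serial in that
answer with the serial of its own copy, and only then starts an AXFR.
"""
from typing import Optional

SERIAL_MOD = 1 << 32    # SOA serials are 32-bit and wrap around
SERIAL_HALF = 1 << 31


def parse_soa_serial(soa_rdata: str) -> int:
    """Serial is the third field of SOA presentation data:
    MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM."""
    fields = soa_rdata.split()
    if len(fields) != 7:
        raise ValueError("SOA rdata must have exactly 7 fields")
    return int(fields[2])


def serial_newer(a: int, b: int) -> bool:
    """True if serial a is newer than b under RFC 1982 arithmetic
    (handles a serial that wrapped past 2**32 - 1 back to 0)."""
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    if a == b:
        return False
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def decide_transfer(primary_soa: str, local_serial: Optional[int]) -> str:
    """Return the action a secondary takes: 'axfr' (pull the zone) or 'none'."""
    primary_serial = parse_soa_serial(primary_soa)
    if local_serial is None:
        return "axfr"      # no copy yet: the first transfer creates slaves/<zone>.dns
    if serial_newer(primary_serial, local_serial):
        return "axfr"      # primary has a newer zone, refresh the copy
    return "none"          # same serial (or local is newer): nothing to do


# Constructed SOA answer, in the form `dig SOA` prints the rdata (not the lab's packet)
SAMPLE_SOA = ("winserv.myco.dmg7152.com. hostmaster.myco.dmg7152.com. "
              "2017110602 900 600 86400 3600")

if __name__ == "__main__":
    print(decide_transfer(SAMPLE_SOA, None), decide_transfer(SAMPLE_SOA, 2017110602))
```

The wrap-around rule matters in practice: a secondary that compares serials with plain integer arithmetic would refuse to transfer after an administrator resets a zone serial from a date-based value to a small one, whereas RFC 1982 treats a jump of more than 2^31 as a decrease.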

Contents of the new file added to slaves:

-After the first zone transfer the forward lookup zone file was added to the slaves directory of the CentOS server, so the secondary now holds its own copy of the zone's resource records and can keep them current with the primary.

(5 points) What command and arguments were used to convert the RAW data to TEXT data for the zone data file transferred to the Linux secondary server. In your own words explain what command and any associated arguments were used and their purpose.

Code Examples: convert raw zone file "example.net.raw", containing data for zone example.net, to text-format zone file "example.net.text":

Command -> [named-compilezone -f raw -F text -o example.net.text example.net example.net.raw]
-f raw: the format of the input file (raw is BIND's binary zone format, which BIND 9.9 and later use for slave zones unless masterfile-format is changed)
-F text: the format to write (the standard text master-file format)
-o example.net.text: the output file to create
example.net: the origin of the zone being converted
example.net.raw: the input file being read


convert text format zone file "example.net.text", containing data for zone example.net, to raw zone file "example.net.raw":

Command -> [named-compilezone -f text -F raw -o example.net.raw example.net example.net.text]
-f text: the format of the input file (text)
-F raw: the format to write (raw)
-o example.net.raw: the output file to create
example.net: the origin of the zone being converted
example.net.text: the input file being read

-[The "named-compilezone" utility, which is part of the BIND distribution, can be used to convert zones from text to raw and from raw to text. (https://kb.isc.org/article/AA-00608/0/Converting-ZoneFiles-Between-Text-and-Raw-Formats.html)]

Conversion Command:

Before conversion:

After conversion:

3. Delegation (10 points) Use your network trace to explain what is happening and the behavior of the DNS traffic between the parent and child domain servers. Be sure to include the network trace in your answer and explain in detail the changes that occurred and why the requests are successful. You must use the network trace as evidence to support your answer, failure to provide the network trace may result in receiving zero points for this question.


Delegation shown on Windows Server 2016:

Delegation using dig on the domain name address:

Explanation for the Wireshark capture and the dig output: As the capture and the dig output show, names under the delegated sub-domain centservchild.myco.dmg7152.com are served by the child name server itself. A query that starts at the parent [centserv.myco.dmg7152.com.], the primary authoritative server for the domain [myco.dmg7152.com], is not answered there; the parent instead returns a referral carrying the NS record(s) that delegate the sub-domain to the child server. Because the child server's own host name lies inside the zone it serves, a resolver would have to ask the child for the child's address, an impossible circular dependency. This is resolved with a glue record: an A (or AAAA) record for the child name server that the parent includes in the additional section of its referral even though the parent is not authoritative for that name. The glue is not a trusted answer, only a pointer to the authoritative server, which is enough for the resolver to reach the child and complete the lookup. As the Wireshark captures below and the dig capture above show, the child domain is properly delegated from the parent.

Wireshark Traces: DNS Query Request:


DNS Query Response:

(5 points) Explain the importance of recursion with regards to the delegation, particularly if recursion is not allowed by the parent name server. If the parent name server does not allow recursion, a query it receives for a name in the child zone gets only a referral back: the NS records for the delegated sub-domain plus glue, never the final answer. The client must therefore send its queries to a recursive resolver, which follows the referral to the child server itself; a stub resolver pointed straight at a non-recursive parent would never resolve child names. Recursion is also a security concern, because attackers can abuse it to deny the DNS service. A DNS amplification attack is a popular form of distributed denial of service (DDoS) that relies on publicly accessible open recursive DNS servers to overwhelm a victim with DNS response traffic. If any DNS server in your network is not intended to receive recursive queries (here the authoritative parent and child servers), recursion should be disabled on that server, and recursive service should be offered only by a resolver restricted to your own clients.

4. Reverse Delegation (10 points) Include in your report the screenshots of the changes made to the parent zone data file and the reverse zone data file for the child domain. Explain the resource records that were added to the files and why they are needed.

Parent Zone Data File:

1. Add a zone definition for the child zone to the named.conf of the parent and also allow transfer:

    zone "centservchild.myco.dmg7152.com" in {
        type slave;
        file "slaves/centservchild.myco.dmg7152.com.dns";
        masters { 10.150.71.17; };
    };
    allow-transfer { 10.150.71.2; 10.150.71.17; key centserv_centservchild. ; };

-The zone statement makes the parent name server a secondary for the child's zone, so it pulls a copy from the child server at 10.150.71.17 and refreshes it whenever the child's serial changes; allow-transfer restricts who may transfer zones from the parent to those two addresses and to any peer that signs its request with the TSIG key centserv_centservchild.

2. Add CNAME resource records to the reverse zone file for the devices and also declare the name server:

    ;ns for the child domain (trailing dot added: without it named appends the zone origin to the name)
    16-28   IN NS    centservchild.myco.dmg7152.com.
    ;child server
    17      IN CNAME 17.16-28.71.150.10.in-addr.arpa.   ;maps to child
    18      IN CNAME 18.16-28.71.150.10.in-addr.arpa.   ;maps to host1
    19      IN CNAME 19.16-28.71.150.10.in-addr.arpa.   ;maps to host2
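The reverse-zone records above, generated rather than hand-written, as an added example (not code from the lab report or from BIND). It produces both halves of the RFC 2317 technique: the parent's 71.150.10.in-addr.arpa zone gets an NS record for the "16-28" sub-zone plus one CNAME per address in the block, and the child's 16-28.71.150.10.in-addr.arpa zone holds the real PTR records. The block 10.150.71.16/28 and the child name server are the lab's; the full host names host1/host2 under the child domain, and the SOA timer values, are assumptions.

```python
"""Generate RFC 2317 (classless in-addr.arpa) delegation records.

Added example, not code from the lab report or BIND.
"""
import ipaddress
from typing import Dict, List


def classless_reverse(cidr: str, child_ns: str, hosts: Dict[int, str]) -> Dict[str, List[str]]:
    """Return zone-file lines for the parent /24 reverse zone and the
    delegated sub-zone. `hosts` maps the last octet to the PTR target."""
    net = ipaddress.ip_network(cidr)
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("RFC 2317 applies to IPv4 blocks smaller than a /24")

    o1, o2, o3, first = net.network_address.packed
    parent_zone = f"{o3}.{o2}.{o1}.in-addr.arpa."
    label = f"{first}-{net.prefixlen}"            # e.g. "16-28"
    child_zone = f"{label}.{parent_zone}"          # 16-28.71.150.10.in-addr.arpa.
    ns_domain = child_ns.split(".", 1)[1]          # assumption: hostmaster mailbox in the NS's domain

    parent = [
        f"$ORIGIN {parent_zone}",
        f"; RFC 2317 delegation of {cidr} to {child_ns}",
        f"{label} IN NS {child_ns}",
    ]
    child = [
        f"$ORIGIN {child_zone}",
        # SOA timer values below are constructed, not the lab's
        f"@ IN SOA {child_ns} hostmaster.{ns_domain} 1 3600 900 604800 86400",
        f"@ IN NS {child_ns}",
    ]
    for addr in net:                               # every address in the block, 16..31 for a /28
        n = addr.packed[3]
        parent.append(f"{n} IN CNAME {n}.{child_zone}")   # parent's PTR name -> sub-zone name
        if n in hosts:
            child.append(f"{n} IN PTR {hosts[n]}")          # real PTR lives in the sub-zone
    return {"parent": parent, "child": child}


# Lab addresses; the host1/host2 FQDNs are assumed to live under the child domain
LAB_HOSTS = {
    17: "centservchild.myco.dmg7152.com.",
    18: "host1.centservchild.myco.dmg7152.com.",
    19: "host2.centservchild.myco.dmg7152.com.",
}

if __name__ == "__main__":
    zones = classless_reverse("10.150.71.16/28", "centservchild.myco.dmg7152.com.", LAB_HOSTS)
    print("\n".join(zones["parent"] + [""] + zones["child"]))
```

A resolver looking up 18.71.150.10.in-addr.arpa. follows the CNAME to 18.16-28.71.150.10.in-addr.arpa., which the NS record delegates to the child server, and the child's PTR record supplies the answer; the parent never needs to know the host names.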

- Here is my name server and subnet declaration for the child DNS server [centservchild.myco.dmg7152.com]. This is what lets a reverse lookup that reaches the parent server [centserv.myco.dmg7152.com] be answered for centservchild, host1 and host2: the NS record delegates the 16-28 sub-zone to the child server, and each CNAME maps the parent's PTR name (for example 17.71.150.10.in-addr.arpa.) to the corresponding name in the delegated sub-zone (17.16-28.71.150.10.in-addr.arpa.), where the child zone holds the real PTR record. The CNAMEs cover only the reverse direction; forward (A) records for the child server and its hosts must still exist in the forward zone, and the NS target name has to resolve for the delegation to work at all.

(5 points) In your own words summarize the technique explained in RFC 2317. RFC 2317 describes classless in-addr.arpa delegation. Ordinary reverse delegation works on octet boundaries, one in-addr.arpa zone per /24 (or /16, /8). RFC 2317 lets an administrator delegate authoritative reverse DNS for a block smaller than a /24, that is a subnet with fewer than eight host bits, without handing over the whole /24. The owner of the /24 creates a sub-zone named after the block (such as 16-28) with an NS record pointing at the block holder's name server, and for every address in the block adds a CNAME from the normal PTR name to the same name inside that sub-zone; the block holder then publishes the actual PTR records in the sub-zone.

5. DNS Topology


(20 points) In your lab report, include an electronically generated DNS topological diagram. A diagram showing which client uses which DNS server as its primary and secondary DNS server. It also shows the relationship between primary and secondary servers, as well as the delegation between parent and child domain servers. Be sure to include all DNS suffixes in the diagram and label each server as primary or secondary. Do not show the virtual connections; this diagram should only show how DNS traffic is being exchanged between the primary, secondary, and child name servers and the clients (resolvers). Use a solid arrow to illustrate DNS messages between a client and its primary name server. If a loopback is involved use a double-ended solid arrow. Use a dashed arrow to illustrate DNS messages being exchanged between a client and its secondary DNS server. Use a thick arrow and label it to denote a master and slave relationship for a specific zone. For a parent zone that delegates to a child use a red dotted arrow.

[DNS topology diagram; only the label "myco.com" survives extraction]


6. DNSSEC


(5 points) Include the command used to create the TSIG key for the zone transfer for your domain. In your own words, explain all the arguments used in the command and their purpose. Hint: The dnssec-keygen utility has a man page.

Command: [dnssec-keygen -a hmac-sha256 -b 112 -n HOST centserv_centservchild]
-a: selects the algorithm the key will be used with
hmac-sha256: the algorithm itself, a keyed hash (HMAC) built on SHA-256; TSIG authenticates messages with it, nothing is encrypted
-b: the size of the key in bits (112 here)
-n: the name type (owner) of the key
HOST: the key belongs to a host rather than to a zone or a user
centserv_centservchild: the name of the key; both name servers must configure the key under this same name, because the name is sent in the TSIG record and covered by the MAC

Keys Created: Key File:

Private key file (.private; for an HMAC key it holds the same shared secret as the .key file, and it is this secret, not a DNSSEC signing key, that both servers load into their key statements):

(5 points) What are the recommendations of NIST as it relates to the algorithm and key size used to create TSIG keys? The man page of [dnssec-keygen] lists the key sizes BIND accepts for each algorithm: "Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC keys must be between 1 and 512 bits. Elliptic curve algorithms don't need this parameter. The key size does not need to be specified if using a default algorithm. The default key size is 1024 bits for zone signing keys (ZSK's) and 2048 bits for key signing keys (KSK's, generated with -f KSK). However, if an algorithm is explicitly specified with the -a, then there is no default key size, and the -b must be used." These are BIND's accepted ranges, not NIST's recommendation. NIST's guidance is narrower: SP 800-81-2 (Secure Domain Name System Deployment Guide) calls for SHA-2 based HMACs such as HMAC-SHA-256 and treats HMAC-MD5 as no longer acceptable, and SP 800-131A sets 112 bits as the minimum acceptable HMAC key length. The 112-bit key above therefore sits exactly at the floor; ISC's own documentation examples use 256-bit keys for hmac-sha256, and a longer key costs nothing extra.
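What the shared secret generated above is actually used for, as an added example (not code from the lab report or from BIND): a TSIG signer and verifier for HMAC-SHA256 following RFC 8945. The MAC covers the DNS message plus the TSIG variables (key name, algorithm, time signed, fudge), so a message that was altered, signed with a different key, or replayed outside the fudge window is rejected. The key name centserv_centservchild and the child host name are the lab's; the secret, the query name and the timestamp are constructed, and the verifier handles only uncompressed names as this example builds them.

```python
"""TSIG (RFC 8945) signing and verification with HMAC-SHA256.

Added example, not code from the lab report or BIND.
"""
import hashlib
import hmac
import struct
from typing import Tuple

TSIG_TYPE = 250
CLASS_ANY = 255
ALGORITHM = "hmac-sha256."
KEY_NAME = "centserv_centservchild"
SECRET = b"constructed-demo-secret-not-a-real-key"   # constructed; real keys come from the .key file


def wire_name(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of a domain name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(buf: bytes, pos: int) -> Tuple[str, int]:
    labels = []
    while True:
        n = buf[pos]
        pos += 1
        if n == 0:
            return ".".join(labels) + ".", pos
        if n & 0xC0:
            raise ValueError("compressed names are not handled in this example")
        labels.append(buf[pos:pos + n].decode("ascii"))
        pos += n


def build_query(qname: str, qtype: int = 1, msg_id: int = 0x1234) -> bytes:
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + wire_name(qname) + struct.pack("!HH", qtype, 1)


def tsig_variables(keyname: str, time_signed: int, fudge: int, error: int = 0, other: bytes = b"") -> bytes:
    """The TSIG fields covered by the MAC (RFC 8945 section 4.3.3)."""
    return (wire_name(keyname) + struct.pack("!HI", CLASS_ANY, 0)
            + wire_name(ALGORITHM) + struct.pack("!Q", time_signed)[2:]   # 48-bit time
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(msg: bytes, keyname: str, secret: bytes, time_signed: int, fudge: int = 300) -> bytes:
    mac = hmac.new(secret, msg + tsig_variables(keyname, time_signed, fudge), hashlib.sha256).digest()
    rdata = (wire_name(ALGORITHM) + struct.pack("!Q", time_signed)[2:]
             + struct.pack("!HH", fudge, len(mac)) + mac
             + msg[:2] + struct.pack("!HH", 0, 0))                        # original ID, error, other len
    rr = wire_name(keyname) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1                      # TSIG goes last in additional
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr


def tsig_verify(signed: bytes, keyname: str, secret: bytes, now: int) -> bool:
    pos = 12
    for _ in range(struct.unpack("!H", signed[4:6])[0]):                  # skip the question(s)
        _, pos = read_name(signed, pos)
        pos += 4
    rr_start = pos
    name, pos = read_name(signed, pos)
    rtype, _rclass, _ttl, _rdlen = struct.unpack("!HHIH", signed[pos:pos + 10])
    pos += 10
    if rtype != TSIG_TYPE or name != keyname.lower().rstrip(".") + ".":
        return False
    alg, p = read_name(signed, pos)
    time_signed = int.from_bytes(signed[p:p + 6], "big")
    fudge, macsize = struct.unpack("!HH", signed[p + 6:p + 10])
    mac = signed[p + 10:p + 10 + macsize]
    q = p + 10 + macsize
    orig_id, error, olen = struct.unpack("!HHH", signed[q:q + 6])
    other = signed[q + 6:q + 6 + olen]
    if alg != ALGORITHM or abs(now - time_signed) > fudge:                # wrong algorithm or stale
        return False
    arcount = struct.unpack("!H", signed[10:12])[0] - 1                   # message as it was before signing
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", arcount) + signed[12:rr_start]
    expected = hmac.new(secret, unsigned + tsig_variables(name, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


SIGNED_AT = 1500000000   # constructed timestamp
SIGNED_QUERY = tsig_sign(build_query("host1.centservchild.myco.dmg7152.com"), KEY_NAME, SECRET, SIGNED_AT)

if __name__ == "__main__":
    print(tsig_verify(SIGNED_QUERY, KEY_NAME, SECRET, SIGNED_AT + 10))
```

The time and fudge fields are why both servers need synchronised clocks: BIND rejects a transfer request signed outside the fudge window (300 seconds by default), which shows up as a "BADTIME" TSIG error rather than a MAC failure.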


(5 points) In your own words explain the concept of a "Chain of Trust" as it relates to DNSSEC. The DNSSEC (Domain Name System Security Extensions) "chain of trust" is the linked set of digital signatures that lets a validating resolver check an answer all the way back to a single trust anchor, the root zone's key. Each signed zone publishes its public keys in DNSKEY records and signs its data with RRSIG records; the parent zone publishes a DS record, a hash of the child's key signing key, and signs that DS with its own keys. A resolver that trusts the root key can validate the root's DS for .com, use it to trust .com's DNSKEY, validate .com's DS for the next zone down, and so on to the zone being queried. Any forged or altered record along the path fails signature validation, so an attacker cannot slip into the lookup path and substitute a response that redirects the client, for instance to a phishing site. DNSSEC provides authenticity and integrity, not confidentiality: the records are signed, not encrypted.

(5 points) In your own words explain the purpose of the Key Signing Key and the Zone Signing Key. A zone's DNSKEY records serve two different jobs, and typically a separate key is used for each. The key signing key (KSK) signs only the DNSKEY RRset; it is the key the parent's DS record refers to, so it changes rarely and can afford to be large. The zone signing key (ZSK) signs every other RRset in the zone (A, NS, SOA, PTR, and so on); because the parent does not reference it, it can be rolled frequently without touching the delegation.
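One link of the chain of trust made concrete, as an added example (not code from the lab report or from BIND): computing a DNSKEY's key tag and the parent's DS record from it (RFC 4034, Appendix B and section 5.1.4), then checking whether a child zone's DNSKEY set contains a KSK that the parent's DS vouches for. This is the check a validating resolver performs at every zone cut, and it also shows why the ZSK is not involved in the delegation. The zone name is the lab's; the public-key bytes are constructed filler, not a real key.

```python
"""DNSSEC delegation check: does the parent's DS match the child's KSK?

Added example, not code from the lab report or BIND. Key tag and DS
digest follow RFC 4034; the DNSKEY key material is constructed filler.
"""
import hashlib
import hmac
import struct
from typing import List, Tuple

DS = Tuple[int, int, int, str]   # (key tag, algorithm, digest type, hex digest)


def wire_name(name: str) -> bytes:
    """Canonical (lower-case) wire form of the DNSKEY owner name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (257 = zone key + SEP, i.e. a KSK; 256 = ZSK), protocol 3, algorithm."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def is_ksk(rdata: bytes) -> bool:
    return bool(struct.unpack("!H", rdata[:2])[0] & 0x0001)   # SEP bit


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> DS:
    """DS = hash(owner name | DNSKEY RDATA); digest type 2 is SHA-256."""
    digester = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = digester(wire_name(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], digest_type, digest


def ds_matches(ds: DS, owner: str, rdata: bytes) -> bool:
    tag, alg, dtype, digest = ds
    if tag != key_tag(rdata) or alg != rdata[3]:
        return False
    return hmac.compare_digest(ds_record(owner, rdata, dtype)[3], digest.lower())


def validate_link(parent_ds_set: List[DS], owner: str, child_dnskeys: List[bytes]) -> bool:
    """True if some KSK in the child's DNSKEY RRset is vouched for by a parent DS."""
    return any(is_ksk(key) and ds_matches(ds, owner, key)
               for ds in parent_ds_set for key in child_dnskeys)


# Constructed keys for the lab's child zone (2-byte filler instead of a real RSA key)
CHILD_ZONE = "centservchild.myco.dmg7152.com."
CHILD_KSK = dnskey_rdata(257, 8, b"\x01\x02")
CHILD_ZSK = dnskey_rdata(256, 8, b"\x01\x02")
PARENT_DS = [ds_record(CHILD_ZONE, CHILD_KSK)]   # what the parent zone would publish

if __name__ == "__main__":
    print(PARENT_DS, validate_link(PARENT_DS, CHILD_ZONE, [CHILD_KSK, CHILD_ZSK]))
```

Rolling the ZSK leaves PARENT_DS valid, so it needs no coordination with the parent; rolling the KSK changes the key tag and digest, so a new DS must be published in the parent before the old KSK is retired, which is exactly why KSK rollovers are slow and ZSK rollovers are routine.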

(5 points) Use the screenshot from the "dig myco.abc1234.com" command and explain the information it provides as it pertains to DNSSEC. DIG Capture:

Explanation: As you can see, when we dig our domain name with +dnssec we get the two AUTHORITATIVE name servers used by our domain, the SOA, and the RRSIG records that sign those answers; each RRSIG names the key tag of the DNSKEY that produced it. The child domain's name server does not appear because the query was for the apex of the parent zone: the child's NS records belong to the delegation and are only returned for names under the child sub-domain. The +dnssec flag sets the DO bit, which asks the server to include the signatures; a validating resolver checks them against the zone's DNSKEY records and the parent's DS, and so confirms that the signed data is authentic and has not been modified in transit. No encryption is involved: DNSSEC signs data, it does not hide it.


When submitting your document please save it in the following format: use LR07 (for Lab Report 07), followed by an underscore, followed by the first initial of your first name in uppercase, and your entire last name with the first letter in uppercase. Example: LR07_GArcoraci.doc.
