DNS Workshop

Friday Feb 28, 2014

Delve deep into DNSSEC

BIND 9.10 is the new version of the BIND 9 DNS server from ISC http://isc.org (not to confuse with BIND 10, which is a different DNS server product). I will report in a series of articles about the new features in BIND 9.10. The first beta version of BIND 9.10 has been released this week and can be found at ftp://ftp.isc.org/isc/bind9/9.10.0b1/.

BIND 9.10 contains a new command-line tool to test DNSSEC installations. The tool is called delve and it works very much like the already know dig. It is like dig with special DNSSEC validation powers.

[Read More]

Saturday Feb 08, 2014

Compiling BIND 9.9.5 on OpenBSD

while compiling BIND 9 Version 9.9.5 on OpenBSD, I've got

making all in /usr/src/bind-9.9.5/lib/lwres/unix/include/lwres
gcc  -I/usr/src/bind-9.9.5 -I./unix/include  -I. -I./include -I./include
- -I/usr/src/bind-9.9.5/lib/isc/include  -I../../lib/isc
- -I../../lib/isc/include  -I../../lib/isc/unix/include
- -I../../lib/isc/nothreads/include  -I../../lib/isc/x86_32/include
- -g -O2   -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings
- -Wformat -Wpointer-arith -fno-strict-aliasing  -c gethost.c
gethost.c: In function `copytobuf':
gethost.c:307: error: `uintptr_t' undeclared (first use in this function)
gethost.c:307: error: (Each undeclared identifier is reported only once
gethost.c:307: error: for each function it appears in.)
*** Error code 1

Stop in /usr/src/bind-9.9.5/lib/lwres.
*** Error code 1

Stop in /usr/src/bind-9.9.5/lib (line 103 of Makefile).
*** Error code 1

Stop in /usr/src/bind-9.9.5 (line 107 of Makefile).
adding
#ifdef HAVE_INTTYPES_H
#include <inttypes.h> /* uintptr_t */
#endif

to the file <bind9-source>/lib/lwres/gethost.c fixes this issue (type "uintptr_t" not known). This issue has been reported upstream to ISC and will be fixed in the next BIND 9 release.

Sunday Nov 04, 2012

DNSSEC with PowerShell und dnscmd (on Windows 2012)

Windows 2012 can DNSSEC sign zones using the GUI Management tools. That works fine for a handfull of zones. But how about automation, signing hundreds of zones? Windows 2012 could be used as a "hidden master" DNSSEC signing engine that provides DNSSEC signed zones to Unix based front-end servers, while automating the key rollovers and continuous re-singing of the zones to refresh the record signatures. In that scenario, automation can be important.

dnscmd

One automation option is the dnscmd tool. However, dnscmd is deprecated and might be removed from future versions of Windows. The more modern way is to use PowerShell (see below).

Usage: DnsCmd <ServerName> /ZoneAddSKD <ZoneName> /Alg <KeyAlg> [/Length <KeyLength>]
                      [/KSP <KeyStorageProviderName>] [/Flags <KeyFlags>] [/StoreKeysInAD]
                      [/DoNotStoreKeysInAD] [/InitialRolloverOffset <Seconds>]
                      [/DNSKEYSignatureValidityPeriod <Seconds>] [/DSSignatureValidityPeriod <Seconds>]
                      [/StandardSignatureValidityPeriod <Seconds>] [/RolloverPeriod <Seconds>]
                        
  <KeyStorageProviderName> -- "Microsoft Software Key Storage Provider" or
                     other KSP installed on this system
  <KeyAlg>        -- the key algorithm mnemonic string. Currently only
                     "RSASHA1", "NSEC3RSASHA1", "RSASHA256", "RSASHA512",
                     "ECDSAP256SHA256" and "ECDSAP384SHA384" are supported.
  <KeyLength>     -- length of the key in bits. For RSA algorithms the value
                     can range from 1024 bits in 64 bit increments up to 4096
                     bits. Key size is ignored for other algorithms.
  <KeyFlags>      -- bits to be set to 1 in DNSKEY flags field. If 
                     is "KSK",  the Secure Entry Point bit will be set to 1
                     to indicate that this key is a Key Signing Key. If no
                     /Flags is given, the key is considered to be a Zone
                     Signing Key.
  /StoreKeysInAD  -- if specified, keys will be stored on the zone object in
                     Active Directory and will replicate to other DNS servers
  /DoNotStoreKeysInAD -- if specified, keys will be stored in a self-signed
                     certificate in the local machine certificate store and
                     will not replicate to other DNS servers

In future versions of Windows, Microsoft might remove dnscmd.exe

The dnscmd subcommand ZoneAddSKD creates a new DNSSEC key and assigns that key to a zone. Without a key assigned, dnscmd will refuse to sign the zone. Be careful not to assign more than the needed keys to a zone. Every call to ZoneAddSKD will add a new key to the zone. Usually we want to have one Key Signing Key (KSK), and one Zone Signing Key (ZSK):

creating the KSK

PS C:\Users\Administrator> dnscmd server1 /ZoneAddSkd dnscmd.example.com /Alg RSASHA256 /Length 2048 /Flags KSK

Command returned the following Signing Key Descriptor:

SKD GUID {EDADBF50-A733-4C67-A95E-8145C77BE0A1}
        key storage provider                = Microsoft Software Key Storage Provider
        store keys in AD                    = 0
        KSK flag                            = 1
        signing algorithm                   = RSASHA256
        key size                            = 2048
        initial rollover offset             = 0
        DNSKEY signature validity period    = 604800
        DS signature validity period        = 604800
        standard signature validity period  = 864000
        rollover period                     = 65232000
        next rollover action                = Normal

Command completed successfully

creating the ZSK
PS C:\Users\Administrator> dnscmd server1 /ZoneAddSkd dnscmd.example.com /Alg RSASHA256 /Length 1024

Command returned the following Signing Key Descriptor:

SKD GUID {47D410EE-35A4-483C-9B3B-1FB763F5AAB5}
        key storage provider                = Microsoft Software Key Storage Provider
        store keys in AD                    = 0
        KSK flag                            = 0
        signing algorithm                   = RSASHA256
        key size                            = 1024
        initial rollover offset             = 0
        DNSKEY signature validity period    = 604800
        DS signature validity period        = 604800
        standard signature validity period  = 864000
        rollover period                     = 7776000
        next rollover action                = Normal

Command completed successfully.

To be precise, the commands above do not directly create the keys, instead they create a "Signing Key Descriptor (SKD)", which is a kind of policy that describes how DNSSEC keys are generated for this zone. The Windows 2012 DNS server then creates new keys based on the descriptors whenever needed (for example during a key rollover).

Now we can use dnscmd subcommand "ZoneSign" to sign the zone. The parameters for "ZoneSign" are:

Usage: DnsCmd  /ZoneSign <ZoneName>
  Generates keys and adds DNSSEC records to the zone using the zone signing
  parameters and Signing Key Descriptors (SKDs) currently set on this zone.

In future versions of Windows, Microsoft might remove dnscmd.exe.

The only required parameter is the name of the zone to sign. This zone must already have DNSSEC keys attached:

PS C:\Users\Administrator> dnscmd server1 /ZoneSign dnscmd.example.com
Command completed successfully.

PowerShell

With PowerShell, we use the command Add-DnsServerSigningKey to create and add the DNSSEC Signing Key Descriptors to a DNS zone:

SYNTAX: Add-DnsServerSigningKey [-ZoneName] <string> 
             [[-Type] <string> {KeySigningKey | ZoneSigningKey}] 
             [[-CryptoAlgorithm] <string> {RsaSha1 | RsaSha256 | RsaSha512 | RsaSha1NSec3 | ECDsaP256Sha256 | ECDsaP384Sha384}] 
             [[-KeyLength] <uint32>] 
             [-ComputerName <string>] 
             [-InitialRolloverOffset <timespan>] 
             [-DnsKeySignatureValidityPeriod <timespan>] 
             [-DSSignatureValidityPeriod <timespan>] 
             [-ZoneSignatureValidityPeriod<timespan>] 
             [-RolloverPeriod <timespan>] 
             [-ActiveKey <string>] 
             [-StandbyKey <string>] 
             [-NextKey <string>] 
             [-KeyStorageProvider <string>] 
             [-StoreKeysInAD <bool>] 
             [-PassThru] 
             [-CimSession <CimSession[]>] 
             [-ThrottleLimit <int>] 
             [-AsJob] 
             [-WhatIf] 
             [-Confirm]  
             [<CommonParameters>]

Again, we creating one for the KSK, and one for the ZSK:


creating the KSK

PS C:\Users\Administrator> Add-DnsServerSigningKey powershell.example.com -Type KeySigningKey -CryptoAlgorithm RsaSha256 -KeyLength 2048 

creating the ZSK
PS C:\Users\Administrator> Add-DnsServerSigningKey powershell.example.com -Type ZoneSigningKey -CryptoAlgorithm RsaSha256 -KeyLength 1024

The last step is to sign the zone, where we use Invoke-DnsServerZoneSign.

SYNTAX: Invoke-DnsServerZoneSign [-ZoneName] <string>
                    [-SignWithDefault] 
                    [-DoResign] 
                    [-ComputerName <string>] 
                    [-Force] 
                    [-PassThru] 
                    [-CimSession <CimSession[]>] 
                    [-ThrottleLimit <int>] 
                    [-AsJob] 
                    [-WhatIf] 
                    [-Confirm]  
                    [<CommonParameters>]

PS C:\Users\Administrator> Invoke-DnsServerZoneSign powershell.example.com

Confirm
This will initiate online signing of the zone powershell.example.com on server SERVER1.
Do you want to continue?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): y

Happy automated zone signing!

Tuesday Sep 11, 2012

DNSSEC signing a zone with Windows Server 2012

Windows 2012 Server was released on 4th of September 2012. Time to have a closer look at the DNSSEC signing capabilities (information about DNSSEC validation on Windows 2012 can be found in the article "DNSSEC validation in Microsoft DNS Server 2012").

For the DNSSEC zone signing walk-through a newly installed Windows 2012 "Standard" Server was used. Only the DNS role was installed in addition to the default components, no Active Directory. This article will cover the creation of a static DNS zone for the Internet. I do not cover the creation of an internal dynamic zones that is updated from clients or DHCP Server.

[Read More]

Saturday Jun 23, 2012

DNSSEC validation in Microsoft DNS Server 2012

The DNS Server in Windows 2012 now supports all bits and pieces necessary to validate DNSSEC signatures and keys in the Internet (including SHA256 and NSEC3). Here is a small tutorial on how to import the trust anchor for the Internet root zone into the Windows 2012 DNS Server to enable DNSSEC validation.[Read More]

Saturday Jun 16, 2012

Supervising BIND 9

BIND 9 is a mature piece of software. Compared with its predecessors BIND 4 and BIND 8, it is more stable and has less security problems. One reason for this is the "Design by contract" programming style used by the BIND 9 team. BIND 9 is very paranoid about data it consumes, and about its internal data structures. Once BIND 9 finds an unexpected state in its internal data-structures, it terminates the DNS server process instead of continue to run with wrong data (and risking a security vulnerability).

While this behavior is good for security, it is very bad for service uptime. The DNS server process terminates, and with it the DNS service. Users (Customers) do not not so much care about security if they cannot reach Facebook. BIND 9 had several incidents in the past years where BIND 9 terminated because of issues inside the code or data-structures, like "BIND 9 Resolver crashes after logging an error in query.c".

BIND 10 is aiming to solve this, as project lead Shane Kerr writes in "Software Robustness and BIND 10". But until BIND 10 arrives, a work-around is needed for BIND 9.

The real issue for the DNS service is not BIND 9 terminating on bad data, but that BIND 9 cannot restart after the fact. There is no "supervisor" process in BIND 9.

Some operating systems have a build-in solution: MacOS X has launchd, and the BIND 9 version Apple delivers with the OS is automatically restarted should it terminate unexpected. Solaris has SMF (Service Management Facility), and BIND 9 can be integrated into SMF. Unbuntu Linux now has upstart, and Fedora systemd, which can also monitor processes and restart them if needed.

For Unix and Linux operating systems that do not ship with a process supervisor solution, supervisord is a nice and easy to setup solution. Supervisord comes as a package with many Linux distributions, and it also works on the BSD Unixes. The configuration below is for OpenBSD, but should require only minor tweaks to run on other Unix systems as well.

Installation

Supervisord is written in Python (2.4 - 2.7) and can be installed from source (where we have to download and install all dependencies) or with the help of setuptools, which takes care of downloading and installing all dependencies. Below I use setuptools:

bash# sh setuptools-0.6c11-py2.7.egg
bash# easy_install supervisor

A basic configuration file for BIND 9 "named"

Below is my basic /etc/supervisord.conf configuration file for one service, the BIND 9 DNS Server:

[unix_http_server]
file = /tmp/supervisor.sock
chmod = 0777
chown= nobody:nogroup

[rpcinterface:supervisor]
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface

[supervisorctl]
serverurl=unix:///tmp/supervisor.sock

[supervisord]
logfile = /var/log/supervisord.log
logfile_maxbytes = 10MB
logfile_backups=10
loglevel = info
pidfile = /var/run/supervisord.pid
identifier = supervisor
directory = /tmp

[program:named]
command=/usr/sbin/named -f
process_name=%(program_name)s
numprocs=1
directory=/var/named
priority=100
autostart=true
autorestart=unexpected
startsecs=5
startretries=3
exitcodes=0,2
stopsignal=TERM
stopwaitsecs=10
redirect_stderr=false
stdout_logfile=/var/log/named_supervisord.log
stdout_logfile_maxbytes=1MB
stdout_logfile_backups=10
stdout_capture_maxbytes=1MB

starting "supervisord"

Once the configuration file is in place, we can start supervisord. Make sure that BIND 9 is not started, else you will end up with two instances of the BIND 9 server running, which is not a good idea. Also make sure that supervisord will be started on reboot of the server, either trough a startscript or other means. The Supervisord packages coming with Linux distributions install a startscript.

bash# supervisord
bash# tail /var/log/supervisord.log
2012-06-16 16:59:48,812 INFO Increased RLIMIT_NOFILE limit to 1024
2012-06-16 16:59:48,949 INFO RPC interface 'supervisor' initialized
2012-06-16 16:59:48,953 INFO RPC interface 'supervisor' initialized
2012-06-16 16:59:48,963 INFO daemonizing the supervisord process
2012-06-16 16:59:48,964 INFO set current directory: '/tmp'
2012-06-16 16:59:48,967 INFO supervisord started with pid 14724
2012-06-16 16:59:49,976 INFO spawned: 'named' with pid 16701
2012-06-16 16:59:55,020 INFO success: named entered RUNNING state, process has stayed up for > than 5 seconds (startsecs)

Great, supervisord has started, and it also started the BIND 9 process "named". DNS is working now.

simulating a BIND 9 crash

to simulate a BIND 9 crash, we "kill" the BIND 9 named process:

bash# ps aux | grep named
_syslogd 32633  0.0  0.1   512   648 ??  I     17Apr12    2:28.76 syslogd -a /var/named/dev/log -a /var/empty/dev/log
root     16701  0.0  0.8  5684  6500 ??  I      4:59PM    0:00.50 /usr/sbin/named -f
bash# bash-3.2# kill -9 16701
bash# tail supervisord.log 
2012-06-16 17:03:29,192 INFO exited: named (terminated by SIGKILL; not expected)
2012-06-16 17:03:30,201 INFO spawned: 'named' with pid 9832
bash#

Works as a expected. Supervisord has detected that the BIND 9 process has terminated, and has restarted a new one. DNS is still up and running.

Controlling supervisord

The supervisord can be controlled from the commandline using the supervisorctl command. A list of all a control commands can be found with "help", and a description of each command with "help command":

bash# supervisorctl help

default commands (type help ):
=====================================
add    clear  fg        open  quit    remove  restart   start   stop  update 
avail  exit   maintail  pid   reload  reread  shutdown  status  tail  version

bash# supervisorctl help status
status                  Get all process status info.
status            Get status on a single process by name.
status      Get status on multiple named processes.

bash# supervisorctl status
named                            RUNNING    pid 25770, uptime 0:00:12

bash# supervisorctl stop named
named: stopped

bash# supervisorctl start named
named: started

Now, whenever there is an assertion error in the code triggered, BIND 9 will terminate, but supervisord will bring it back from the dead. Your DNS service stays up, and the users and customers happy.

Read the supervisord documentation on how to setup event notifications, so that you get an E-Mail on the event that BIND 9 has been restarted. There might be a security vulnerability nontheless, which you would like to report to bind9-bugs@isc.org.

Of course supervisord can be used to restart other processes as well, including other types of DNS Servers (NSD, Unbound, dnsmasq ...).

Thursday Mar 01, 2012

Fixing BIND 9.9.0 compilation on OpenBSD

Compiling the new BIND Version 9.9.0 can lead to an compilation error on systems that do not have the ENOTSUP constant defined (such as OpenBSD).

stdio.c: In function `isc_stdio_sync':
stdio.c:117: error: `ENOTSUP' undeclared (first use in this function)
stdio.c:117: error: (Each undeclared identifier is reported only once
stdio.c:117: error: for each function it appears in.)
*** Error code 1

Stop in /usr/src/bind-9.9.0/lib/isc/unix.
*** Error code 1

Stop in /usr/src/bind-9.9.0/lib/isc (line 174 of Makefile).
*** Error code 1

Stop in /usr/src/bind-9.9.0/lib (line 103 of Makefile).
*** Error code 1

Stop in /usr/src/bind-9.9.0 (line 107 of Makefile).

ISC has already applied a patch that will be out with the next version(s). For all that want to compile and run BIND 9.9.0 now, below is a patch that works for me:

*** /usr/src/bind-9.9.0/lib/isc/include/isc/stdio.h.orig        Wed Feb 29 21:04:43 2012
--- /usr/src/bind-9.9.0/lib/isc/include/isc/stdio.h     Wed Feb 29 21:05:34 2012
***************
*** 22,27 ****
--- 22,32 ----

  /*! \file isc/stdio.h */

+ /* OpenBSD doesn't have ENOTSUP, but does have EOPNOTSUPP */
+ #if defined (EOPNOTSUPP) && !defined (ENOTSUP)
+ #define ENOTSUP EOPNOTSUPP
+ #endif
+
  /*%
   * These functions are wrappers around the corresponding stdio functions.
   *

Wednesday Jan 11, 2012

Give nsupdate a history

the useful nsupdate tool (used to send dynamic updates towards an authoritative DNS server, part of the BIND nameserver distribution, www.isc.org) does not have a commandline history, nor automatic command completion.

Luckily, on Unix systems, this missing feature can be added to nsupdate using a small tool called rlwrap. rlwrap stands for 'readline wrapper'. Readline is an open source library that implements command history and tab completion, and it is used inside many well known command line tools. However it needs to be linked at compile time to be work on a program by default. If the developer does not link readline, the functions are not part of the program.

However it is possible to start a commandline tool such as nsupdate under the control of the readline wrapper. In this case, the readline wrapper will intercept when the command line tool tries to read data from the keyboard and will add the additional readline functions to the command line tool. rlwrap is part of most Unix/Linux distributions and can often be installed using the systems package manager.

In case of nsupdate, we can start nsupdate with

$ rlwrap nsupdate 

and voila, our old dog nsupdate has just learned some new tricks, it has now a command history that can be used with the cursor up and down keys (see the readline man page for a complete list of possible key bindings).

If rlwrap finds a file (named with the name of the commandline tool) containing keywords (space separated) in its search path for completion files (on my system that is /usr/share/rlwrap/completions), it will auto-complete the keywords found in the file when the user presses the tabulator key. Please find attached to this blogpost my completion file for nsupdate.

I don't not want to encourage the usage of nslookup (use dig or drill), but rewrap works also on the old steam engine called nslookup.

Please have a look at the rlwrap manual page. There are some more tricks to rlwrap that are not mentioned in this blog post.

Attachments

Friday Dec 23, 2011

BIND installer packages for MacOS X 10.4/10.5 PowerPC (ppc)

Apple does not provide update to older MacOS X versions (such as 10.4 "Tiger") anymore. However these machines are still good to run a caching or an authoritative DNS Server.

MacOS X comes with ISC BIND pre-installed, but without security updates, running an old version of BIND on MacOS X is a risk.

To find out the current version of BIND installed on a machine, open the Terminal.app and enter "named -v":

$ named -v
BIND 9.4.2-P2

Men & Mice is offering installation packages for MacOS X 10.4 containing the latest BIND versions. The installer packages can be downloaded for free from http://support.menandmice.com/download/bind/macosx/10.4-Tiger/.

If you are running a BIND DNS Server on MacOS X, please check the version you're running and upgrade if the version if outdated. The BIND security matrix lists all known security issues with BIND versions.

Sunday Jul 03, 2011

Compiler options for creating secure DNS Server binaries (on Linux)

DNS server, as these processes recieving data from untrusted sources in the network, are vulnerable for attacks that exploit security proplems in the DNS servers program code. Special crafted DNS packets can trigger a software bug in the DNS servers code and which will execute code contained in the received data, allowing the attacker to change the behavior of the DNS software or even break into the operating system running the server.

Modern Linux systems contain exploit mitigation techniques that make it harder for attackers to sucessfully launch such attack. However most of this functions are not enabled by default, but must be enabled during compile time. This is especially imnportant if the DNS server software is custom compiled and not taken from the Linux distribution vendor. But even the binaries supplied by a Linux distribution might not have all the exploit mitigation security functions enabled.

The folks at NESO Security Labs have published a script that can be used to test existing binaries for the enabled security functions (checksec.sh script).

The screenshot below shows a BIND nameserver binary (named) with only some of the security functions enabled, and an Unbound nameserver binary that has all of the functions enabled:

The functions in detail:

RELRO

RELRO rearranges the data sections inside an ELF (Linux executable file format) executable. It also marks certain areas as 'read-only' so that these data structures cannot be overwritten while the process is running.

Details about RELRO can be found in the blog post RELRO - A (not so well known) Memory Corruption Mitigation Technique.

There are two flavors of RELRO, 'partial' and 'full'. Only 'full RELRO' offers all security measures and is recommended.

Stack canary

A STACK CANARY is a special datastructure with a distinct bit-pattern that is placed in front of important data on the stack, for example in front of the return address of an subroutine call. A popular attack is to overwrite (using a buffer overflow or similar problems) the return address of a subroutine call, so that the execution process is redirected to execute program code injected by the attacker.

When using a stack canary, the operating system will check if the bit pattern placed in front of the stack datastructure is still intact (and not overwritten). Only if this is true, the jump through the return address will be taken. The named 'stack canary' comes from canary birds used in early mining operations, where the birds where used as in indicator that the air under ground is becoming foul. See GCC Stack-Smashing Protector (ProPolice) on how the canary is implemented in the GCC compiler suite.

NX bit

NX enabled refers to the NX (non-execute) or XD (execute disable) flags found in modern x86 CPUs (Intel and AMD). The NX flag are used to mark memory areas that only contain data (and no program code) as 'off-limit' for the CPUs instruction fetch. The data stored in this areas marked cannot be executed as a program by the CPU. Because this flag is implemented directly in the CPU, it has no overhead compared to exploit mitigation functions implemented in software. Some Linux systems running on hardware that does not support a 'no-execute' flag emulate this function in software.
See Wikipedia on NX bit.

PIE - Position independent code

PIE stands for 'Position Independent Executable' and describes a function where the operating system can load certain parts of the application at random positions inside the computers address space. In some attacks the attacker needs to know beforehand on which memory location a datastructure will be loaded (e.g. to jump into code that has been written using a buffer overflow). By having the operating system load the program code into different locations every time, the attacker cannot predict the memory location, which makes it harder to write a sucessful exploit.

Fortify source

In addition to the technologies above, the GCC C-Compiler can analyse the source code to be compiled and detect certain insecure sections (that might create a security problem). The compiler will replace the insecure function calls with special hardened code that will perform extra runtime checks while the process is executed. This is called FORTIFY SOURCE.

Compiler- and Linker-Flags

To enable these exploit mitigation functions in compiled binaries, special flags must be specified for the compiler (gcc) and linker.

  • RELRO: LDLFAGS="-z relro -z now"
  • STACK CANARY: CFLAGS="-fstack-protector" LDFLAGS="-fstack-protector"
  • PIE/PIC: CFLAGS="-fPIE -fPIC" LDFLAGS="-fPIC -pie"
  • NX: is enabled on the OS and BIOS level, but can be disabled in the ELF file. It should be enabled by default if not manually disabled for a binary.
  • FORTHFY-SOURCE: CFLAGS="-O2 -D_FORTIFY_SOURCE=2"

Examples

example linker flags (32bit/64bit):

LDFLAGS="$LDFLAGS -fPIC -pie -z relro -z now -fstack-protector"

example c-compiler flags (32bit):

CFLAGS="-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector -fPIE -fPIC --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=i686 -fasynchronous-unwind-tables"

example c-compiler flags (64 bit):

CFLAGS="-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector -fPIE -fPIC --param=ssp-buffer-size=4 -m64 -mtune=generic"

Of course the exploit mitigation techniques described here are also valid for all networked applicartions (such as SSH, webserver, NTP ...), not only for DNS server. But this is the DNS workshop ...

Resources:

Friday Aug 21, 2009

Slax Live Linux modules with BIND, Unbound and DNS Tools for DNSSEC Training

Getting a classroom full of computer ready for a DNSSEC training can be a challenge. Installing a DNSSEC capable DNS server, resolver and troubleshooting tools on each student computer can take some time. DNSSEC tools are not common in today's operating-systems.

At Men & Mice we use add-on modules for the SLAX Live Linux System (http://slax.org). The SLAX System can be started on almost any PC-like computer machine with 256MB RAM or more from a USB-Stick, CD-ROM or by PXE Network boot. Especially the PXE-Networkboot is a convenient way to boot SLAX from the trainers PC to all the machines in a classroom. The trainer can prepare training packages that will automatically appear after reboot on the students machines.

The current version of the SLAX DNSSEC Training modules contains BIND 9.6.1-P1 (package 010-bind.lzm) and Unbound 1.33, libDNS 1.6.1, Drill, DNSTOP, DOC and dnstracer (package 011-dnstools.lzm) ready to use.
The single packages can be downloaded from the Men & Mice Support Download Server.

The full SLAX 6.1.2 system including the DNS-Tools and BIND packages can be found at http://support.menandmice.com/download/training/usb/slax-dns-training-stick.tgz (217 MB).

To install SLAX from a Linux Machine, uncompress the tar-ball to an FAT formatted USB Drive and call the "boot/bootinst.sh" script. Installation from a Windows System is similar, just used the "boot/bootinst.bat" batch file.

While being created for DNSSEC and DNS Trainings, the SLAX system with the DNS Modules makes a quick-to-use troubleshooting system for both plain old DNS and DNSSEC that can be carried around.

Thursday Apr 23, 2009

BIND 10 development started

The Internet Systems Consortium announced today that development on the next generation of BIND DNS Server has started. The new development is sponsored by many TLD-Registries (Japan Registry Services Co., Ltd. (JPRS) and Canadian Internet Registration Authority (CIRA) as well as Afilias, AFNIC, DENIC, IIS.SE, Nominet, NIC.br, SIDN and .za Domain Name Authority) and will take some years to complete.[Read More]

Calendar

Feeds

Search

Links

Navigation