
How to setup DNSSEC in Linux 7


Learn how to set up DNSSEC in Linux 7 with this guide. Follow the detailed steps to enhance your DNS security and protect your domain from attacks such as cache poisoning.

What is DNSSEC?

DNSSEC (Domain Name System Security Extensions) is a suite of extensions to DNS (Domain Name System) that adds a layer of security by enabling DNS responses to be verified. It helps protect against various attacks such as cache poisoning and man-in-the-middle attacks. Here are the key components and concepts of DNSSEC:

  1. Digital Signatures: DNSSEC uses public-key cryptography to digitally sign DNS data. This ensures that the data has not been tampered with and is authentic.
  2. DNSKEY Records: These records contain the public keys that resolvers use to verify the digital signatures.
  3. RRSIG Records: These are the digital signatures that are associated with DNS resource records. They confirm that the data originates from the authorized source.
  4. DS Records (Delegation Signer): These records are used to link a child zone to a parent zone. They contain the hash of a DNSKEY record from the child zone and are used to establish a chain of trust.
  5. Chain of Trust: DNSSEC establishes a chain of trust from the root zone down to the individual domain names. Each level of the DNS hierarchy is signed by the level above it, creating a secure path for verifying DNS data.
  6. NSEC and NSEC3 Records: These records provide authenticated denial of existence, proving that certain DNS names or types do not exist.

By implementing DNSSEC, you can significantly enhance the security of your DNS infrastructure, making it more resistant to attacks and ensuring the integrity and authenticity of DNS responses.

We have already configured master and slave authoritative DNS servers using BIND on CentOS 7. In this article, we will set up DNSSEC on those same BIND DNS servers.


Environment Specification

We are using the same CentOS 7 minimal installed virtual machines that we have configured in our previous article.

Primary (Master) DNS Server:

Secondary (Slave) DNS Server:

Install Haveged on CentOS 7

Connect to dns-01.example.com via ssh as the root user.

The haveged project is an attempt to provide an easy-to-use, unpredictable random number generator based upon an adaptation of the HAVEGE algorithm. Haveged was created to remedy low-entropy conditions in the Linux random device that can occur under some workloads, especially on headless servers.

We are installing haveged on our CentOS 7 server to speed up key generation during the DNSSEC configuration: dnssec-keygen reads from /dev/random, which can block for a long time on a headless virtual machine with little entropy.

Haveged is available in the EPEL (Extra Packages for Enterprise Linux) yum repository. Therefore, we have to install EPEL before installing the haveged package.

Install EPEL yum repository as follows.

# yum install -y epel-release

Build cache for EPEL yum repository.

# yum makecache fast

Now, we can install haveged from EPEL repository using yum command.

# yum install -y haveged

Enable and start haveged.service.

# systemctl enable --now haveged.service
Created symlink from /etc/systemd/system/multi-user.target.wants/haveged.service to /usr/lib/systemd/system/haveged.service.

Configure DNSSEC on Master DNS Server

Edit BIND configuration file.

# vi /etc/named.conf

Find and set the following directives in the options block.

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

Note that dnssec-lookaside (DLV) is obsolete: ISC retired the DLV registry in 2017, and newer BIND releases no longer support the directive, so omit that line on anything more recent than the BIND 9.9 shipped with CentOS 7.

Create a Zone Signing Key (ZSK) with the following commands.

# cd /var/named
# dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE example.com
Generating key pair...........................................................................+++ ...........................................................................................+++
Kexample.com.+007+28013

Create a Key Signing Key (KSK) with the following command.

# dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE example.com
Generating key pair.......................................++ .................................................++
Kexample.com.+007+65445

Include the generated public keys in our zone file. The directive must be written in single quotes: inside double quotes the shell expands $include to an empty string and only the file name would be appended.

# echo '$INCLUDE Kexample.com.+007+28013.key' >> /var/named/example.com
# echo '$INCLUDE Kexample.com.+007+65445.key' >> /var/named/example.com

Sign the zone using the dnssec-signzone command. Here -3 supplies a random NSEC3 salt, -A enables NSEC3 opt-out, -N INCREMENT bumps the SOA serial, and -t prints the signing statistics shown below.

# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o example.com -t example.com
Verifying the zone using the following algorithms: NSEC3RSASHA1.
Zone fully signed:
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                         ZSKs: 1 active, 0 stand-by, 0 revoked
example.com.signed
Signatures generated:                       21
Signatures retained:                         0
Signatures dropped:                          0
Signatures successfully verified:            0
Signatures unsuccessfully verified:          0
Signing time in seconds:                 0.039
Signatures per second:                 529.233
Runtime in seconds:                      0.046

The above command wrote the signed zone to /var/named/example.com.signed.

We now need to edit the zone configuration to use the example.com.signed file instead of example.com.
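dnssec-signzone signs with a 30-day validity by default (the -e option changes it), so a zone that is not re-signed before its RRSIGs expire fails validation at every validating resolver. The following added script, which is not part of the article, parses a signed zone file in dnssec-signzone's layout and reports how many days each signature has left; the embedded zone text is constructed for the example (only the key tag 28013 comes from the article), and the timestamps are made up.

```python
import re
from datetime import datetime, timezone

# Added example, not from the CentLinux article: report the remaining validity
# of every RRSIG in a dnssec-signzone output file.

RRSIG_RE = re.compile(
    r"\bRRSIG\s+(?P<type>\S+)\s+(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<ottl>\d+)\s+"
    r"(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+(?P<tag>\d+)\s+(?P<signer>\S+)"
)

def parse_ts(ts):
    """RRSIG timestamp YYYYMMDDHHMMSS (UTC) -> aware datetime."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def logical_records(zone_text):
    """Join '( ... )' continuation lines into one record each; drop ; comments."""
    buf, depth = [], 0
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0]                  # base64 never contains ';'
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " ").strip())
        if depth == 0:
            yield " ".join(buf)
            buf = []

def rrsig_status(zone_text, now_ts):
    """[(covered type, key tag, days left)] per RRSIG, soonest expiry first."""
    now, rows = parse_ts(now_ts), []
    for m in filter(None, map(RRSIG_RE.search, logical_records(zone_text))):
        days = (parse_ts(m["exp"]) - now).total_seconds() / 86400
        rows.append((m["type"], int(m["tag"]), days))
    return sorted(rows, key=lambda r: r[2])

# Constructed sample in dnssec-signzone's layout; key tag 28013 is the ZSK from
# the article, the timestamps and signature bytes are made up and shortened.
SAMPLE_SIGNED_ZONE = """\
example.com.\t3600\tIN SOA\tdns-01.example.com. hostmaster.example.com. 2019090102 3600 900 604800 86400 ; serial and timers
\t\t\t3600\tRRSIG\tSOA 7 2 3600 (
\t\t\t\t20191001171118 20190901171118 28013 example.com.
\t\t\t\tc2lnbmF0dXJlLWJ5dGVz )
\t\t\t3600\tRRSIG\tNS 7 2 3600 (
\t\t\t\t20190915000000 20190901171118 28013 example.com.
\t\t\t\tc2lnbmF0dXJlLWJ5dGVz )
"""

if __name__ == "__main__":
    today = datetime.now(timezone.utc).strftime("%Y%m%d%H%M%S")
    for rtype, tag, days in rrsig_status(SAMPLE_SIGNED_ZONE, today):
        print(f"RRSIG over {rtype:<5} key {tag}: {days:7.1f} days left")
```

Point rrsig_status at the real /var/named/example.com.signed from a cron job and alert when the smallest value drops below the re-signing interval.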

# vi /etc/named.conf.local

Update the zone definition as follows. Note that key-directory must name the directory in which dnssec-keygen wrote the key files; BIND does not expand glob patterns there.

zone "example.com" {
   type master;
   file "/var/named/example.com.signed";
   allow-transfer { 192.168.116.5; fd15:4ba5:5a2b:1008::2; };
   also-notify { 192.168.116.5; fd15:4ba5:5a2b:1008::2; };

   # Directory holding the K<zone>+<alg>+<id>.key and .private files
   key-directory "/var/named";

   # Publish and activate DNSSEC keys automatically
   auto-dnssec maintain;

   # Use inline signing
   inline-signing yes;
};

Reload named.service to apply the changes.

# systemctl reload named.service

Check the DNSKEY records using the dig command.

# dig DNSKEY example.com. +multiline

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> DNSKEY example.com. +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14498
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.com.           IN DNSKEY

;; ANSWER SECTION:
example.com.            3600 IN DNSKEY 256 3 7 (
                                AwEAAaGAIKYjx3rjdGVfTHShyBqZfYruv9XFdla4skgK
                                f1lLSSDJ+1MN90rc5EjobINEgXJp9g8t6j6W3H5osa50
                                CQCmwIxXVWcCKzdm5goJBy0L26FPzl9KNFAExdyVnlyN
                                CPXnBwTvxS2nS4iJM2zbTRynWxjcLebsOC+wAzkJmxcN
                                +DLgkTH/M1dPx1m8R78gOCsNxJfEKy+Zzyq5cZ0H6IJ/
                                EnC3IDWuULHwQ5knmVo9LcP/7FiaZKmmd+SBjJF7rfSm
                                xXmxEe//B5cIhedhMkkBcTCB1UPyhRnv8VX43tCfwxax
                                u8t7iC31QdaN2gfQ2xd2a7lK5I+ceCbPJ+etQ3U=
                                ) ; ZSK; alg = NSEC3RSASHA1; key id = 28013
example.com.            3600 IN DNSKEY 257 3 7 (
                                AwEAAfAS59V3GImmv9JpgmJxqDDCDxVmy/avEMViA8Zk
                                W6MtC+PbWfywMWu1m+aCbCqBqx6GtbjVwvLMi9ccVfGs
                                gJd0G5kXvdfSI3XvmbXsubby3ZF7Bz1abHVc/hoVeuQT
                                2p9q1UpjTy3jpgnxrouF7ROiFmyZEgKcNUzbmeJ12mIZ
                                5WMvd1TuOEguXHlv+H+wmGbqdfjsuqu/yJlqO8wT9eI5
                                JvuXL1SjXd3nDkcYwRNw352FsH9NxQ186BS6UwiUoVJN
                                lKB98pidjIRHZngaHNnqzRrGGT/5HJjroZtRjooKcGWI
                                mYdUhnTNIO3HXL6kS6yJzgAEoaKbnnuQQ4vME07/bJEN
                                9CYNqLGv2HsrHFyT1UQtZGlsyI+uyzOJOznQHBIKmVX8
                                uGD1a8twyYJy7U7xuiLgyAqLjNjTgDQiCwyW+0/TMys1
                                M6n/86S+xEzi0Z7HYbqMupfBJVB1xDiSh+vOjFetdWxB
                                pyEkPRDlg1F3QONifkTA1u6rybCHtaZXa9BAJAWJRYrM
                                tBN15tvc3UjSi0gNLEC73/cBYT39kca9ETni9rESQyXH
                                Nh3tFahJU7GK1Ym+0sCzvnPbIjl2axJFY53cYUdtErkR
                                PmNdno3x0IsVF+zDbcoGh4af5lNmNBZ12aZMEiKHY304
                                vPnlbXG+H1rvPdGP/54yVlG8GNxV
                                ) ; KSK; alg = NSEC3RSASHA1; key id = 65445

;; Query time: 0 msec
;; SERVER: 192.168.116.4#53(192.168.116.4)
;; WHEN: Sun Sep 01 22:11:18 PKT 2019
;; MSG SIZE  rcvd: 848

We have configured DNSSEC on our master DNS server.
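The chain of trust described at the start of this article is only complete once the parent zone publishes a DS record for this zone's KSK, a step the walkthrough does not cover. The following added example, which is not part of the article, computes the key tag (RFC 4034 Appendix B) and a SHA-256 DS record from a DNSKEY; the toy key is constructed so its tag can be checked by hand, and the ZSK from the dig output above is embedded as realistic input (in practice you would feed it the KSK, the record with flags 257).

```python
import base64
import hashlib

# Added example, not part of the CentLinux article: key tag (RFC 4034 Appendix B)
# and SHA-256 DS record (RFC 4034 section 5.1.4) derived from a DNSKEY.

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    header = flags.to_bytes(2, "big") + bytes([protocol, algorithm])
    return header + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """16-bit checksum over the RDATA; dig prints it as 'key id'."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical wire form of the owner name: lower-cased, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_record(owner, flags, protocol, algorithm, pubkey_b64):
    """DS presentation text: '<owner> IN DS <key tag> <alg> 2 <sha256 hex>'."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"

# Constructed toy key (not a usable RSA key: exponent 3, two-byte modulus) whose
# tag with KSK flags 257 can be checked by hand: 0x0101+0x0307+0x0103+0xABCD = 45272.
TOY_KSK_B64 = base64.b64encode(bytes([0x01, 0x03, 0xAB, 0xCD])).decode()

# The ZSK (flags 256, algorithm 7) from the dig output above; dig labels it key id 28013.
ZSK_B64 = (
    "AwEAAaGAIKYjx3rjdGVfTHShyBqZfYruv9XFdla4skgK"
    "f1lLSSDJ+1MN90rc5EjobINEgXJp9g8t6j6W3H5osa50"
    "CQCmwIxXVWcCKzdm5goJBy0L26FPzl9KNFAExdyVnlyN"
    "CPXnBwTvxS2nS4iJM2zbTRynWxjcLebsOC+wAzkJmxcN"
    "+DLgkTH/M1dPx1m8R78gOCsNxJfEKy+Zzyq5cZ0H6IJ/"
    "EnC3IDWuULHwQ5knmVo9LcP/7FiaZKmmd+SBjJF7rfSm"
    "xXmxEe//B5cIhedhMkkBcTCB1UPyhRnv8VX43tCfwxax"
    "u8t7iC31QdaN2gfQ2xd2a7lK5I+ceCbPJ+etQ3U="
)

if __name__ == "__main__":
    print("ZSK key tag:", key_tag(dnskey_rdata(256, 3, 7, ZSK_B64)))
    print(ds_record("example.com.", 257, 3, 7, TOY_KSK_B64))
```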

Configure DNSSEC on Slave DNS Server

Connect to dns-02.example.com via ssh as the root user.

Copy the KSK and ZSK files from the master to the slave DNS server.

# scp root@dns-01.example.com:/var/named/Kexample.com.* /var/named/

Include the KSK and ZSK public keys in our zone file, again using single quotes so the shell does not expand $include.

# echo '$INCLUDE Kexample.com.+007+28013.key' >> /var/named/example.com
# echo '$INCLUDE Kexample.com.+007+65445.key' >> /var/named/example.com

Edit the BIND configuration file.

# vi /etc/named.conf

Set the following directives in the options block to enable DNSSEC.

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

Edit the zone configuration file.

# vi /etc/named.conf.local

Update the zone definition as follows. As on the master, key-directory must name the directory that holds the key files copied from dns-01.example.com.

zone "example.com" {
   type slave;
   masters { 192.168.116.4; };
   file "/var/named/example.com.signed";

   # Directory holding the K<zone>+<alg>+<id>.key and .private files
   key-directory "/var/named";

   # Publish and activate DNSSEC keys automatically
   auto-dnssec maintain;

   # Use inline signing
   inline-signing yes;
};

Reload named.service to apply the changes.

# systemctl reload named.service

Check that the example.com.signed zone has been transferred to the slave DNS server.

# ls /var/named
116.168.192.in-addr.arpa  example.com         named.empty      slaves
data                      example.com.signed  named.localhost
dynamic                   named.ca            named.loopback

If you are new to Linux and find working at the Bash prompt difficult, we recommend reading The Linux Command Line, 2nd Edition: A Complete Introduction by William Shotts.

Final Thoughts

Thank you for following this guide on how to set up DNSSEC in Linux 7. If you need further assistance or prefer a professional to handle the setup, I offer expert services on Fiverr. Visit my Fiverr profile to hire me for a secure and efficient DNSSEC configuration. Let me help you enhance your domain security with ease!
