Source document: (精品)1-6 DNS安全.ppt (12 slides), shared on 得力文库.
Section 6: DNS Security
2007 Infoblox Inc. All Rights Reserved.

What are the most typical security threats to DNS? How should they be countered?

DNS Security-2: DNS was not designed for a hostile environment
[Diagram: a DNS server exposed to four kinds of threat: poisoning, updates, flood attacks, snooping.]

DNS Security-3: Some security risks and their solutions

  Problem                                    Solution
  Zone leakage                               Restrict transfers; use separate views
  Cache poisoning                            Restrict recursive queries
  Denial of service                          Use external defenses such as Intrusion Prevention Systems (IPS); rate-limit queries internally
  Unauthorized zone transfers and updates    TSIG (Trusted Signature)
  Authenticating and authorizing updates     TSIG, DNSSEC

This lecture does not go into the details of DNSSEC.

DNS Security-4: DNS and BIND Have Mechanisms to Keep DNS Data Private
[Diagram: AXFR of the zone data for "" flows from the master (192.253.253.10) to the slave (192.253.253.25); the master says "Here's """.]

Tell your masters who the slaves are:

    zone "" {
        type master;
        file "";
        allow-transfer { 192.35.195.23; 192.253.253.25; };
    };

Tell the slaves to transfer to no one:

    zone "" {
        type slave;
        masters { 192.253.253.10; };
        file "";
        allow-transfer { none; };
    };

DNS Security-5: BIND lets a server present different views
Views are selected by the source IP address; this is convenient for configuring server-to-server query restrictions.
[Diagram: Internet clients see the external view of the DNS server, company clients see the internal view. Note that the address of … is 10.0.10.20. Note that … does not exist.]
This is also called split DNS.

DNS Security-7: Additional data, if wrong, poisons the cache
[Diagram: a name server queries the server authoritative for ""; the reply actually comes from "the evil empire"; the name server says "gee, thanks!" and stores it in its cache.]

    ;; ANSWER SECTION:
    .           172800  IN  A  129.33.47.12
    ;; ADDITIONAL SECTION:
    a.root-.    172800  IN  A  192.253.253.10
    b.root-.    172800  IN  A  192.35.195.10     <- poisoned information!

DNS Security-8: If the ID is guessed, the forged record is cached
[Diagram: the name server sends three queries with header IDs a1, b1 and c1, each carrying a Question and empty Answer, Authority and Additional sections. The genuine reply for ID c1 arrives ("Answer is …"). Meanwhile "the evil empire" floods bogus answers with IDs b1, b2 and b3; the one with ID b1 matches an outstanding query, so the name server says "gee, thanks!" and puts the bogus answer in its cache.]

DNS Security-9: A name server can have two main functions
Delegated name server
  - Holds the authoritative records of a zone
  - Usually known to outside servers because it is listed in the zone's NS records
  - Accepts iterative queries from outside servers and returns authoritative answers to other name servers
Resolving name server
  - Accepts recursive queries from clients; this makes it vulnerable, especially to cache poisoning
  - Iterates down the tree to obtain the answer
  - Caches the results

DNS Security-10: Mitigate attacks by separating resolving and delegated servers
[Diagram: servers "Delegated for """ face the Internet and answer iterative queries; zone transfers (XFR) run only between them, with no unrestricted transfer and no recursion. Resolving name servers on the intranet are the default servers for corporate clients, send iterative queries to Internet zones, block external queries and hide the internal servers.]

DNS Security-11: BIND Lets You Create One Or the Other, or Run Both In One System
[Flowchart]
  Delegated only? yes -> Disable recursion; define slaves.
  Resolving only? yes -> Define legal client IPs for recursion.
  Both            -> Define clients for recursion; define slaves.
There are many options, depending on your requirements and version of BIND.

DNS Security-12: DNS Supports Dynamic Addition and Deletion of Data to Zones
More on this later in the DHCP section of this course.
[Diagram: a DHCP server sends a DNS UPDATE (labelled TSIG) to the server authoritative for "", adding to the zone data:]

    .                              IN  A    192.253.253.47
    47.253.253.192.in-addr.arpa    IN  PTR  .
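Returning to the cache-poisoning slides (DNS Security-7 and -8): the following is an added example of my own, not code from the Infoblox deck. It shows the two acceptance checks a caching resolver applies before storing a reply, which are exactly what those slides show failing: matching the transaction ID and question, and discarding out-of-bailiwick additional records. Messages are plain Python dicts; every name and address is constructed.

```python
# Added example, not from the Infoblox deck: the acceptance checks a caching
# resolver should apply before it stores a reply. They cover the two failure
# modes in slides 7 and 8: a forged reply whose transaction ID happens to match,
# and out-of-bailiwick ADDITIONAL records riding on an otherwise genuine reply.
# Messages are plain dicts; every name and address below is constructed.

def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies under it (absolute, dot-terminated)."""
    name, zone = name.lower(), zone.lower()
    if zone == ".":           # a root server may speak for any name
        return True
    return name == zone or name.endswith("." + zone)

def filter_response(query: dict, response: dict, server_zone: str) -> "list[dict] | None":
    """Return the records safe to cache, or None if the whole reply is dropped.

    query:       {"id": int, "question": (qname, qtype)}
    response:    query fields plus "answer", "authority", "additional" lists of RRs
    server_zone: the zone the queried server is authoritative for (its bailiwick)
    """
    # Check 1 (slide 8): the ID and question must echo an outstanding query.
    # The b1/b2/b3 flood only succeeds when a guess collides with a live ID,
    # which is why transaction IDs must be unpredictable.
    if response["id"] != query["id"] or response["question"] != query["question"]:
        return None
    # Check 2 (slide 7): keep only records the responding server may speak for.
    # Glue for names outside its zone is discarded rather than cached.
    return [rr for section in ("answer", "authority", "additional")
            for rr in response[section] if in_bailiwick(rr["name"], server_zone)]

# Constructed exchange: the resolver asked the example.com. server for www A.
QUERY = {"id": 0xB1, "question": ("www.example.com.", "A")}
GENUINE = {
    "id": 0xB1, "question": ("www.example.com.", "A"),
    "answer": [{"name": "www.example.com.", "type": "A", "ttl": 3600, "data": "192.0.2.10"}],
    "authority": [{"name": "example.com.", "type": "NS", "ttl": 172800, "data": "ns1.example.com."}],
    "additional": [
        {"name": "ns1.example.com.", "type": "A", "ttl": 172800, "data": "192.0.2.53"},
        # poisoned glue: example.com.'s server has no authority over bank.example.
        {"name": "www.bank.example.", "type": "A", "ttl": 172800, "data": "198.51.100.66"},
    ],
}
FORGED = {**GENUINE, "id": 0xB2}  # attacker's guess missed the live transaction ID

if __name__ == "__main__":
    print("genuine, after bailiwick filter:", [rr["name"] for rr in filter_response(QUERY, GENUINE, "example.com.")])
    print("forged reply accepted?", filter_response(QUERY, FORGED, "example.com.") is not None)
```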