CNIT 40 Proj 7x: Making a Validating Resolver with Bind on Linux (10 pts.)

What You Need for This Project

Purpose

Configure a Bind DNS resolver that validates the data it gets with DNSSEC.

Testing your Kali Linux DNS Server

Start your Kali Linux machine.

In a Terminal window, execute this command:

ping google.com
You should see replies, as shown below. If you don't see replies, you need to troubleshoot your networking.

Press Ctrl+C to stop the pings.

In a Terminal window, execute this command:

netstat -an | grep ':53 '
You should see tcp sockets in the LISTEN state and udp sockets bound to port 53 (netstat prints no state for udp), as shown below. The trailing ':53 ' in the grep keeps it from matching other ports or addresses that merely contain "53"; on a system without netstat, ss -lntup shows the same sockets.

If you don't see the listening ports, you need to restart or reinstall Bind.

In a Terminal window, execute this command:

dig @127.0.0.1 yahoo.com
You should see an ANSWER SECTION containing some IP addresses, as shown below.

If you don't see the answers, you need to restart or reinstall Bind.

This shows that your server is answering recursive queries. It is not yet validating anything: a forged answer would be passed on to the client just like a real one.

Configuring a Trust Anchor

Your server needs to trust someone. In DNSSEC, the trust anchor is the root zone's key-signing key (KSK); every other zone is validated by following the chain of DS and DNSKEY records down from it.

The first step in this process is to get the root zone's DNSKEY records.

In a Terminal window, execute this command:

dig . dnskey
Two DNSKEY records appear, as shown below. The record with flags 256 is the zone-signing key; the record with flags 257 is the key-signing key (KSK), which is the trust anchor. This dig travels over ordinary, unauthenticated DNS to whatever resolver your machine uses, so an attacker on that path could hand you a bogus key; that is why the key must be checked against the trust anchor IANA publishes (https://data.iana.org/root-anchors/) before it is trusted.

Highlight the entire record marked 257, as shown above, right-click the highlighted section, and click Copy.

In a Terminal window, execute this command:

nano /root/key
In nano, right-click in the empty space and click Paste. The whole record appears, as shown below:

Save the file with Ctrl+X, Y, Enter.

Now you need to compute the DS record for the key you saved: a hash of the DNSKEY, in the same form IANA uses to publish the root trust anchor. The command prints one line of the form ". IN DS <key tag> 8 2 <SHA-256 digest>". Compare the key tag and the digest with IANA's root-anchors.xml at https://data.iana.org/root-anchors/root-anchors.xml; if they do not match, stop, because the key you copied is not the real root key.

In a Terminal window, execute this command:

/usr/sbin/dnssec-dsfromkey -2 -f /root/key .
Next you must add the key to a managed-keys section.

In a Terminal window, execute this command:

nano /etc/bind/named.conf
Add this to the bottom of the file, replacing the key shown here with the 257 record you copied. (The example key below is the 2010 root KSK, key tag 19036, which was replaced by the 2017 KSK, key tag 20326, in the October 2018 rollover, so check the key tag that dnssec-dsfromkey printed against IANA's list rather than assuming it matches this one.) Be careful with the long key: it all needs to go on one line inside the quotes. Don't insert any carriage returns in it; the spaces between the groups of characters, as dig prints them, are fine.
managed-keys {
"." initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";
};

Save the file with Ctrl+X, Y, Enter.

Finally, you need to enable DNSSEC and DNSSEC Validation.

In a Terminal window, execute this command:

nano /etc/bind/named.conf.options
Near the top of the file, in the options section, make sure these two lines appear as shown below:
dnssec-enable yes;
dnssec-validation yes;
With dnssec-validation yes, Bind validates only against the trust anchors you configured yourself. The alternative setting dnssec-validation auto uses the root key compiled into Bind and needs no managed-keys section; it is what most production resolvers use. Newer Bind releases (9.16 and later) deprecate dnssec-enable and spell the trust-anchor block trust-anchors instead of managed-keys.

Save the file with Ctrl+X, Y, Enter.

Restart Bind

In a Terminal window, execute this command:

service bind9 restart

Troubleshooting

If Bind fails to start, check the configuration syntax first by running named-checkconf /etc/bind/named.conf; it prints the file and line of any syntax error, and a line break inside the long key is the usual cause. For the daemon's own error messages, execute this command:
tail /var/log/syslog
On a system that logs to the journal instead, use journalctl -u bind9.

Performing an Authenticated Resolution

In a Terminal window, execute this command:

dig @127.0.0.1 ietf.org +dnssec
The reply should show the ad flag in the flags line of the header, showing that the resolver validated every record in the reply (Authenticated Data), as shown below. The +dnssec option sets the DO bit, which asks for the RRSIG records along with the answer and is what lets the resolver set ad. To confirm that validation also rejects bad data, query a domain with deliberately broken DNSSEC, such as dnssec-failed.org: a validating resolver returns status SERVFAIL and no answer. Repeat that query with +cd (checking disabled) and the resolver hands back the unvalidated data, which shows that the SERVFAIL came from validation and not from a network problem.
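
How to read the result, as an added example in Python (not part of the original page, and not code from Bind or dig): the security state a validating resolver reports is visible in two header lines, status and flags, and a SERVFAIL is only a validation failure if the same query succeeds with checking disabled. The dig headers below are constructed for the example, not captured from the lab machine; diagnose_servfail is a helper written here to encode the retry-with-+cd check.

```python
"""Classify what a validating resolver reported, from dig's header alone.

Added example, not from the project page: the DNSSEC security state
(RFC 4035 section 4.3) is visible in two header lines, "status:" and
";; flags:". Standard library only.
"""
import re

# Constructed dig headers (not captured on the lab machine), one per outcome.
SECURE = (
    ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41234\n"
    ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1"
)
INSECURE = (
    ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5521\n"
    ";; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1"
)
BOGUS = (
    ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9010\n"
    ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"
)
CHECKING_DISABLED = (
    ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7777\n"
    ";; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1"
)


def parse_header(text):
    """Return (status, flag set) from a dig header, e.g. ("NOERROR", {"qr","rd","ra","ad"})."""
    status = re.search(r"status: ([A-Z]+)", text)
    flags = re.search(r";; flags: ([^;]*);", text)
    if status is None or flags is None:
        raise ValueError("not a dig header")
    return status.group(1), frozenset(flags.group(1).split())


def classify(text):
    """Map a reply header to the state the resolver is reporting.

    secure       NOERROR with ad: every RRset validated up to the trust anchor.
    insecure     NOERROR without ad: unsigned zone, or the client did not set
                 DO/AD, so nothing was validated (the data may still be right).
    unvalidated  the client sent +cd, so the resolver returned unchecked data.
    bogus        SERVFAIL: validation failed. An outage also yields SERVFAIL,
                 so use diagnose_servfail() before blaming the signatures.
    """
    status, flags = parse_header(text)
    if status == "SERVFAIL":
        return "bogus"
    if status != "NOERROR":
        return status.lower()  # NXDOMAIN, REFUSED, ... are not DNSSEC states
    if "ad" in flags:
        return "secure"
    if "cd" in flags:
        return "unvalidated"
    return "insecure"


def diagnose_servfail(first_reply, cd_retry):
    """Tell bad signatures apart from a resolution failure: repeat the query with
    +cd. If the resolver then answers, the data exists and only validation failed."""
    if parse_header(first_reply)[0] != "SERVFAIL":
        raise ValueError("first reply was not SERVFAIL")
    retry_status, retry_flags = parse_header(cd_retry)
    if "cd" not in retry_flags:
        raise ValueError("retry was not made with +cd")
    return "bogus" if retry_status == "NOERROR" else "outage"


if __name__ == "__main__":
    for name, header in [("SECURE", SECURE), ("INSECURE", INSECURE),
                         ("BOGUS", BOGUS), ("CHECKING_DISABLED", CHECKING_DISABLED)]:
        print("%-17s -> %s" % (name, classify(header)))
    print("SERVFAIL then +cd answer ->", diagnose_servfail(BOGUS, CHECKING_DISABLED))
```

The point of the fourth state is that a client can always opt out of validation with +cd, so the ad flag, not the presence of an answer, is what proves the resolver checked the chain.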

Saving a Screen Image

Make sure you can see these items:

Save a whole-desktop image with the filename "YOUR NAME Proj 7x", replacing "YOUR NAME" with your real name.

YOU MUST SUBMIT A FULL-DESKTOP IMAGE FOR FULL CREDIT!

Turning In Your Project

Email the image to me as an attachment to an e-mail message. Send it to: cnit.40@gmail.com with a subject line of "Proj 7x From YOUR NAME", replacing "YOUR NAME" with your real name.

Send a Cc to yourself.

References

OARC's Open DNSSEC Validating Resolver

HOWTO turn BIND into a Validating Resolver


12-5-18