DNS Security Training

Duration: 2 days.

La formation est aussi disponible en français.

Other courses: Basic DNS, Advanced DNS, DNS and IPv6, DNS and Telephony (VoIP), DNS on Windows Servers, LDAP Courses, Telecommunications/SS7 courses.

The primary focus of the course is BIND which is available on Linux, UNIX and Windows platforms. The course is offered with Linux (Fedora Core), FreeBSD or Windows 2003 as the platform for all excercises.

Summary

Reliable, robust and secure operation of the DNS hierarchy - from the root servers to an individual domain name server - is critical to all Internet operations. The course concentrates on the use of DNSSEC for the control of Zone Transfers, DDNS and zone Integrity and especially the automation of key-rollver using established tools. While the primary focus of the course is BIND other DNS software will be discussed.

Description

Students will review the theory behind the DNS hierarchy, the DNS protocol, forward and reverse mapping zone files. DNS (DNSSEC) security is based on modern cryptographic techniques and processes. The student will learn the underlying principles without requiring mathematical knowledge. Specific implementation of shared-secret (symmetric) and public-key (asymmetric) implementations will be detailed covering Zone Transfer, Dynamic DNS (DDNS) and Zone Integrity. Secure DDNS integration with DHCP is covered and procedurea nd requirements for key management and key-rollover are illustrated. The course includes a number of hands on configuration exercises.

Audience:

The course is designed for DNS administrators, Network and System Administrators, Security specialists and those who need a thorough understanding of DNS security. Students should have taken the Basic DNS Course or have over 2 years exposure to DNS operations.

About the Instructor

Ron Aitchison is the author of Pro DNS and BIND (Apress ISBN 1-59059-494-0) which was the first book to cover the new DNS security protocols (DNSSEC). Ron has been involved in communications and networking for more years than he cares to admit and is president and founder of Zytrax, Inc. a company specializing in IP communications (wired and wireless), systems development and consulting in Montreal, Canada. He has been involved with Open Source systems for over 10 years.

Outline:

Module 1: DNS Refresher

• The DNS hierarchy (name servers and resolvers)
• Authoritative and cached responses
• Delegation - Parent and child domains
• Forward and Reverse mapping
• DNS types
• DIG
• DNS software - options and overview

Module 2: DNS Security Basics

• Security overview
• Security threat analysis
• DNS security scope (Zone transfer, DDNS, zone integrity)
• Stealth configuration
• BIND's view clause
• Administrative security (jails, permissions, server configurations)
• BIND Logs
• BIND's server clause

Module 3: Cryptographic Introduction

• DNS usage of modern cryptography
• Symmetric cryptography
• Asymmetric cryptography
• Message digests
• Message authentication codes (MAC)
• Digital signatures
• Key Management
• The KEY RR
• BIND's key generation tools

Module 4: Securing Zone Transfers

• Methods - allow-transfer, TSIG, SIG(0) and TKEY
• The TSIG (symmetric cryptography) process
• Exercise
• The OPT meta (or pseudo) RR

Module 5: Securing DDNS

• Methods - allow-update, update-policy, TSIG and SIG(0)
• The SIG(0) (asymmetric cryptography) process
• Exercise
• The SIG RR

Module 6: Zone Integrity

• The DNS security environment
• Security-aware and security oblivious
• Securing zones - zone signing
• Chains of trust and islands
• Key rollover and maintenance
• Current implementation status
• Alternate chains of trust - DLV

Module 7: Zone signing

• Zone and key signing keys
• The DNSKEY, NSEC, NSEC3, RRSIG and DS RRs
• The dnssec-signzone utility
• Exercise

Module 6: Keyrollover and Maintenance

• Double signing
• Pre-publish
• Exercise
• Tools and utilities

Module 9: Summary

• DNS and AD (Windows)
• Security best practices
• DNS resources
• DNS software

Other courses: Basic DNS, Advanced DNS, DNS and IPv6, DNS and Telephony (VoIP).