DNS & Mail in the DMZ

Jason HeissCollective Technologies

jheiss@ofb.net jheiss@colltech.com

Firewall Architectures

Screening Router Architecture

Screened Subnet Architecture

DNS(Domain Name Service)

Goals

• Separate internal and external DNS servers– Limit the information about your network that is

publicly available

– Protect the internal DNS server from attack

• Run as separate user– Successful attack on DNS server does not give root

• Run in chroot environment– Successful attack doesn’t expose entire server

Internal BIND Configuration

• named.confoptions {

forward only;forwarders { 1.2.3.4; 1.2.3.5;};

}zone “foo.net” {

type master;file “foo.net”;

}

• No root hints file• Zone files contain full info

DMZ BIND Configuration

• named.confacl slaves { 10.1.2.3; 192.168.1.1; };options {

version “”;directory “/”; # Really /var/namednamed-xfer “/bin/named.xfer”;allow-transfer { slaves; };

}zone “.” { type hint; file “root.hints”; };zone “foo.net” {type master; file “foo.net”; };

• Zone files contain only external hosts

Running BIND as Non-root User

• Very simple starting with BIND 8– “named –u bind –g bind”

• The only things the bind user should be able to write to are files for slave zones– By default, these are dumped into the main directory

(from named.conf) with somewhat random names– This directory, therefore, would need to be writeable by

bind– Best to specify specific filenames for each slave zone in

named.conf and make only those files writeable by bind

Running BIND in chroot

• Looks simple– “named –t /var/named”

• syslog– Can’t get at /var/run/log (or /dev/log or whatever)– “syslog –l /var/named/var/run/log”– holelogd from Obtuse System’s utils package

• ndc– named makes a UNIX socket for ndc to talk to– mkdir /var/named/var/run– ln –s /var/named/var/run/ndc /var/run/ndc

Running BIND in chroot, cont.

• Slaves– Zone transfers to slaves use named-xfer– Must reside in chroot directory– Probably will require some dynamic libraries

(or compile a static version of named-xfer)• /usr/libexec/ld-elf.so.1

• /usr/lib/libutil.so.3

• /usr/lib/libc.so.4

ndc

• ndc, for the most part, works fine (reload, stop, etc.) with all of this special configuration– Need symlink from the real /var/run/ndc to the

chroot /var/run/ndc if chroot’d

• ‘ndc start’ fires up named with no arguments– ‘ndc start –u bind –g bind –t /var/named’

Complications

• Subdomains– client.foo.net queries intradns.foo.net for

host.sub.foo.net– Intradns ignores delegation and forwards query

to bastion host– Bastion host is authoritative for (limited)

foo.net, doesn’t know about sub.foo.net, and thus returns NXDOMAIN

Complications, cont.

• Subdomains, cont.– If you are big enough to need subdomains, you

can probably afford a couple extra PCs to separate external DNS from forwarders

– See DNS & Bind (DNS and Internet Firewalls section) for extensive discussion of problems and solutions

Complications, cont.

• Double-reverse DNS lookups– Performed by many FTP sites

– Server looks up hostname associated with connecting IP

– Server then looks up IP associated with that hostname

– This IP must match original

– Requires unique A and PTR records for all public IPs

– Good case for proxies or NAT/PAT (masquerading)

Mail

Goals

• Separate internal and external mail servers– Protects internal mail server(s) from attack

– Provides choke point to apply filters• Masquerading

• Virus scanning

• Run as separate user• Run in chroot environment

– Sendmail does not have a built-in chroot feature

– Would be a good idea if your MTA supports it

Internal Sendmail Configuration

FEATURE(`local_procmail')dnl

FEATURE(`mailertable')dnl

MAILER(`local')dnl

MAILER(`smtp')dnl

define(`SMART_HOST', `bastion.foo.net')dnl

Internal Sendmail Config, cont.

• /etc/mail/mailertablefoo.net local:

.foo.net local:

• /etc/mail/relay-domainsfoo.net

DMZ Sendmail Configuration

MASQUERADE_AS(`foo.net')dnlFEATURE(`mailertable')dnlFEATURE(`access_db’)dnlMAILER(`smtp')dnldefine(`confRUN_AS_USER', `mail:mail')dnl

define(`confSMTP_LOGIN_MSG', `')dnldefine(`confPRIVACY_FLAGS', `goaway')dnl

DMZ Sendmail Config, cont.

• /etc/mail/mailertablefoo.net smtp:mailhub.foo.net

.foo.net smtp:mailhub.foo.net

• /etc/mail/accessConnect:mailhub.foo.net RELAY

To:foo.net RELAY

Running Sendmail as Non-root User

• Queue should be owned by mail user so that Sendmail can queue mail temporarily

• Otherwise user should have no privileges

References

• BIND– Grasshopper (Cricket) book (O’Reilly)

– Building Internet Firewalls (O’Reilly)

– Linux HOWTO

• Sendmail– www.sendmail.org (Configuration Information)

– www.sendmail.net (Good release notes)

– ofb.net/~jheiss/sendmail_proxy.html

– Bat book (O’Reilly)