DNS Root Zone KSK2017 Rollover | CentOS 7 | Bind

 

Much as you periodically change a password, ICANN is rolling the DNS root zone Key Signing Key from KSK-2010 (key tag 19036) to KSK-2017 (key tag 20326). The root zone KSK is the trust anchor at the top of the DNSSEC chain of trust: every validating resolver has to hold the new key before the root zone is signed with it, otherwise validation of every signed name on the Internet fails.

 

Affected Systems

You need to care about this if:

✔ you are running a recursive (caching) DNS server, and

✔ that server performs DNSSEC validation.

Authoritative-only servers do not validate and are not affected.

How can you be sure your server is validating? dnssec-failed.org is a deliberately mis-signed test zone, so ask your own server for it from the server itself:

# dig @localhost dnssec-failed.org a +dnssec | grep HEADER
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 28119

If status = SERVFAIL, DNSSEC validation is enabled (the bogus signature was rejected).

If status = NOERROR, validation is disabled (the answer was accepted unchecked).

A SERVFAIL for a correctly signed name, on the other hand, points to a different problem (broken trust anchor, wrong clock, unreachable upstream), not to validation working.

Okay, I'm affected. What now?

 

Solution Steps

The easiest way to prepare the server for KSK-2017 is to let it follow "Automated Updates of DNS Security (DNSSEC) Trust Anchors" (RFC 5011), so named picks up the new key from the root zone and retires the old one by itself. The following steps are specific to the Red Hat family.

1. Make sure the latest bind package is installed, or at least BIND 9.9 (CentOS 7 ships 9.9.4, and the 9.9.4-61.el7 build shown here already carries both root keys in its named.root.key):

# yum install bind
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.dhakacom.com
* epel: ftp.cuhk.edu.hk
* extras: mirror.dhakacom.com
* updates: mirror.dhakacom.com
Package 32:bind-9.9.4-61.el7.x86_64 already installed and latest version
Nothing to do

2. In the options block of /etc/named.conf make sure dnssec-validation auto; is set. "auto" tells named to bootstrap its trust anchors from /etc/named.root.key and then track the root KSK per RFC 5011; the older combination of dnssec-validation yes; with a static trusted-keys block does not roll over and would have to be edited by hand. Restart named if you change anything.

That's it!

 

Validation

Confirm that KSK-2017 (key tag 20326) is present both in the initial anchor file and in the managed-keys database that named maintains itself. /etc/named.root.key is only used to bootstrap; once named has created /var/named/dynamic/managed-keys.bind the live state lives there, so that is the file that matters. Each KEYDATA record in it carries three timestamps (next refresh, add hold-down, remove hold-down; 19700101000000 means unset), so a key with 19700101000000 in the third field is not scheduled for removal, and the key tag is printed in the trailing comment of each record.

# cat /etc/named.root.key 
managed-keys {
        # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
        # for current trust anchor information.
        #
        # This key (19036) is to be phased out starting in 2017. It will
        # remain in the root zone for some time after its successor key
        # has been added. It will remain this file until it is removed from
        # the root zone.
        . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";

        # This key (20326) is to be published in the root zone in 2017.
        # Servers which were already using the old key should roll to the
        # new # one seamlessly.  Servers being set up for the first time
        # can use either of the keys in this file to verify the root keys
        # for the first time; thereafter the keys in the zone will be
        # trusted and maintained automatically.
        . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=";
};
# cat /var/named/dynamic/managed-keys.bind
$ORIGIN .
$TTL 0  ; 0 seconds
@                       IN SOA  . . (
                                244        ; serial
                                0          ; refresh (0 seconds)
                                0          ; retry (0 seconds)
                                0          ; expire (0 seconds)
                                0          ; minimum (0 seconds)
                                )
                        KEYDATA 20180824154419 20180118081629 19700101000000 257 3 8 (
                                AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
                                bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
                                /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
                                JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
                                oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
                                LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
                                Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
                                LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
                                ) ; KSK; alg = RSASHA256; key id = 19036
                        KEYDATA 20180824154419 20180118081629 19700101000000 257 3 8 (
                                AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
                                iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
                                7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
                                LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
                                efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
                                pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
                                A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
                                9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
                                ) ; KSK; alg = RSASHA256; key id = 20326
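The check above is done by eye. As an added example (not from the original post or from ISC), the following script automates the two things that matter for the rollover on a CentOS 7 resolver: that named.conf really uses dnssec-validation auto;, and that key tag 20326 in managed-keys.bind is in the trusted state rather than pending or being removed. Because BIND 9.9.4 lacks the rndc managed-keys status command of newer releases, it reads the file directly. Paths are parameters, and it ships with constructed copies of the named.conf and managed-keys.bind shown above (key material abbreviated) so it runs anywhere; the state names trusted/pending/removing/absent and the sample evaluation date 2018-08-23 are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from ISC): pre-flight check
# for the root KSK-2017 rollover on a BIND 9.9 resolver. BIND 9.9.4 has no
# "rndc managed-keys status" (that arrived in 9.11), so the state is read
# straight from managed-keys.bind. All paths are parameters; the constructed
# samples at the bottom (key material abbreviated) let it run anywhere.

KSK2017_TAG=20326   # root KSK-2017, the key being rolled in
KSK2010_TAG=19036   # root KSK-2010, the key being retired

# conf_uses_auto_validation NAMED_CONF
# 0 if an uncommented "dnssec-validation auto;" line is present. Strips "#"
# and "//" line comments first; "/* */" block comments are not handled.
conf_uses_auto_validation() {
    sed 's/#.*//; s,//.*,,' "$1" |
        grep -Eq '^[[:space:]]*dnssec-validation[[:space:]]+auto[[:space:]]*;'
}

# managed_key_state MANAGED_KEYS_BIND KEY_TAG [NOW_AS_YYYYMMDDHHMMSS]
# Prints trusted | pending | removing | absent. A KEYDATA record carries
# three timestamps: next refresh, add hold-down and remove hold-down
# (19700101000000 = unset). The key is usable once the add hold-down time
# has passed (RFC 5011's 30-day wait); a set remove hold-down means the key
# was seen revoked and is being retired. The key tag only appears in the
# trailing "; ... key id = N" comment, so both lines are needed.
managed_key_state() {
    now=${3:-$(date -u +%Y%m%d%H%M%S)}
    awk -v tag="$2" -v now="$now" '
        $1 == "KEYDATA" { addhd = $3; removehd = $4; next }
        /key id = / {
            id = $0
            sub(/.*key id = */, "", id); sub(/[^0-9].*/, "", id)
            if (id != tag) next
            found = 1
            if (removehd != "19700101000000")  print "removing"
            else if (addhd + 0 > now + 0)      print "pending"
            else                               print "trusted"
            exit
        }
        END { if (!found) print "absent" }
    ' "$1"
}

# ksk2017_ready NAMED_CONF MANAGED_KEYS_BIND [NOW]
# 0 only when validation is automatic and KSK-2017 is already trusted.
ksk2017_ready() {
    if ! conf_uses_auto_validation "$1"; then
        echo "FAIL: $1 lacks 'dnssec-validation auto;' (a static trusted-keys anchor will not roll)"
        return 1
    fi
    new=$(managed_key_state "$2" "$KSK2017_TAG" "$3")
    old=$(managed_key_state "$2" "$KSK2010_TAG" "$3")
    echo "KSK-2017 ($KSK2017_TAG): $new; KSK-2010 ($KSK2010_TAG): $old"
    [ "$new" = trusted ]
}

# ---- constructed samples modelled on the files shown above ----
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/named.conf" <<'EOF'
options {
        // dnssec-validation yes;   // old static setting, now commented out
        dnssec-enable yes;
        dnssec-validation auto;
};
EOF
cat > "$TMP/named-static.conf" <<'EOF'
options {
        dnssec-validation yes;      // relies on a hand-maintained trusted-keys block
};
EOF
cat > "$TMP/managed-keys.bind" <<'EOF'
$ORIGIN .
$TTL 0  ; 0 seconds
@                       IN SOA  . . ( 244 0 0 0 0 )
                        KEYDATA 20180824154419 20180118081629 19700101000000 257 3 8 (
                                AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
                                ) ; KSK; alg = RSASHA256; key id = 19036
                        KEYDATA 20180824154419 20180118081629 19700101000000 257 3 8 (
                                AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
                                ) ; KSK; alg = RSASHA256; key id = 20326
EOF

# Stand-alone run, evaluated as of 2018-08-23 (the day before the refresh
# stamp above). On a live CentOS 7 resolver use:
#   ksk2017_ready /etc/named.conf /var/named/dynamic/managed-keys.bind
ksk2017_ready "$TMP/named.conf" "$TMP/managed-keys.bind" 20180823000000
```

On a live server run it against /etc/named.conf and /var/named/dynamic/managed-keys.bind. The "pending" branch is what you would see during the 30-day add hold-down if the key had been learned from the root zone rather than from the package's initial-key file, and "removing" is what KSK-2010 will show once ICANN revokes it.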

 

References:

  • https://www.youtube.com/watch?v=d7H1AkC9PIw
  • https://kb.isc.org/article/AA-01529/169/KSK-2010-Rollover.html
  • https://www.icann.org/dns-resolvers-updating-latest-trust-anchor
  • https://www.rfc-editor.org/rfc/rfc8145.txt

IPv6 Reverse DNS Delegation Zone (BIND)

/etc/named.conf options

options {
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; 2000:5a40:0:1::136; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; 2000:5a40::/32; };
allow-query-cache { localhost; 2000:5a40::/32; };
recursion yes;
};

allow-query restricts who may query the server at all, and allow-query-cache (which allow-recursion defaults to) restricts recursive service to your own prefix. The zone declaration below overrides allow-query for the reverse zone only, so the rest of the Internet can look up your PTR records without being able to use the server as an open resolver.

Zone declaration

zone "0.4.a.5.0.0.0.2.ip6.arpa" IN {
type master;
file "reverse-2000:5A40";
allow-update { none; };
allow-query { any; };
};

Zone file

$TTL 1h ; Default TTL
@ IN SOA ns1.jalam.me. jasim.alam.jalam.me. (
2018062401 ; serial
1h ; slave refresh interval
15m ; slave retry interval
1w ; slave copy expire time
1h ; NXDOMAIN cache time
)
; domain name servers
@ IN NS ns1.jalam.me.

; IPv6 PTR entries
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.a.5.0.0.0.2.ip6.arpa. IN PTR host1.jalam.me.
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.a.5.0.0.0.2.ip6.arpa. IN PTR host2.jalam.me.

 

Check the configuration and the zone before restarting BIND:

# named-checkconf /etc/named.conf
# named-checkzone 0.4.a.5.0.0.0.2.ip6.arpa /var/named/reverse-2000\:5A40
zone 0.4.a.5.0.0.0.2.ip6.arpa/IN: loaded serial 2018062401 OK

Then don't forget to restart the BIND service (and bump the serial every time you edit the zone, or secondaries will not pick up the change):

# systemctl restart named

Test the delegation from outside with an online reverse DNS lookup tool, for example https://network-tools.webwiz.net/reverse-dns.htm

Some useful tools for generating ip6.arpa names:

  • http://www.zytrax.com/books/dns/ch3/#ipv6-tool-rev
  • http://rdns6.com/zone
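The two PTR lines above were typed by hand, and the online generators listed are the usual way to avoid mistakes in the 32-nibble owner names. The script below is an added, offline equivalent (not from the original post): it expands an IPv6 address, reverses its nibbles under ip6.arpa, derives the zone name for a prefix on a nibble boundary, and emits PTR records. Run with the post's prefix and hostnames it reproduces the zone name and the records above; the hostnames host1/host2.jalam.me come from the post, everything else is the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): offline generator for ip6.arpa
# names, replacing the online tools linked above. expand_ipv6 and
# reverse_nibbles do the work; zone_name and ptr_record build what goes into
# named.conf and the zone file. Hostnames below are the post's; the rest is
# the example's own.

# expand_ipv6 ADDR -> the address as 32 hex digits without colons.
# Accepts one "::" and mixed case; returns 1 on malformed input.
expand_ipv6() {
    a=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case $a in
        *::*::*) return 1 ;;                          # more than one "::"
        *::*)    l=${a%%::*}; r=${a#*::}; has_gap=1 ;;
        *)       l=$a; r=; has_gap=0 ;;
    esac
    out=; n=0
    for g in $(printf '%s' "$l" | tr ':' ' '); do
        case $g in *[!0-9a-f]*|?????*) return 1 ;; esac   # 1-4 hex digits per group
        out="$out$(printf '%4s' "$g" | tr ' ' 0)"; n=$((n + 1))
    done
    rout=; m=0
    for g in $(printf '%s' "$r" | tr ':' ' '); do
        case $g in *[!0-9a-f]*|?????*) return 1 ;; esac
        rout="$rout$(printf '%4s' "$g" | tr ' ' 0)"; m=$((m + 1))
    done
    fill=$((8 - n - m))
    if [ "$has_gap" -eq 1 ]; then
        [ "$fill" -ge 1 ] || return 1   # "::" must stand for at least one zero group
    else
        [ "$fill" -eq 0 ] || return 1   # without "::" exactly 8 groups are required
    fi
    while [ "$fill" -gt 0 ]; do out="${out}0000"; fill=$((fill - 1)); done
    printf '%s\n' "$out$rout"
}

# reverse_nibbles: hex digits on stdin -> "d.c.b.a.ip6.arpa."
reverse_nibbles() {
    awk '{ for (i = length($0); i > 0; i--) printf "%s.", substr($0, i, 1); print "ip6.arpa." }'
}

# ptr_name ADDR -> the full ip6.arpa owner name of ADDR
ptr_name() {
    hex=$(expand_ipv6 "$1") || return 1
    printf '%s\n' "$hex" | reverse_nibbles
}

# zone_name PREFIX/LEN -> reverse zone for the prefix; LEN must be a
# multiple of 4, because ip6.arpa delegations happen on nibble boundaries.
zone_name() {
    prefix=${1%/*}; len=${1##*/}
    [ "$len" != "$1" ] || return 1
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -ge 4 ] && [ "$len" -le 128 ] && [ $((len % 4)) -eq 0 ] || return 1
    hex=$(expand_ipv6 "$prefix") || return 1
    printf '%s\n' "$hex" | cut -c1-$((len / 4)) | reverse_nibbles
}

# ptr_record ADDR HOSTNAME -> one zone-file line, hostname made absolute
ptr_record() {
    owner=$(ptr_name "$1") || return 1
    printf '%s IN PTR %s\n' "$owner" "${2%.}."
}

# Stand-alone demo with the post's /32 and hosts.
zone_name 2000:5a40::/32
ptr_record 2000:5a40::1 host1.jalam.me
ptr_record 2000:5a40::2 host2.jalam.me
```

Feed it your address inventory (one "address hostname" pair per line through a loop over ptr_record) and paste the output into the zone file; named-checkzone will then only have to complain about the serial.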

 

Regenerating Link-Local IPv6 Addresses on MikroTik

A link-local (fe80::/64) address is generated automatically on every interface once the IPv6 package is enabled (enabling the package is covered in the DHCPv6 post further down).

[admin@Mikrotik] > /ipv6 address print 
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local 
# ADDRESS FROM-POOL INTERFACE 
0 DL fe80::e97:42ff:fef5:7a00/64 ether1 
1 DL fe80::e97:42ff:fef5:7a03/64 ether4 
2 DL fe80::e97:42ff:fef5:7a01/64 ether2 
3 DL fe80::e97:42ff:fef5:7a02/64 ether3 
4 DL fe80::dcac:40ff:feed:b345/64 loopback-1

Unlike IPv4, IPv6 relies on link-local addresses for the machinery of routing: Neighbor Discovery, router advertisements and routing-protocol adjacencies (OSPFv3, BGP next hops) all run over them. Deleting one by mistake therefore breaks forwarding on that interface even though its global address stays configured.

[admin@Mikrotik] > /ipv6 address print 
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local 
# ADDRESS FROM-POOL INTERFACE 
0 DL fe80::e97:42ff:fef5:7a03/64 ether4 
1 DL fe80::e97:42ff:fef5:7a01/64 ether2 
2 DL fe80::e97:42ff:fef5:7a02/64 ether3 
3 DL fe80::dcac:40ff:feed:b345/64 loopback-1 
4 G 2000:5a40:0:11::2/126 ether1

Compare the two listings: ether1 has lost its link-local entry and only the global address 2000:5a40:0:11::2/126 remains, so neighbours on that link are no longer reachable.

How to regenerate the link-local IPv6 address on MikroTik when it has been deleted?

The fix is simple: reset (disable and re-enable) the interface. This applies to every interface type (Ethernet, VLAN, bridge). To keep the disruption to live traffic short, issue both commands on one line from the /interface ethernet menu; if the interface carries your own management session, enter Safe Mode first (Ctrl-X) so the router rolls the change back should you get cut off:

/interface ethernet disable 0; enable 0

Result:

[admin@Mikrotik] /interface ethernet> /ipv6 address print 
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local 
# ADDRESS FROM-POOL INTERFACE ADVERT
0 DL fe80::e97:42ff:fef5:7a03/64 ether4 no 
1 DL fe80::e97:42ff:fef5:7a01/64 ether2 no 
2 DL fe80::e97:42ff:fef5:7a02/64 ether3 no 
3 DL fe80::dcac:40ff:feed:b345/64 lo-1 no 
4 G 2000:5a40:0:11::2/126 ether1 no 
5 DL fe80::e97:42ff:fef5:7a00/64 ether1 no 

 

DHCPv6: CentOS 7 Server & Mikrotik Client

IPv6 DHCP configuration with CentOS 7 as the DHCPv6 server and a MikroTik router as the client.

Note: this assumes the server interface already has an address from the subnet (see the static IPv6 post further down).

Subnet: 2000:5a40:0:12::/64

Gateway IP: 2000:5a40:0:12::1/64

Pool: 2000:5a40:0:12::100 to 2000:5a40:0:12::200

 

  1. Verify that the dhcp package is installed
# yum list installed | grep dhcp

dhcp.x86_64 12:4.2.5-68.el7.centos.1 @updates
dhcp-common.x86_64 12:4.2.5-68.el7.centos.1 @updates
dhcp-libs.x86_64 12:4.2.5-68.el7.centos.1 @updates

If not installed, you may install via yum

# yum install -y dhcp

 

2. Edit the configuration file, then start and enable the service

# vi /etc/dhcp/dhcpd6.conf

default-lease-time 3600; # 1 hour
max-lease-time 86400; # 1 day
authoritative;
allow leasequery;
dhcpv6-lease-file-name "/var/lib/dhcpd/dhcpd6.leases";


subnet6 2000:5a40:0:12::/64 {
# either range declaration format is accepted; note that the CIDR form
# covers ::100 to ::1ff, slightly more than the explicit ::100-::200 range
#range6 2000:5a40:0:12::100 2000:5a40:0:12::200;
range6 2000:5a40:0:12::100/120;
option dhcp6.name-servers 2001:4860:4860::8888;
option dhcp6.domain-search "jalam.me";
}

dhcpd6 only serves a subnet6 if one of the server's own interfaces has an address inside it, and clients reach it on UDP port 547, so open that port (firewalld's dhcpv6 service) if a host firewall is active.

# systemctl start dhcpd6

# systemctl enable dhcpd6

 

3. MikroTik client configuration

The IPv6 package is disabled on MikroTik by default. Check it under /system package; if it is disabled, enable it and reboot the router. Then add the client (request=address asks for an IA_NA address; request=prefix would ask for prefix delegation instead):

[admin@Mikrotik] > /ipv6 dhcp-client add interface=ether2 request=address

 

4. Verification

On the MikroTik:

[admin@Mikrotik] > /ipv6 dhcp-client print 

Flags: D - dynamic, X - disabled, I - invalid 
# INTERFACE   STATUS   REQUEST   PREFIX  ADDRESS 
0 ether2      bound    address           2000:5a40:0:12::1d6, 51m45s 


[admin@Mikrotik] > /ipv6 address print 
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local 
# ADDRESS                        FROM-POOL INTERFACE ADVERTISE
0 DL fe80::e97:42ff:fef5:7a00/64             ether1     no 
1 DL fe80::e97:42ff:fef5:7a02/64             ether3     no 
2 DL fe80::e97:42ff:fef5:7a03/64             ether4     no 
3 DL fe80::e97:42ff:fef5:7a01/64             ether2     no 
4 DG 2000:5a40:0:12::1d6/64                  ether2     no 


[admin@Mikrotik] > ping 2000:5a40:0:12::1 count=1 

SEQ  HOST               SIZE   TTL   TIME   STATUS 
0    2000:5a40:0:12::1   56    64    3ms    echo reply 

sent=1 received=1 packet-loss=0% min-rtt=3ms avg-rtt=3ms max-rtt=3ms 

DHCPv6 hands out an address and the DNS options but no default route: that comes from router advertisements (or a static route on the client), which is why only the on-link gateway is pinged here.

On the server:

# cat /var/lib/dhcpd/dhcpd6.leases


# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-4.2.5

server-duid "\000\001\000\001\"\265\204\217\000\014)\\f\025";

ia-na "\002\000\000\000\000\003\000\001\014\227B\365z\000" {
cltt 5 2018/06/15 10:42:22;
iaaddr 2000:5a40:0:12::1d6 {
binding state active;
preferred-life 2250;
max-life 3600;
ends 5 2018/06/15 11:42:22;
}
}
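The server-duid and ia-na values in the lease file are binary strings written with octal escapes, which makes it hard to tell at a glance which client a lease belongs to. As an added example (not from the original post or from ISC DHCP), the script below decodes them: it turns the escaped string back into bytes, splits the ia-na key into IAID and DUID per RFC 8415, and, for a DUID-LL or DUID-LLT, derives the EUI-64 link-local address of the NIC that owns the embedded MAC. Run on the two strings above it shows that the client DUID carries the router's base MAC 0c:97:42:f5:7a:00, the one behind ether1's fe80::e97:42ff:fef5:7a00 in the earlier post, and that the server DUID carries a VMware MAC. Both strings are copied from the lease file above; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post or from ISC DHCP): decode the
# octal-escaped binary strings dhcpd writes for server-duid and ia-na, so a
# lease can be tied back to a client NIC. Field layouts follow RFC 8415
# (section 11 for DUIDs); the two sample strings are copied from the lease
# file above.

# octal_string_to_hex STRING -> lowercase hex of the decoded bytes.
# dhcpd prints non-printable bytes as \ooo (always three octal digits),
# escapes '"' and '\' with a backslash, and writes everything else raw.
# Decoding is done in awk rather than with printf so that a \ooo followed
# by a literal digit cannot be misread.
octal_string_to_hex() {
    printf '%s\n' "$1" | awk '
        BEGIN { for (i = 32; i < 127; i++) ord[sprintf("%c", i)] = i }
        {
            out = ""
            for (i = 1; i <= length($0); i++) {
                c = substr($0, i, 1)
                if (c == "\\") {
                    n = substr($0, i + 1, 3)
                    if (n ~ /^[0-7][0-7][0-7]$/) {
                        v = 0
                        for (j = 1; j <= 3; j++) v = v * 8 + substr(n, j, 1)
                        i += 3
                    } else { v = ord[substr($0, i + 1, 1)]; i += 1 }   # \" or \\
                } else v = ord[c]
                out = out sprintf("%02x", v)
            }
            print out
        }'
}

# Fixed-width field helpers: first N chars of a hex string / everything after.
first() { printf '%s' "$2" | cut -c1-"$1"; }
after() { printf '%s' "$2" | cut -c"$(( $1 + 1 ))"-; }

# format_mac HEX12 -> aa:bb:cc:dd:ee:ff
format_mac() { printf '%s' "$1" | sed 's/../&:/g; s/:$//'; }

# decode_duid HEX -> one human-readable line (DUID-LLT time is seconds
# since 2000-01-01 UTC).
decode_duid() {
    type=$(first 4 "$1"); rest=$(after 4 "$1")
    case $type in
        0001) printf 'DUID-LLT hwtype=0x%s time=0x%s mac=%s\n' \
                  "$(first 4 "$rest")" "$(first 8 "$(after 4 "$rest")")" \
                  "$(format_mac "$(after 12 "$rest")")" ;;
        0002) printf 'DUID-EN enterprise=0x%s id=%s\n' "$(first 8 "$rest")" "$(after 8 "$rest")" ;;
        0003) printf 'DUID-LL hwtype=0x%s mac=%s\n' "$(first 4 "$rest")" \
                  "$(format_mac "$(after 4 "$rest")")" ;;
        0004) printf 'DUID-UUID uuid=%s\n' "$rest" ;;
        *)    printf 'DUID type 0x%s (unknown) raw=%s\n' "$type" "$rest" ;;
    esac
}

# decode_ia_na HEX -> the 4-byte IAID followed by the client DUID
decode_ia_na() {
    printf 'IAID=0x%s %s\n' "$(first 8 "$1")" "$(decode_duid "$(after 8 "$1")")"
}

# eui64_link_local MAC -> the fe80:: address SLAAC derives from MAC (flip
# the universal/local bit of the first byte, insert ff:fe in the middle).
eui64_link_local() {
    m=$(printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f')
    [ ${#m} -eq 12 ] || return 1
    set -- $(printf '%s\n' "$m" | sed 's/../& /g')
    printf 'fe80::%x:%xff:fe%02x:%x\n' \
        $(( ((0x$1 ^ 2) << 8) | 0x$2 )) $(( 0x$3 )) $(( 0x$4 )) $(( (0x$5 << 8) | 0x$6 ))
}

# lease_client_summary IA_NA_STRING -> IAID, DUID and, when a MAC is
# embedded, the link-local address that NIC will carry.
lease_client_summary() {
    duid=$(decode_ia_na "$(octal_string_to_hex "$1")")
    case $duid in
        *mac=*) printf '%s link-local=%s\n' "$duid" "$(eui64_link_local "${duid##*mac=}")" ;;
        *)      printf '%s\n' "$duid" ;;
    esac
}

# Sample strings copied from the dhcpd6.leases shown above.
SERVER_DUID='\000\001\000\001\"\265\204\217\000\014)\\f\025'
IA_NA='\002\000\000\000\000\003\000\001\014\227B\365z\000'

# Stand-alone run.
decode_duid "$(octal_string_to_hex "$SERVER_DUID")"
lease_client_summary "$IA_NA"
```

The IAID (0x02000000 here) is chosen by the client per interface, so a router with several DHCPv6 client instances shows up with the same DUID and different IAIDs; the DUID, not the IAID, is what you would pin a fixed address to with a host6 declaration.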

 

References:

  • https://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/ch22s06.html
  • https://wiki.mikrotik.com/wiki/Manual:IPv6/DHCP_Client

 

Static IPv6 Configuration on CentOS 7

  1. Enabling IPv6

IPv6 is enabled on CentOS 7 by default. You can verify the status (one line per address: the address as 32 hex digits, interface index, prefix length, scope, flags and device name):

# cat /proc/net/if_inet6 

00000000000000000000000000000001 01 80 10 80 lo
20005a40000000120000000000000100 02 40 00 80 ens33
fe80000000000000020c29fffe5c6601 03 40 20 80 ens38
fe80000000000000020c29fffe5c66f7 02 40 20 80 ens33

If /proc/net/if_inet6 does not exist, IPv6 has been switched off somewhere. Try loading the module first:

# modprobe ipv6
# lsmod | grep ipv6

(on CentOS 7 the IPv6 stack is normally built into the kernel, so lsmod showing nothing is not by itself a problem). If ipv6.disable=1 is present in GRUB_CMDLINE_LINUX in /etc/default/grub, remove that token rather than appending a second GRUB_CMDLINE_LINUX line, which would replace the entire kernel command line; then rebuild the grub configuration and reboot:

# sed -i 's/ ipv6.disable=1//' /etc/default/grub
# grub2-mkconfig -o /boot/grub2/grub.cfg
# shutdown -r now

Also make sure IPv6 is not disabled through sysctl (a value of 1 means disabled). Setting the values with -w takes effect immediately; to make it survive a reboot, also remove any disable_ipv6 = 1 lines from /etc/sysctl.conf and /etc/sysctl.d/:

# sysctl net.ipv6.conf.all.disable_ipv6 net.ipv6.conf.default.disable_ipv6
# sysctl -w net.ipv6.conf.all.disable_ipv6=0
# sysctl -w net.ipv6.conf.default.disable_ipv6=0

 

2. Configuring a static IPv6 address

# vi /etc/sysconfig/network-scripts/ifcfg-ens33

# append the lines below
NM_CONTROLLED=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6ADDR="2000:5a40:0:12::100/64"
IPV6_DEFAULTGW=2000:5a40:0:12::1

IPV6_AUTOCONF=yes lets the interface also pick up SLAAC addresses and routes from router advertisements; set it to no if the host should carry only the static address. NM_CONTROLLED=no hands the interface to the legacy network service, which must then be enabled; here NetworkManager is disabled altogether:

# systemctl disable NetworkManager
# systemctl stop NetworkManager
# systemctl enable network
# systemctl start network

3. Verification
# ip a s | grep inet6

inet6 ::1/128 scope host 
inet6 2000:5a40:0:12::100/64 scope global 
inet6 fe80::20c:29ff:fe5c:66f7/64 scope link 
inet6 fe80::20c:29ff:fe5c:6601/64 scope link

# ip -6 addr show | grep inet6

inet6 ::1/128 scope host 
inet6 2000:5a40:0:12::100/64 scope global 
inet6 fe80::20c:29ff:fe5c:66f7/64 scope link 
inet6 fe80::20c:29ff:fe5c:6601/64 scope link

# ip -6 route show

unreachable ::/96 dev lo metric 1024 error -113 
2000:5a40:0:12::/64 dev ens33 proto kernel metric 256 
unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113 
fe80::/64 dev ens33 proto kernel metric 256 
fe80::/64 dev ens38 proto kernel metric 256
default via 2000:5a40:0:12::1 dev ens33 metric 1 pref medium

# ping6 2000:5a40:0:12::1 -c 1

PING 2000:5a40:0:12::1(2000:5a40:0:12::1) 56 data bytes
64 bytes from 2000:5a40:0:12::1: icmp_seq=1 ttl=64 time=2.03 ms

--- 2000:5a40:0:12::1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.032/2.032/2.032/0.000 ms

 

Secure Zimbra Server from Memcached Attack

The memcached amplification attacks (memcrashed) made a lot of noise in 2018. Zimbra uses memcached for distributed caching in the proxy (nginx) setup, and out of the box it binds to every address and answers any request without authentication: on UDP port 11211 that makes the server a reflector an attacker can use to amplify traffic against a third party, and over TCP anyone can read or alter the cached data.

Checking Vulnerability

To check whether your server is exposed, connect from outside your network with telnet. If the connection is accepted (a blank screen rather than "connection refused" or a timeout) the service is reachable; type stats and the server answers with its statistics, confirming that it serves unauthenticated requests:

 telnet <IP of zimbra server> 11211

or run Nmap from outside the network (add -sU to cover the UDP side, which is what the amplification attack uses):

nmap <IP of zimbra server> -p 11211 --script memcached-info

Sample Nmap result of a vulnerable server:

[screenshot: memcached-info output from an exposed server]

Mitigation

Any one of the following methods will do:

  1. If the server sits behind a firewall, drop all incoming and outgoing TCP and UDP traffic on port 11211 between untrusted networks and the DMZ.
  2. If there is no perimeter firewall but netfilter is running on the host, use the following iptables rules. Note that -I inserts at the top of the chain, so the DROP rules are inserted first and the ACCEPT rules last, leaving the ACCEPTs above the DROPs; inserting them in the opposite order would block Zimbra's own local clients as well. Matching on the loopback interface (-i lo) rather than on a source address also covers local clients that connect to the server's real IP. On CentOS 7 "service iptables save" needs the iptables-services package; with firewalld use equivalent rich rules instead.
iptables -I INPUT -p udp --dport 11211 -j DROP
iptables -I INPUT -p tcp --dport 11211 -j DROP
iptables -I INPUT -i lo -p udp --dport 11211 -j ACCEPT
iptables -I INPUT -i lo -p tcp --dport 11211 -j ACCEPT
service iptables save

3. If you want neither of the above, make Zimbra's memcached listen on localhost only. This is fine on a single-server install; in a multi-node deployment where proxy nodes on other hosts use this memcached, bind it to the internal interface instead and rely on the firewall, or the remote proxies will no longer reach it.

su - zimbra
/opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedBindAddress 127.0.0.1 
/opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedClientServerList 127.0.0.1
zmmemcachedctl restart

[screenshot: memcached bind status before the change]

[screenshot: memcached bind status after the change]

 

Verification

Run the same Nmap script again; port 11211 should now show as closed (bound to localhost) or filtered (dropped by the firewall), and the memcached-info script should return nothing.

[screenshot: nmap verification]
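Whichever mitigation you choose, the thing to verify on the host itself is what memcached is bound to, and from outside, whether port 11211 still answers. The script below is an added example (not from the original post or from Zimbra): memcached_exposure reads the output of ss -lntu and flags every 11211 listener that is not on 127.0.0.1/::1, and memcached_probe sends the stats command the way the memcrashed scanners did. The two socket tables are constructed to resemble a Zimbra node before and after zimbraMemcachedBindAddress is set; the function names and the nc/awk dependencies are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from Zimbra): classify each
# memcached listener in `ss -lntu` output as loopback-only or reachable from
# the network, and (from outside) probe the port the way the memcrashed
# scanners did. The socket tables at the bottom are constructed to resemble
# a Zimbra node before and after the bind-address fix.

# memcached_exposure SS_OUTPUT [PORT]
# Prints "<proto> <local socket> loopback|non-loopback" for every listener
# on PORT; returns 1 if any is bound to something other than 127.0.0.1/::1
# (wildcard "*", 0.0.0.0 and [::] included).
memcached_exposure() {
    printf '%s\n' "$1" | awk -v port="${2:-11211}" '
        $5 ~ (":" port "$") {
            addr = $5; sub(":" port "$", "", addr)
            state = (addr == "127.0.0.1" || addr == "[::1]") ? "loopback" : "non-loopback"
            if (state == "non-loopback") bad = 1
            print $1, $5, state
        }
        END { exit bad ? 1 : 0 }'
}

# memcached_probe HOST [PORT]
# TCP "stats" probe with nc; returns 1 if the server answers, i.e. it serves
# unauthenticated requests to anyone. Run it from OUTSIDE your network, and
# check UDP separately (nmap -sU -p 11211), since UDP is what the
# amplification attack abuses. Not exercised by the offline demo below.
memcached_probe() {
    reply=$(printf 'stats\r\nquit\r\n' | nc -w 3 "$1" "${2:-11211}" 2>/dev/null | head -n 1)
    case $reply in
        STAT*) echo "$1:${2:-11211} answered: $reply"; return 1 ;;
        *)     echo "$1:${2:-11211} no memcached reply"; return 0 ;;
    esac
}

# Constructed samples in `ss -lntu` layout: Zimbra's default (bound to every
# address, TCP and UDP) and after zimbraMemcachedBindAddress=127.0.0.1.
SS_BEFORE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      *:11211            *:*
tcp   LISTEN 0      1024   *:11211            *:*
tcp   LISTEN 0      128    *:443              *:*'
SS_AFTER='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.1:11211    *:*
tcp   LISTEN 0      1024   127.0.0.1:11211    *:*
tcp   LISTEN 0      128    *:443              *:*'

# Stand-alone run; on a live host use: memcached_exposure "$(ss -lntu)"
echo "before:"; memcached_exposure "$SS_BEFORE" || echo "  -> exposed, apply one of the mitigations above"
echo "after:";  memcached_exposure "$SS_AFTER"  && echo "  -> loopback only"
```

A listener on an internal address (option 3 in a multi-node setup) is still reported as non-loopback, which is intentional: it only becomes safe once the firewall rules from option 1 or 2 are in place, so check both.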

 

References:

  1. https://wiki.zimbra.com/wiki/Blocking_Memcached_Attack
  2. https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/