Sandeep B. Posted June 3, 2023

In this tutorial I'm going to show you how to generate and enable DNSSEC for your DNS. This is the instruction most requested by visitors.

DNSSEC creates a secure domain name system by adding cryptographic signatures to existing DNS records. These digital signatures are stored in DNS name servers alongside common record types like A, AAAA, MX, CNAME, etc. By checking its associated signature, you can verify that a requested DNS record comes from its authoritative name server and wasn't altered en route, as opposed to a fake record injected in a man-in-the-middle attack.

First, install haveged to generate keys (EL/CentOS/RHEL):

    yum install -y haveged
    systemctl enable haveged

In the command examples below, replace "domain.tld" with your domain name.

Second, change directory to /var/named:

    cd /var/named/

Third, generate the ZSK key:

    dnssec-keygen -L 3600 -a RSASHA256 -b 2048 -r /dev/urandom domain.tld

Fourth, generate the KSK key:

    dnssec-keygen -L 3600 -r /dev/urandom -f KSK -a RSASHA256 -b 4096 domain.tld

Fifth, add the keys to the domain zone file:

    cat /var/named/Kdomain.tld.+008+*.key >> /var/named/domain.tld.db

Sixth, sign the zone file:

    dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o domain.tld -t domain.tld.db

Seventh, only for EL7/CentOS 7: edit the named configuration file /etc/named.conf and add this line (don't add this line on EL8/CentOS 8 Stream/AlmaLinux 8 and above, as it will not work there):

    dnssec-lookaside auto;

** Find these lines:

    dnssec-enable yes;
    dnssec-validation yes;

and add dnssec-lookaside auto; after them.

Now you need to edit the domain zone config in /etc/named.conf and rename the zone file to the signed one:

    // zone domain.tld
    zone "domain.tld" {type master; file "/var/named/domain.tld.db";};
    // zone_end domain.tld

to

    // zone domain.tld
    zone "domain.tld" {type master; file "/var/named/domain.tld.db.signed";};
    // zone_end domain.tld

CentOS/EL/RHEL: reload/restart the named service:

    service named reload

or

    systemctl reload named

and you're done.
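As an added example (not code from the post or from CWP), here are the steps above wrapped in shell functions that back up named.conf, append the keys only once, and run named-checkconf/named-checkzone before reloading, so a second run or a typo in the domain name does not leave bind unable to start. It assumes the EL layout used in the post (/var/named, /etc/named.conf, unsigned zone file named <zone>.db) and BIND 9 tools on PATH.

```shell
# Added example, not from the original post: the tutorial's steps as shell
# functions with a config backup, a keys-appended-once guard, and a config/zone
# check before reload (a failed check restores the backup).
# Assumptions: EL paths as in the post, zone file <zone>.db, BIND 9 tools on PATH.
set -eu
NAMED_DIR=${NAMED_DIR:-/var/named}
NAMED_CONF=${NAMED_CONF:-/etc/named.conf}

# 0 if the zone file already carries DNSKEY records, i.e. the append step has
# been done before; appending the keys a second time is what breaks the zone.
zone_has_dnskey() {
    grep -Eq '^[^;]*[[:space:]]IN[[:space:]]+DNSKEY[[:space:]]' "$1"
}

# Append the public halves of the ZSK/KSK (K<zone>.+008+<id>.key) exactly once.
append_keys() {
    zone=$1; zonefile=$2
    if zone_has_dnskey "$zonefile"; then return 0; fi
    cat "$NAMED_DIR"/K"$zone".+008+*.key >> "$zonefile"
}

# Generate the ZSK and KSK only if no key files exist yet (same algorithm and
# sizes as the post; its -r /dev/urandom flag is omitted, assumed unneeded on current BIND 9).
ensure_keys() {
    zone=$1
    set -- "$NAMED_DIR"/K"$zone".+008+*.key
    if [ -e "$1" ]; then return 0; fi
    (cd "$NAMED_DIR" &&
        dnssec-keygen -L 3600 -a RSASHA256 -b 2048 "$zone" &&
        dnssec-keygen -L 3600 -a RSASHA256 -b 4096 -f KSK "$zone")
}

# Full procedure for one zone: back up, key, sign, repoint named.conf, check, reload.
sign_and_reload() {
    zone=$1; zonefile=$NAMED_DIR/$zone.db; stamp=$(date +%Y%m%d%H%M%S)
    cp -p "$zonefile" "$zonefile.bak.$stamp"; cp -p "$NAMED_CONF" "$NAMED_CONF.bak.$stamp"
    ensure_keys "$zone"
    append_keys "$zone" "$zonefile"
    salt=$(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16)
    (cd "$NAMED_DIR" && dnssec-signzone -A -3 "$salt" -N INCREMENT -o "$zone" -t "$zone.db")
    # Match the exact unsigned path so a rerun cannot produce ".db.signed.signed".
    sed -i "s|file \"$zonefile\";|file \"$zonefile.signed\";|" "$NAMED_CONF"
    if named-checkconf "$NAMED_CONF" && named-checkzone "$zone" "$zonefile.signed"; then
        systemctl reload named
    else
        cp -p "$NAMED_CONF.bak.$stamp" "$NAMED_CONF"   # check failed: restore config
        return 1
    fi
}
```

Run `sign_and_reload domain.tld` as root; since dnssec-signzone signatures are valid for 30 days by default, the same function can be rerun from cron to re-sign the zone before they expire.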
Ling Posted September 13, 2023

This does not work on AlmaLinux 8 anymore, as bind cannot be restarted after the modification. Also, dnssec-lookaside auto; is obsolete nowadays and leads to a syntax error. Is there any solution for CWP as of today? We are getting a lot of DNS attacks here and DNSSEC would really help a lot. We have the PRO version, so this request is rather basic and trivial.
Ling Posted September 14, 2023

On 9/13/2023 at 3:51 PM, Ling said:
    This does not work on AlmaLinux 8 anymore, as bind cannot be restarted after the modification. Also, dnssec-lookaside auto; is obsolete nowadays and leads to a syntax error. Is there any solution for CWP as of today? We are getting a lot of DNS attacks here and DNSSEC would really help a lot. We have the PRO version, so this request is rather basic and trivial.

Now I can confirm that your recipe still works after removing the line dnssec-lookaside auto; from it, as it is not supported any longer. The main problem was that this recipe can only be applied one single time. After rolling back to a virgin config I tried it again without the above line, and bind can be started now.
Sandeep B. Posted September 15, 2023 (Author)

15 hours ago, Ling said:
    Now I can confirm that your recipe still works after removing the line dnssec-lookaside auto; from it, as it is not supported any longer. The main problem was that this recipe can only be applied one single time. After rolling back to a virgin config I tried it again without the above line, and bind can be started now.

Great, thanks for the information. Topic updated.
Ling Posted September 15, 2023

Thanks for updating the recipe. You should also make clear that repeated use of this procedure will most likely lead to errors in the bind file and prevent bind from restarting. Even the syntax checker cannot find those errors. So this only works with a virgin config not using DNSSEC yet. Best practice is to make a backup of all config files and roll back from there if bind refuses to restart due to a typo in the domain name or something like that. Or you write a script which does all this. DNSSEC and mod_evasive helped significantly to reduce overload attacks on our server and are definitely a must for CWP, so you should move this thread over there.