
BIND Security

Petr Bena edited this page May 2, 2019 · 2 revisions

This document explains the security concepts of the BIND9 DNS server. You need to understand them in order to configure DNS php admin in a secure way.

TSIG keys

TSIG keys are symmetric secrets used to verify the authenticity of DNS messages - they are just like passwords. They must be protected in the same fashion: never share a TSIG key with anyone except the people who are supposed to authenticate with it.

Server wide access - views

BIND9's primary security is configured at the level of the whole server or, optionally, at the level of individual views (if you configure some). There you can adjust who can access the server and who can send DNS queries (typically a network list ACL).

DNS php admin must be hosted on a server in a network that is allowed to query BIND9.

Zones

Access to query records, perform zone transfers or modify records via nsupdate can be granted at the zone level. A zone is a logical "segment" of a domain, typically a subdomain.

Imagine the following scenario: you own the domain domain.org and want to configure your server as its authoritative primary DNS master. You can simply create one zone, "domain.org", then create a TSIG key and add it to the ACL for nsupdate modifications. Now you can modify any record in the whole domain with this one TSIG key.

Now, let's imagine a little bit more complicated scenario: You want to define 2 subdomains

  • devops.domain.org - subdomain for devops
  • test.domain.org - subdomain for testers

You have 2 teams in your organization and you want each team to be able to modify only the records in its dedicated subdomain. This is where zoning is useful. You define 2 new zones, one for each subdomain. Each team gets its own TSIG key, and each zone is configured with a different TSIG key in the configuration file. Once BIND9 is configured like this, you can define both zones in DNS php admin together with their TSIG keys, so that anyone with access to it can modify both zones. If you use LDAP to access it, you can also define 2 separate roles with custom access; for example, your config.php would contain this code:

<?php
// other configuration options that were omitted
// ...
//

// each zone has permissions 'r' (read only) or 'rw' (read write)
$g_auth_roles = [
    'devops' => [
        'devops.domain.org' => 'rw'
    ],
    'readonly' => [
        'devops.domain.org' => 'r',
        'test.domain.org' => 'r'
    ],
    'test' => [
        'test.domain.org' => 'rw'
    ]
];

// maps LDAP usernames to the roles they hold
$g_auth_roles_map = [
    ///////// DEVOPS  ///////////
    "jon.smith" => [ 'devops', 'readonly' ],
    ///////// TESTERS ///////////
    "mick.black" => [ 'test', 'readonly' ]
];

// load all usernames from the roles map into the list of users allowed to log in
$g_auth_allowed_users = array();
foreach ($g_auth_roles_map as $key => $value)
{
    array_push($g_auth_allowed_users, $key);
}

Now, each user defined in $g_auth_roles_map is allowed to log in to the DNS tool. Both users are members of the role "readonly", which gives them read access to both zones, but each is only allowed to write into their own zone.

IMPORTANT: if you need to split access between zones, each zone must have its own TSIG key. If you use the same TSIG key for all zones, you create a security hole: the key can be used to modify a zone that the user is not allowed to modify.
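The BIND9 side of the two-team scenario above, as an added example that is not part of this wiki page or the DNS php admin project. Key names, the ACL name, the example network and the zone file paths are assumptions; the secrets are placeholders to be replaced with output of tsig-keygen (BIND 9.11+). The commented-out block at the end shows the shared-key misconfiguration the IMPORTANT note warns about.

```conf
// Added example (not from the original page). Names, paths and the
// network below are assumptions; secrets are placeholders.
// Generate real secrets with:  tsig-keygen -a hmac-sha256 devops-key

// One TSIG key per zone. Keep this file readable by named only.
key "devops-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET_1";
};

key "test-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET_2";
};

// Server-wide access: who may query at all. The host running
// DNS php admin must be inside this list.
acl "trusted-clients" {
    192.0.2.0/24;   // constructed example network (RFC 5737 range)
    127.0.0.1;
};

options {
    directory "/var/named";
    allow-query    { trusted-clients; };
    allow-transfer { none; };   // grant per zone, keyed, if you run secondaries
    // dynamic updates are denied by default; each zone opts in below
};

// Parent zone: no dynamic updates at all in this example.
// Its zone file must delegate the two subdomains with NS records.
zone "domain.org" {
    type master;
    file "domain.org.zone";
};

// devops team: only holders of devops-key may nsupdate this zone.
zone "devops.domain.org" {
    type master;
    file "devops.domain.org.zone";
    allow-update { key "devops-key"; };
};

// testers: only holders of test-key may nsupdate this zone.
zone "test.domain.org" {
    type master;
    file "test.domain.org.zone";
    allow-update { key "test-key"; };
};

// WRONG - the hole described in the IMPORTANT note: reusing devops-key
// here would let anyone holding it rewrite the testers' zone as well.
// zone "test.domain.org" {
//     type master;
//     file "test.domain.org.zone";
//     allow-update { key "devops-key"; };
// };
```

Run `named-checkconf` on the file before reloading; it catches a key referenced in an allow-update clause that is not defined. With this split, the TSIG key you paste into each zone's definition in DNS php admin is the only credential that can change that zone, so the LDAP roles above restrict who in the tool may use it, while BIND itself enforces that one key cannot touch the other team's zone.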
