Solved

DNSSEC and Unix clients

Posted on 2014-09-04
11
311 Views
Last Modified: 2014-09-15
A company  has requested that DNSSEC be implemented in the environment.  The environment is a Windows 2008 R2 Active Directory with the DC's running DNS.  Setting up DNSSEC in DNS is relatively straightforward.  Most likely the company will also want to use IPSec with DNSSEC.   However, most of the client computers are Linux servers, so group policies are of no value here.

Would the Linux client be able to use DNSSEC?  If this is supported what are the commands on the Linux side to enable DNSSEC with IPSec?  How is this verified on the client?

I don't know if this matters but there are A records in DNS for all the Linux servers.
0
Comment
Question by:BigmacMc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
  • 3
11 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 40305733
BIND v9 implemented DNSSEC in year 2000, and support is still there.

It has nothing to do if you use IPSEC or SSL or DSL or WPA2 or none, those are just communication channels

DNSSEC validation should be enabled in DNS servers(read first line), clients are deaf and blind unless you use special DNS parsing libraries.
Part of named.conf (taken from CentOS 6)
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
that enables DNSSEC validation on BIND name server by default.
0
 
LVL 28

Accepted Solution

by:
Jan Springer earned 500 total points
ID: 40305794
If the linux box is a DNS client, then it doesn't need BIND (a DNS server).

It needs its servers specified in /etc/resolv.conf to return DNSSEC answers and it needs to not block those answers from TCP port 53.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40305861
Most network impact is not "port" number, but various firealls blocking large DNS packets (4K) used by DNSSEC
0
How to Defend Against the WCry Ransomware Attack

On May 12, 2017, an extremely virulent ransomware variant named WCry 2.0 began to infect organizations. Within several hours, over 75,000 victims were reported in 90+ countries. Learn more from our research team about this threat & how to protect your organization!

 
LVL 28

Expert Comment

by:Jan Springer
ID: 40305870
And that's why I explicitly stated that traffic from TCP 53 needed to be allowed back in.

It's not just a DNSSEC thing.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40305906
e.g cisco inspect will drop 4K response packet that adds 5s wait to retry with 512 byte EDNS0 request
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40306018
i haven't configured a cisco firewall with 512 in  years.  that may be the default configuration but i've always changed it to 4096.
0
 

Author Comment

by:BigmacMc
ID: 40308654
Thanks everyone for your responses.

It is my understanding all the Linux servers are DNS clients pointing to Microsoft DNS servers, there are no Bind servers.  So my take away is etc/resolv.conf must be configured on the linux client servers to allow DNSSEC over port tcp 53.
0
 

Author Comment

by:BigmacMc
ID: 40308658
Is it safe to say that DNSSEC introduces sizable increase in DNS traffic?  That slow WAN/LAN links could possibly be impacted?
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40308718
If your /etc/resolv.conf points to a server that cannot handle DNSSEC, then you need to consider installing a server that does or upgrade the server configuration to do so.

Regardless of the size of the traffic, if you do allow for it, then you may be blocking traffic to some zones.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40309346
The traffic should have been accomodated 10 years ago.
Either way DNS does not use significant traffic.
0
 

Author Closing Comment

by:BigmacMc
ID: 40323486
Thanks for the assistance
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
auto mounter on hp-ux 2 63
Unix Command -- Challenging  question 7 105
UNIX SCP 5 95
Authenticate using sesu from script 7 152
Many admins will agree: WSUS is is a nice invention but using it on the client side when updating a newly installed computer is still time consuming as you have to do several reboots and furthermore, the procedure of installing updates, rebooting an…
Using libpcap/Jpcap to capture and send packets on Solaris version (10/11) Library used: 1.      Libpcap (http://www.tcpdump.org) Version 1.2 2.      Jpcap(http://netresearch.ics.uci.edu/kfujii/Jpcap/doc/index.html) Version 0.6 Prerequisite: 1.      GCC …
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question