ZONE TRANSFER MITIGATION

0. If you have completed the TSIG exercise from the DNS/DNSSEC workshop, skip to #5.

1. There are a number of ways to block zone transfers to unauthorized users. Router, firewall, and DNS server configurations (e.g., in named.conf) all provide mechanisms to filter on source IP address, and they should be used. However, a simple, secure and flexible way to control zone file access is to require a TSIG key for transfers: the server then verifies an HMAC over each request instead of trusting a source address, which can be spoofed or shared. The steps to do so on our DNS machine are as follows. Edit the zone section of your /etc/bind/named.conf to look like the following, replacing X with your group number:

   key tldX-key {
       algorithm hmac-sha256;
       secret "5+ULDbQJhG0lsBM=";
   };

   zone "tldX." IN {
       type master;
       file "/etc/bind/zonefile";
       allow-transfer { key tldX-key; };
   };

2. Generate a TSIG key:

   dd count=1 bs=16 if=/dev/random 2>/dev/null | openssl enc -base64

   and replace "5+ULDbQJhG0lsBM=" above with what you generated (16 random bytes encode to a 24-character base64 string). Check that the configuration still parses:

   sudo named-checkconf

   then restart the server:

   sudo service bind9 restart

3. Test it out:

   dig axfr tldX @127.0.0.1

   This should have failed (dig reports "Transfer failed."). Inspect the end of /var/log/syslog:

   tail /var/log/syslog

   Inspect the end of /var/log/syslog on NOC as well; you should see "zone transfer ... denied" log messages there too.

4. Now test the transfer with the key:

   dig -y hmac-sha256:tldX-key:"5+ULDbQJhG0lsBM=" axfr tldX @10.X.1.1

   replacing "5+ULDbQJhG0lsBM=" with the key generated above. This simulates a secondary (slave) server pulling the zone from the primary (master). Note that a key passed with -y is visible to anyone who can list processes on the client; outside the lab, keep it in a file readable only by the transferring user and pass that file with -k instead.

5. Detecting zone transfer attempts. On your NOC machine, create swatch_syslog.conf and cut and paste the following into it:

   watchfor /client (.*)\43(.*)( zone transfer )'(.*)\/.XFR\/IN' denied$/
       mail=tldadmin@localhost,subject=Denied AXFR for zone '$4' from $1
       threshold track_by=$1,type=threshold,count=2,seconds=60

   (\43 is the octal escape for '#', so $1 captures the client address that precedes the port number and $4 the zone name; .XFR matches both AXFR and IXFR.) Then start swatch following the syslog file:

   sudo swatch -c swatch_syslog.conf --tail-file=/var/log/syslog --daemon

   then watch your email:

   mutt

6. From the DNS machine or elsewhere, try a zone transfer:

   dig axfr tldX @10.X.1.1

   Do this again.
You have to do this at least twice in succession. Why? Swatch provides various tools to minimize "noise". The "threshold" statement above is one such tool: in this case there must be at least 2 matches from the same client (track_by=$1) within 60 seconds before an alert email is generated. A single stray AXFR attempt therefore never mails you; a client that keeps retrying does.
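As an added example (not part of the workshop material), here is the same matching and threshold logic as the swatch rule above written in Python and run over a few constructed syslog lines, so you can see exactly which attempts do and do not produce an alert. The host name noc, the addresses 10.2.1.x, the zone tld2 and the log lines themselves are invented for the demonstration; the tolerance for the newer BIND log wording ("client @0x... 10.2.1.9#40003 (tld2): ...") is an assumption you should check against your own server's output.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog line written by BIND when it refuses a transfer, e.g.
#   Jun 13 10:15:01 noc named[1234]: client 10.2.1.7#45103: zone transfer 'tld2/AXFR/IN' denied
# Equivalent of the swatch pattern: "client" + address ('#' separates it from
# the port) + "zone transfer '<zone>/<A|I>XFR/IN' denied".  Newer BIND releases
# also print a client pointer (@0x...) and the queried name in parentheses;
# both are optional here (assumption: adjust to your version's wording).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"zone transfer '(?P<zone>[^/']+)/(?P<kind>[AI]XFR)/IN' denied$"
)


def parse_denied(line):
    """Return (timestamp, client, zone, kind) for a denied-transfer line, else None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # for measuring intervals inside one log file (year rollover is not handled).
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("client"), m.group("zone"), m.group("kind")


def detect(lines, count=2, seconds=60):
    """Approximate swatch's threshold action (type=threshold, track_by=client):
    alert when one client accumulates `count` denied transfers within
    `seconds`, then start counting that client afresh.  Returns the alert
    subjects in the order they would be mailed."""
    recent = defaultdict(deque)   # client -> timestamps of recent matches
    alerts = []
    for line in lines:
        parsed = parse_denied(line)
        if parsed is None:
            continue              # not a denied-transfer line; ignore it
        ts, client, zone, kind = parsed
        window = recent[client]
        window.append(ts)
        # drop matches that have fallen out of the sliding window
        while (ts - window[0]).total_seconds() > seconds:
            window.popleft()
        if len(window) >= count:
            alerts.append(f"Denied {kind} for zone '{zone}' from {client}")
            window.clear()
    return alerts


# Constructed sample log (not real traffic).  10.2.1.7 trips the threshold at
# 10:15:20.  10.2.1.9's first two attempts are 148 s apart and do not; its
# third, 30 s after the second and in the newer log format, does.  The
# "AXFR started" line is a successful transfer and must not match.
SAMPLE_SYSLOG = """\
Jun 13 10:15:01 noc named[1234]: client 10.2.1.7#45103: zone transfer 'tld2/AXFR/IN' denied
Jun 13 10:15:02 noc named[1234]: client 10.2.1.9#40001: zone transfer 'tld2/AXFR/IN' denied
Jun 13 10:15:20 noc named[1234]: client 10.2.1.7#45104: zone transfer 'tld2/AXFR/IN' denied
Jun 13 10:15:21 noc named[1234]: client 10.2.1.2#45105: transfer of 'tld2/IN': AXFR started
Jun 13 10:17:30 noc named[1234]: client 10.2.1.9#40002: zone transfer 'tld2/IXFR/IN' denied
Jun 13 10:18:00 noc named[1234]: client @0x7f3a1c0 10.2.1.9#40003 (tld2): zone transfer 'tld2/AXFR/IN' denied
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_SYSLOG):
        print(alert)
```

Running it prints two alerts, one per client that retried within the window; the lone attempt from 10.2.1.9 at 10:15:02 and the legitimate transfer from 10.2.1.2 are silently ignored, which is the noise reduction the threshold statement buys you. Raise count or shorten seconds to tune it for your environment.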