1
00:00:00,000 --> 00:00:16,820
Hey everyone and welcome back. So now what I want to talk to you about is again related

2
00:00:16,820 --> 00:00:21,160
to the security of your system with respect to your DNS configuration. What we're now

3
00:00:21,160 --> 00:00:29,640
going to do is discuss sending bind to jail, which sounds pretty dramatic, but the reality

4
00:00:29,640 --> 00:00:35,120
is it's not so dramatic. It's just a cool little configuration to protect your internal

5
00:00:35,120 --> 00:00:39,960
system with respect to your DNS configuration. So let's actually talk about how it works

6
00:00:39,960 --> 00:00:44,520
and the main components that we have to know for the LPIC2 examination. When you happen

7
00:00:44,520 --> 00:00:53,439
to be exposing a DNS server, there is no way around it. The DNS server, like all applications,

8
00:00:53,439 --> 00:00:59,280
can be vulnerable. Now of course you try your best to shore up your security to minimise

9
00:00:59,280 --> 00:01:05,239
this possibility, but the reality is with respect to computer systems, vulnerable software

10
00:01:05,239 --> 00:01:12,120
is always a possibility. Now what happens if this vulnerable software is compromised?

11
00:01:12,120 --> 00:01:16,760
And this is what we're really trying to plan for. We're not going to plan for an impenetrable

12
00:01:16,760 --> 00:01:22,719
DNS server; that is not realistic. What we want to do is you want to plan for the event that

13
00:01:22,719 --> 00:01:28,280
the DNS server becomes compromised. How can we limit the blast radius? How can we limit

14
00:01:28,280 --> 00:01:33,640
the damage that that would cause to our internal system? So here is the deal. Imagine that

15
00:01:33,640 --> 00:01:40,079
our DNS server was compromised by an attacker. Okay. So they now have access to this system.

16
00:01:40,079 --> 00:01:45,120
And what that potentially means is that they have access to our file system. So you'll

17
00:01:45,120 --> 00:01:49,960
notice that particular file, say for example within the etc directory, if we scroll on

18
00:01:49,960 --> 00:01:55,840
up things like our password file, look at the permissions right here, even though the

19
00:01:55,840 --> 00:02:02,480
person on the system is not the root user, anyone could still ultimately read this file

20
00:02:02,480 --> 00:02:07,600
if they had access to the system. So even if the person who compromised the server was

21
00:02:07,600 --> 00:02:12,400
not able to get root access, just by being able to access the file system, they could

22
00:02:12,400 --> 00:02:17,560
potentially read some sensitive files. So what we want to do is we want to implement something

23
00:02:17,560 --> 00:02:24,159
known as chroot. This is going to allow us to effectively change our root file system

24
00:02:24,159 --> 00:02:30,159
or at least the appearance of our root file system relative to the BIND 9 daemon. So

25
00:02:30,159 --> 00:02:34,840
really what is going to happen is that our named service is going to be locked down

26
00:02:34,840 --> 00:02:41,280
in such a way that the service itself can only see files related to the service. So think

27
00:02:41,280 --> 00:02:48,359
about it like this. Let me cd to my root directory and I'll do an ls dash l. So here is our generic

28
00:02:48,359 --> 00:02:53,359
file system. As we know, we have the root and then branching off. We have all of these other

29
00:02:53,400 --> 00:02:59,760
directories such as the bin directory and the boot directory, so on so forth all the

30
00:02:59,760 --> 00:03:06,680
way down. Now what we want to do is we want to create a subdirectory structure that mirrors

31
00:03:06,680 --> 00:03:12,520
this structure within a particular file. Now again, this might sound a little bit confusing.

32
00:03:12,520 --> 00:03:17,640
Let's see what I mean in action then. So let's say we had configuration files within our root

33
00:03:17,640 --> 00:03:23,040
directory. We would go into the etc directory and then bind and then within here we could

34
00:03:23,079 --> 00:03:28,639
have something like say named dot conf as we've seen before. Okay, what we would actually want

35
00:03:28,639 --> 00:03:34,159
to do is we would want to create our own directory structure. So like I say, we could actually

36
00:03:34,159 --> 00:03:42,239
have a directory called chroot slash named and then within this directory structure, we could

37
00:03:42,239 --> 00:03:50,120
just mirror this type of structure. So we go in and do etc bind and then named dot conf. So

38
00:03:50,159 --> 00:03:55,240
what we do is we create this directory structure right here and we configure our system in such a

39
00:03:55,240 --> 00:04:01,000
way that the bind daemon only can actually see what is within this directory structure. So really

40
00:04:01,000 --> 00:04:07,439
when it looks in, it actually sees this as the root of the directory, this part right here, and it

41
00:04:07,439 --> 00:04:12,759
can't actually break out from within this directory structure. That means that when we want to be

42
00:04:12,759 --> 00:04:18,319
able to access our bind configuration files, we go through etc bind named dot conf. We still

43
00:04:18,360 --> 00:04:26,159
can do this, but when say for example, an attacker may compromise our bind server, when they are

44
00:04:26,159 --> 00:04:31,439
say, for example, within the etc directory here, they're not going to be able to see this password

45
00:04:31,600 --> 00:04:36,399
file that we talked about. So let me show you what I mean here. Okay, so what I will do here is I

46
00:04:36,399 --> 00:04:43,120
will say mkdir dash p forward slash chroot forward slash named. Oh, and of course need my

47
00:04:43,120 --> 00:04:48,319
super user privileges. Okay, so if I now go to the root of my directory and do a long listing,

48
00:04:48,480 --> 00:04:54,000
notice now we actually have this new folder here chroot. If we go into this directory, we do an

49
00:04:54,000 --> 00:05:00,519
ls, we now have named. And within here, what we want to do is to basically recreate the directory

50
00:05:00,519 --> 00:05:06,759
structure for all the folders and sub folders that the bind service needs to operate. So things

51
00:05:06,759 --> 00:05:13,199
like, you know, the etc directory, we could do mkdir etc. Of course, need to do sudo, though, I

52
00:05:13,199 --> 00:05:19,759
could do mkdir make the dev directory and again, super user privileges. And I could do the mkdir

53
00:05:19,920 --> 00:05:25,240
var directory. So within here, we are ultimately recreating the directory structure. And what

54
00:05:25,240 --> 00:05:30,039
we're going to do is we're going to point our bind configuration to this particular folder

55
00:05:30,039 --> 00:05:35,680
structure. And it's going to be in such a way that the bind service will never be able to break

56
00:05:35,759 --> 00:05:42,519
out of this directory structure. So basically, if someone compromises the system, this here is going

57
00:05:42,519 --> 00:05:48,199
to look like the root directory structure, whereby the root is actually encased within this

58
00:05:48,199 --> 00:05:53,920
particular directory. Now how on earth do we actually get our service to see this particular

59
00:05:53,960 --> 00:05:59,800
file or this particular location as the root directory? Well, what I'll do is I'll go to my

60
00:05:59,879 --> 00:06:06,000
root file system. Here we are right here. I'll go into the etc directory, I'll go into the default

61
00:06:06,000 --> 00:06:11,920
directory. And notice I have this configuration file called bind, let me do sudo nano bind9.

62
00:06:12,240 --> 00:06:18,920
Let's go in here. And within here, what I want to do is do dash t to specify the top level

63
00:06:18,920 --> 00:06:23,600
directory for the roots. And I will actually specify it's not the root directory, it's going to be

64
00:06:23,600 --> 00:06:29,480
within chroot, forward slash named. And that is all it actually takes. So that means that the

65
00:06:29,480 --> 00:06:34,879
bind daemon is going to be locked within this particular directory structure. So really, the

66
00:06:34,879 --> 00:06:39,800
hard work here is to go through and to recreate the directory structure with all the correct

67
00:06:39,800 --> 00:06:45,439
sub directories and configuration files needed for the bind server to operate. Like I say, the good

68
00:06:45,439 --> 00:06:52,040
news is that once that is done, say for example, I go into the etc directory, and I create a bind

69
00:06:52,040 --> 00:06:59,240
directory like so. And I go into bind, I can create a named.conf configuration file. And again, I

70
00:06:59,240 --> 00:07:05,800
just keep forgetting this sudo. There we go. As we can see here, within this directory structure, we

71
00:07:05,800 --> 00:07:11,240
are mirroring everything that is actually needed at say bind. And of course, we would need our other

72
00:07:11,240 --> 00:07:19,160
configuration files such as named.conf.options and local so on so forth. And like I say, anyone who

73
00:07:19,160 --> 00:07:24,840
breaks into the system using that particular service will not be able to escape out of this

74
00:07:24,840 --> 00:07:30,640
directory structure. The way I can right now, I can just keep moving back directories like so and get

75
00:07:30,640 --> 00:07:36,879
to the real root file system. However, an attacker will not be able to do such a thing due to the

76
00:07:36,879 --> 00:07:43,960
lockdown configuration of as we call it, sending bind to jail using these simple steps to protect

77
00:07:43,959 --> 00:07:49,519
our system in the event that the DNS server becomes compromised. So I know this was a lot to deal

78
00:07:49,519 --> 00:07:54,759
with within this skill. It definitely is one of the more challenging objectives within the LPIC2

79
00:07:54,759 --> 00:08:00,439
examination. So again, I encourage you to rewatch this skill if you have to. And certainly, as

80
00:08:00,439 --> 00:08:06,199
always, I recommend you try to lab up these configurations to help build your familiarity.

81
00:08:06,199 --> 00:08:10,759
But for now, that is us for DNS. I hope this has been informative for you. And I'd like to thank you

82
00:08:10,759 --> 00:08:11,319
for viewing.

