Red Hat Training

CHAPTER 4

NETWORK PORT SECURITY

Overview

Goal        To permit and reject access to network services using advanced
            SELinux and firewalld filtering techniques.

Objectives  • Review firewalld concepts and management commands covered in
              previous courses.
            • Configure more complex firewall configurations using firewalld's
              support for "rich language rules."
            • Describe and implement Network Address Translation (NAT).
            • Ensure network ports have the correct SELinux type so that services
              are able to bind to them.

Sections    • Managing Firewalld (and Practice)
            • Managing Rich Rules (and Practice)
            • Masquerading and Port Forwarding (and Practice)
            • Managing SELinux Port Labeling (and Practice)

Lab         • Network Port Security

RH254-RHEL7-en-1-20140711 89



Managing Firewalld

Objectives
After completing this section, students should be able to review firewalld concepts and
management commands covered in previous courses.

Firewalld overview

firewalld is the default method in Red Hat Enterprise Linux 7 for managing host-level
firewalls. Started from the firewalld.service systemd service, firewalld manages the
Linux kernel netfilter subsystem using the low-level iptables, ip6tables, and ebtables
commands.

Note
The firewalld.service and iptables.service, ip6tables.service, and
ebtables.service services conflict with each other. To prevent accidentally starting
one of the *tables.service services (and wiping out any running firewall config in
the process), it is good practice to mask them using systemctl.

    [root@serverX ~]# for SERVICE in iptables ip6tables ebtables; do
    > systemctl mask ${SERVICE}.service
    > done

firewalld separates all incoming traffic into zones, with each zone having its own set of rules.
To check which zone to use for an incoming connection, firewalld uses this logic, where the
first rule that matches wins:

1. If the source address of an incoming packet matches a source rule set up for a zone, that
   packet will be routed through that zone.

2. If the incoming interface for a packet matches a filter set up for a zone, that zone will be
   used.

3. Otherwise, the default zone is used. The default zone is not a separate zone; instead, it
   points to one of the other zones defined on the system.

Unless overridden by an administrator or a NetworkManager configuration, the default zone for
any new network interface will be set to the public zone.

A number of predefined zones are shipped with firewalld, each with their own intended usage:

Default Configuration of firewalld Zones

Zone name   Default configuration
trusted     Allow all incoming traffic.
home        Reject incoming traffic unless related to outgoing traffic or matching
            the ssh, mdns, ipp-client, samba-client, or dhcpv6-client
            predefined services.
internal    Reject incoming traffic unless related to outgoing traffic or matching
            the ssh, mdns, ipp-client, samba-client, or dhcpv6-client
            predefined services (same as the home zone to start with).
work        Reject incoming traffic unless related to outgoing traffic or matching
            the ssh, ipp-client, or dhcpv6-client predefined services.
public      Reject incoming traffic unless related to outgoing traffic or matching
            the ssh or dhcpv6-client predefined services. The default zone for
            newly added network interfaces.
external    Reject incoming traffic unless related to outgoing traffic or matching
            the ssh predefined service. Outgoing IPv4 traffic forwarded through
            this zone is masqueraded to look like it originated from the IPv4
            address of the outgoing network interface.
dmz         Reject incoming traffic unless related to outgoing traffic or matching
            the ssh predefined service.
block       Reject all incoming traffic unless related to outgoing traffic.
drop        Drop all incoming traffic unless related to outgoing traffic (do not even
            respond with ICMP errors).

Managing firewalld
firewalld can be managed in three ways:

1. Using the command-line tool firewall-cmd.

2. Using the graphical tool firewall-config.

3. Using the configuration files in /etc/firewalld/.

In most cases, editing the configuration files directly is not recommended, but it can be useful to
copy configurations in this way when using configuration management tools.

Configure firewall settings with firewall-cmd

This section will focus on managing firewalld using the command-line tool firewall-cmd.

firewall-cmd is installed as part of the main firewalld package. firewall-cmd can perform
the same actions as firewall-config.

The following table lists a number of frequently used firewall-cmd commands, along with an
explanation. Note that unless otherwise specified, almost all commands will work on the runtime
configuration, unless the --permanent option is specified. Many of the commands listed take
the --zone=<ZONE> option to determine which zone they affect. If --zone is omitted from
those commands, the default zone is used.

While configuring a firewall, an administrator will normally apply all changes to the
--permanent configuration, and then activate those changes with firewall-cmd --reload.
While testing out new, and possibly dangerous, rules, an administrator can choose to work
on the runtime configuration by omitting the --permanent option. In those cases, an extra
option can be used to automatically remove a rule after a certain amount of time, preventing an
administrator from accidentally locking out a system: --timeout=<TIMEINSECONDS>.


firewall-cmd commands                            Explanation
--get-default-zone                               Query the current default zone.
--set-default-zone=<ZONE>                        Set the default zone. This changes both the runtime
                                                 and the permanent configuration.
--get-zones                                      List all available zones.
--get-services                                   List all predefined services.
--get-active-zones                               List all zones currently in use (have an interface or
                                                 source tied to them), along with their interface and
                                                 source information.
--add-source=<CIDR> [--zone=<ZONE>]              Route all traffic coming from the IP address or
                                                 network/netmask <CIDR> to the specified zone. If no
                                                 --zone= option is provided, the default zone will be
                                                 used.
--remove-source=<CIDR> [--zone=<ZONE>]           Remove the rule routing all traffic coming from the
                                                 IP address or network/netmask <CIDR> from the
                                                 specified zone. If no --zone= option is provided, the
                                                 default zone will be used.
--add-interface=<INTERFACE> [--zone=<ZONE>]      Route all traffic coming from <INTERFACE> to the
                                                 specified zone. If no --zone= option is provided, the
                                                 default zone will be used.
--change-interface=<INTERFACE> [--zone=<ZONE>]   Associate the interface with <ZONE> instead of its
                                                 current zone. If no --zone= option is provided, the
                                                 default zone will be used.
--list-all [--zone=<ZONE>]                       List all configured interfaces, sources, services, and
                                                 ports for <ZONE>. If no --zone= option is provided,
                                                 the default zone will be used.
--list-all-zones                                 Retrieve all information for all zones (interfaces,
                                                 sources, ports, services, etc.).
--add-service=<SERVICE>                          Allow traffic to <SERVICE>. If no --zone= option is
                                                 provided, the default zone will be used.
--add-port=<PORT/PROTOCOL>                       Allow traffic to the <PORT/PROTOCOL> port(s). If no
                                                 --zone= option is provided, the default zone will be
                                                 used.
--remove-service=<SERVICE>                       Remove <SERVICE> from the allowed list for the zone.
                                                 If no --zone= option is provided, the default zone
                                                 will be used.
--remove-port=<PORT/PROTOCOL>                    Remove the <PORT/PROTOCOL> port(s) from the allowed
                                                 list for the zone. If no --zone= option is provided,
                                                 the default zone will be used.
--reload                                         Drop the runtime configuration and apply the
                                                 persistent configuration.

firewall-cmd example
The following examples show the default zone being set to dmz, all traffic coming from the
192.168.0.0/24 network being assigned to the internal zone, and the network ports for
mysql being opened on the internal zone.

    [root@serverX ~]# firewall-cmd --set-default-zone=dmz
    [root@serverX ~]# firewall-cmd --permanent --zone=internal --add-source=192.168.0.0/24
    [root@serverX ~]# firewall-cmd --permanent --zone=internal --add-service=mysql
    [root@serverX ~]# firewall-cmd --reload

Firewalld configuration files

firewalld configuration files are stored in two places: /etc/firewalld and
/usr/lib/firewalld. If a configuration file with the same name is stored in both locations,
the version from /etc/firewalld/ will be used. This allows administrators to override default
zones and settings without fear of their changes being wiped out by a package update.

References
firewall-cmd(1), firewall-config(1), firewalld(1), firewalld.zone(5), and
firewalld.zones(5) man pages

Practice: Configuring a Firewall

Guided exercise

Machines:

In this lab, you will configure a basic firewalld firewall.

Outcomes:
A firewall configured on serverX to allow https traffic from your desktopX system.

Before you begin...

• Reset your desktopX system.

• Reset your serverX system.

As part of an ongoing project to track the designated caffeinated beverage fetcher of the day,
you have been tasked with configuring a basic web server and firewall on your serverX system.

Your setup must meet these requirements:

• The httpd and mod_ssl packages must be installed on serverX.

• The httpd.service must be enabled and started on serverX.

• Until your in-house web developers complete the actual application, the web server should
  serve a placeholder page with the text COFFEE!.

• firewalld must be enabled and started on serverX.

• The firewalld configuration on serverX must use the dmz zone for all unspecified
  connections.

• Traffic from the 172.25.X.0/24 subnet must be routed into the work zone.

• The work zone should have all the necessary ports for https opened, but unencrypted http
  traffic should be filtered.
-

□ 1. Verify that firewalld is enabled and running on your serverX system.

  □ 1.1. [student@serverX ~]$ sudo systemctl status firewalld.service

         Verify that the Loaded line ends in enabled and that the Active line specifies
         running. If this is not the case, enable and start the firewalld.service
         service using systemctl.
-
□ 2. Install the httpd and mod_ssl packages.

  □ 2.1. [student@serverX ~]$ sudo yum install httpd mod_ssl

□ 3. Enable and start the httpd.service service.

  □ 3.1. [student@serverX ~]$ sudo systemctl enable httpd.service
         [student@serverX ~]$ sudo systemctl start httpd.service

□ 4. Create the placeholder /var/www/html/index.html file with the contents COFFEE!.

  □ 4.1. [student@serverX ~]$ sudo vim /var/www/html/index.html
         [student@serverX ~]$ cat /var/www/html/index.html
         COFFEE!

-
□ 5. Configure the firewalld daemon on serverX to route all traffic through the dmz zone by
     default.

  □ 5.1. [student@serverX ~]$ sudo firewall-cmd --set-default-zone=dmz

□ 6. Configure the firewalld daemon on serverX to route all traffic from 172.25.X.0/24
     through the work zone.

  □ 6.1. [student@serverX ~]$ sudo firewall-cmd --permanent --zone=work --add-source=172.25.X.0/24

□ 7. Open up incoming https traffic for the work zone.

  □ 7.1. [student@serverX ~]$ sudo firewall-cmd --permanent --zone=work --add-service=https

□ 8. Activate the changes to your firewall.

  □ 8.1. [student@serverX ~]$ sudo firewall-cmd --reload

□ 9. Inspect the configuration of the running firewall on your serverX system.

  □ 9.1. [student@serverX ~]$ sudo firewall-cmd --get-default-zone
         dmz

  □ 9.2. [student@serverX ~]$ sudo firewall-cmd --get-active-zones
         dmz
           interfaces: eth0
         work
           sources: 172.25.X.0/24
         ROL
           sources: 172.25.0.252/32

  □ 9.3. [student@serverX ~]$ sudo firewall-cmd --zone=work --list-all
         work
           interfaces:
           sources: 172.25.X.0/24
           services: dhcpv6-client https ipp-client ssh
           ports:
           masquerade: no
           forward-ports:
           icmp-blocks:
           rich rules:

□ 10. From your desktopX system, use curl to test access to both
      http://serverX.example.com and https://serverX.example.com. The
      unencrypted connection should fail with a No route to host error message, while the
      encrypted connection should show your content.

      Since curl does not trust the placeholder self-signed certificate on serverX, you will
      have to use the -k option to skip certificate validation.

  □ 10.1. [student@desktopX ~]$ curl http://serverX.example.com
          curl: (7) Failed connect to serverX.example.com:80; No route to host

  □ 10.2. [student@desktopX ~]$ curl -k https://serverX.example.com
          COFFEE!

Managing Rich Rules

Objectives
After completing this section, students should be able to configure more complex firewall
configurations using firewalld's support for "rich language rules."

Rich rules concepts
Apart from the regular zones and services syntax that firewalld offers, administrators have
two other options for adding firewall rules: direct rules and rich rules.

Direct rules
Direct rules allow an administrator to insert hand-coded {ip,ip6,eb}tables rules into
the zones managed by firewalld. While powerful, and exposing features of the kernel
netfilter subsystem not exposed through other means, these rules can be hard to manage.
Direct rules also offer less flexibility than standard rules and rich rules. Configuring direct
rules is not covered in this course, but documentation is available in the firewall-cmd(1)
and firewalld.direct(5) man pages for those administrators who are already familiar with
{ip,ip6,eb}tables syntax.

Unless explicitly inserted into a zone managed by firewalld, direct rules will be parsed before
any firewalld rules are.

A short example of adding some direct rules to blacklist an IP range:

    [root@serverX ~]# firewall-cmd --direct --permanent --add-chain ipv4 raw blacklist
    [root@serverX ~]# firewall-cmd --direct --permanent --add-rule ipv4 raw PREROUTING 0 -s
    192.168.0.0/24 -j blacklist
    [root@serverX ~]# firewall-cmd --direct --permanent --add-rule ipv4 raw blacklist 0 -m
    limit --limit 1/min -j LOG --log-prefix "blacklisted "
    [root@serverX ~]# firewall-cmd --direct --permanent --add-rule ipv4 raw blacklist 1 -j
    DROP

Rich rules
firewalld rich rules give administrators an expressive language in which to express custom
firewall rules that are not covered by the basic firewalld syntax; for example, to only allow
connections to a service from a single IP address, instead of all IP addresses routed through a
zone.

Rich rules can be used to express basic allow/deny rules, but can also be used to configure
logging, both to syslog and auditd, as well as port forwards, masquerading, and rate limiting.

The basic syntax of a rich rule can be expressed by the following block:

    rule
      [source]
      [destination]
      service|port|protocol|icmp-block|masquerade|forward-port
      [log]
      [audit]
      [accept|reject|drop]
-

Almost every single element of a rule can take additional arguments in the form of
option=value.

Note
For the full available syntax for rich rules, consult the firewalld.richlanguage(5)
man page.

Rule ordering
Once multiple rules have been added to a zone (or the firewall in general), the ordering of rules
can have a big effect on how the firewall behaves.

The basic ordering of rules inside a zone is the same for all zones:

1. Any port forwarding and masquerading rules set for that zone.

2. Any logging rules set for that zone.

3. Any allow rules set for that zone.

4. Any deny rules set for that zone.

In all cases, the first match will win. If a packet has not been matched by any rule in a zone, it will
typically be denied, but zones might have a different default; for example, the trusted zone will
accept any unmatched packet. Also, after matching a logging rule, a packet will continue to be
processed as normal.

Direct rules are an exception. Most direct rules will be parsed before any other processing is done
by firewalld, but the direct rule syntax allows an administrator to insert any rule they want
anywhere in any zone.
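The zone lookup from the firewalld overview (source, then interface, then default zone) and the per-zone ordering just described (forward, log, allow, deny, then the zone's own default), modelled in Python as an added example that is not part of the course or of firewalld. The service port table, the zone layout and the 172.25.0.0/24 network (standing in for the course's 172.25.X.0/24) are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed service definitions (standard port numbers for each service name).
SERVICES = {
    "ssh": [(22, "tcp")],
    "http": [(80, "tcp")],
    "https": [(443, "tcp")],
    "dhcpv6-client": [(546, "udp")],
    "ipp-client": [(631, "udp")],
}


@dataclass
class Zone:
    name: str
    sources: list = field(default_factory=list)        # --add-source CIDRs
    interfaces: list = field(default_factory=list)     # --add-interface names
    forward_ports: dict = field(default_factory=dict)  # (port, proto) -> toport
    log_services: set = field(default_factory=set)     # services with a log rich rule
    services: set = field(default_factory=set)         # --add-service allow rules
    ports: set = field(default_factory=set)            # --add-port allow rules, (port, proto)
    deny_sources: list = field(default_factory=list)   # CIDRs with a reject rich rule
    default_target: str = "reject"                     # verdict when nothing matches


def select_zone(zones, default_zone, src_ip, iface):
    """Pick the zone for a packet: first source match, then interface, then default."""
    addr = ipaddress.ip_address(src_ip)
    # 1. A source rule wins over everything else.
    for z in zones.values():
        if any(addr in ipaddress.ip_network(s) for s in z.sources):
            return z.name
    # 2. Then the incoming interface.
    for z in zones.values():
        if iface in z.interfaces:
            return z.name
    # 3. Otherwise the default zone, which is only an alias for one of the real zones.
    return default_zone


def evaluate(zone, src_ip, dport, proto):
    """Apply the per-zone ordering; returns (verdict, logged)."""
    addr = ipaddress.ip_address(src_ip)
    # 1. Port forwarding / masquerading rules.
    if (dport, proto) in zone.forward_ports:
        return f"forward:{zone.forward_ports[(dport, proto)]}", False
    # 2. Logging rules: a match is recorded, then processing continues as normal.
    svc_hits = {s for s in zone.services | zone.log_services
                if (dport, proto) in SERVICES.get(s, [])}
    logged = bool(svc_hits & zone.log_services)
    # 3. Allow rules (services and ports).
    if svc_hits & zone.services or (dport, proto) in zone.ports:
        return "accept", logged
    # 4. Deny rules.
    if any(addr in ipaddress.ip_network(d) for d in zone.deny_sources):
        return "reject", logged
    # 5. Nothing matched: the zone's own default decides (trusted accepts, most reject).
    return zone.default_target, logged


def decide(zones, default_zone, src_ip, iface, dport, proto):
    name = select_zone(zones, default_zone, src_ip, iface)
    verdict, logged = evaluate(zones[name], src_ip, dport, proto)
    return name, verdict, logged


# Constructed layout after the "Configuring a Firewall" practice: dmz is the default
# zone (so eth0 lands there) and the desktop subnet is routed into work.
LAB_ZONES = {
    "dmz": Zone("dmz", interfaces=["eth0"], services={"ssh"}),
    "work": Zone("work", sources=["172.25.0.0/24"],
                 services={"ssh", "https", "dhcpv6-client", "ipp-client"},
                 log_services={"ssh"}),
    "trusted": Zone("trusted", sources=["10.0.0.0/8"], default_target="accept"),
}

if __name__ == "__main__":
    for pkt in [("172.25.0.10", "eth0", 443, "tcp"), ("172.25.0.10", "eth0", 80, "tcp"),
                ("203.0.113.7", "eth0", 443, "tcp"), ("10.1.2.3", "eth0", 9999, "tcp")]:
        print(pkt, "->", decide(LAB_ZONES, "dmz", *pkt))
```

The second packet shows why the practice's plain-http curl fails: the desktop lands in work by its source address, http is not among the allowed services, and the zone default rejects it.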

Testing and debugging
To make testing and debugging easier, almost all rules can be added to the runtime configuration
with a timeout. The moment the rule with a timeout is added to the firewall, the timer starts
counting down for that rule. Once the timer for a rule has reached zero seconds, that rule is
removed from the runtime configuration.

Using timeouts can be an incredibly useful tool while working on a remote firewall, especially
when testing more complicated rule sets. If a rule works, the administrator can add it again,
but with the --permanent option (or at least without a timeout). If the rule does not work
as intended, maybe even locking the administrator out of the system, it will be removed
automatically, allowing the administrator to continue his or her work.

A timeout is added to a runtime rule by adding the option --timeout=<TIMEINSECONDS> to
the end of the firewall-cmd that enables the rule.

Working with rich rules
firewall-cmd has four options for working with rich rules. All of these options can be used in
combination with the regular --permanent or --zone=<ZONE> options.

Option                          Explanation
--add-rich-rule='<RULE>'        Add <RULE> to the specified zone, or the default zone if no
                                zone is specified.
--remove-rich-rule='<RULE>'     Remove <RULE> from the specified zone, or the default zone if
                                no zone is specified.
--query-rich-rule='<RULE>'      Query if <RULE> has been added to the specified zone, or the
                                default zone if no zone is specified. Returns 0 if the rule is
                                present, otherwise 1.
--list-rich-rules               Outputs all rich rules for the specified zone, or the default
                                zone if no zone is specified.

Any configured rich rules are also shown in the output from firewall-cmd --list-all and
firewall-cmd --list-all-zones.

Rich rules examples
Some examples of rich rules:

    [root@serverX ~]# firewall-cmd --permanent --zone=classroom --add-rich-rule='rule
    family=ipv4 source address=192.168.0.11/32 reject'

Reject all traffic from the IP address 192.168.0.11 in the classroom zone.

When using source or destination with an address option, the family= option of rule
must be set to either ipv4 or ipv6.

    [root@serverX ~]# firewall-cmd --add-rich-rule='rule service name=ftp limit value=2/m
    accept'

Allow two new connections to ftp per minute in the default zone.

Note that this change is only made in the runtime configuration.

    [root@serverX ~]# firewall-cmd --permanent --add-rich-rule='rule protocol value=esp
    drop'

Drop all incoming IPsec esp protocol packets from anywhere in the default zone.

Note

The difference between reject and drop lies in the fact that a reject will send
back an ICMP packet detailing that, and why, a connection was rejected. A drop just
drops the packet and does nothing else. Normally an administrator will want to use
reject for friendly and neutral networks, and drop only for hostile networks.

    [root@serverX ~]# firewall-cmd --permanent --zone=vnc --add-rich-rule='rule
    family=ipv4 source address=192.168.1.0/24 port port=7900-7905 protocol=tcp accept'

Accept all TCP packets on ports 7900, up to and including port 7905, in the vnc zone for the
192.168.1.0/24 subnet.


Logging with rich rules
When debugging, or monitoring, a firewall, it can be useful to have a log of accepted or rejected
connections. firewalld can accomplish this in two ways: by logging to syslog, or by sending
messages to the kernel audit subsystem, managed by auditd.

In both cases, logging can be rate limited. Rate limiting ensures that system log files do not fill up
with messages at a rate such that the system cannot keep up, or fills all its disk space.

The basic syntax for logging to syslog using rich rules is:

    log [prefix="<PREFIX TEXT>"] [level=<LOGLEVEL>] [limit value="<RATE/DURATION>"]

Where <LOGLEVEL> is one of emerg, alert, crit, error, warning, notice, info, or debug.

<DURATION> can be one of s for seconds, m for minutes, h for hours, or d for days. For example,
limit value=3/m will limit the log messages to a maximum of three per minute.

The basic syntax for logging to the audit subsystem is:

    audit [limit value="<RATE/DURATION>"]

Rate limiting is configured in the same way as for syslog logging.
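An added example, not from the course or from firewalld itself: a small Python composer that renders rich rules in the syntax of this section and checks the constraints the section states (exactly one element, family=ipv4 or ipv6 whenever an address is used, the listed log levels, and RATE/DURATION limits with s, m, h or d) before a rule is handed to firewall-cmd. The `rich_rule` and `add_rich_rule_cmd` helpers are this example's own; values are always quoted, which the rich language accepts.

```python
import re

LOG_LEVELS = {"emerg", "alert", "crit", "error", "warning", "notice", "info", "debug"}
ELEMENTS = {"service", "port", "protocol", "icmp-block", "masquerade", "forward-port"}
ACTIONS = {"accept", "reject", "drop"}
LIMIT_RE = re.compile(r"^\d+/[smhd]$")  # RATE/DURATION, e.g. 3/m


def _limit(value):
    """Validate and render a `limit value="RATE/DURATION"` clause."""
    if not LIMIT_RE.match(value):
        raise ValueError(f"limit must be RATE/DURATION with DURATION in s|m|h|d, got {value!r}")
    return f'limit value="{value}"'


def _opts(keyword, opts):
    """Render `keyword key="value" ...` with every value quoted."""
    return keyword + "".join(f' {k}="{v}"' for k, v in opts.items())


def rich_rule(element, family=None, source=None, destination=None,
              log=None, audit=None, limit=None, action=None):
    """Build a rich rule string; `element` is a one-key dict such as {"service": {"name": "ssh"}}."""
    if len(element) != 1 or next(iter(element)) not in ELEMENTS:
        raise ValueError(f"exactly one element of {sorted(ELEMENTS)} is required")
    if any(o and "address" in o for o in (source, destination)) and family not in ("ipv4", "ipv6"):
        raise ValueError("family=ipv4 or family=ipv6 is required when an address is used")
    if log and "level" in log and log["level"] not in LOG_LEVELS:
        raise ValueError(f"unknown log level {log['level']!r}")
    if action is not None and action not in ACTIONS:
        raise ValueError(f"action must be one of {sorted(ACTIONS)}")

    parts = ["rule"]
    if family:
        parts.append(f"family={family}")
    if source:
        parts.append(_opts("source", source))
    if destination:
        parts.append(_opts("destination", destination))
    (name, opts), = element.items()
    parts.append(_opts(name, opts))
    if log is not None:                 # log [prefix=..] [level=..] [limit value=..]
        parts.append(_opts("log", {k: v for k, v in log.items() if k != "limit"}))
        if "limit" in log:
            parts.append(_limit(log["limit"]))
    if audit is not None:               # audit [limit value=..]
        parts.append("audit")
        if "limit" in audit:
            parts.append(_limit(audit["limit"]))
    if limit is not None:               # rate limit on the action itself
        parts.append(_limit(limit))
    if action:
        parts.append(action)
    return " ".join(parts)


def add_rich_rule_cmd(rule, zone=None, permanent=False, timeout=None):
    """argv for firewall-cmd; a --timeout only applies to runtime rules, never with --permanent."""
    if permanent and timeout is not None:
        raise ValueError("--timeout cannot be combined with --permanent")
    argv = ["firewall-cmd"]
    if permanent:
        argv.append("--permanent")
    if zone:
        argv.append(f"--zone={zone}")
    argv.append(f"--add-rich-rule={rule}")
    if timeout is not None:
        argv.append(f"--timeout={int(timeout)}")
    return argv


if __name__ == "__main__":
    ssh = rich_rule({"service": {"name": "ssh"}},
                    log={"prefix": "ssh", "level": "notice", "limit": "3/m"}, action="accept")
    print(" ".join(add_rich_rule_cmd(ssh, zone="work", permanent=True)))
```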


-

Logging examples
Some examples of logging using rich rules:

    [root@serverX ~]# firewall-cmd --permanent --zone=work --add-rich-rule='rule service
    name="ssh" log prefix="ssh" level="notice" limit value="3/m" accept'

Accept new connections to ssh from the work zone, log new connections to syslog at the
notice level, and with a maximum of three messages per minute.

    [root@serverX ~]# firewall-cmd --add-rich-rule='rule family=ipv6 source
    address="2001:db8::/64" service name="dns" audit limit value="1/h" reject'
    --timeout=300

New IPv6 connections from the subnet 2001:db8::/64 in the default zone to DNS are
rejected for the next five minutes, and rejected connections are logged to the audit system
with a maximum of one message per hour.

References
firewalld.richlanguage(5), firewall-cmd(1), and firewalld.direct(5) man
pages

Practice: Writing Custom Rules

Guided exercise
In this lab, you will configure your serverX system to allow connections to a (new) http service,
but only from desktopX, and with a rate-limited log message.

Machines:

Outcomes:
Custom firewall rules that configure rate-limited logging for specific connections.

Before you begin...

• Reset your desktopX system.

• Reset your serverX system.

Your company is running a trial that includes starting a web server on serverX, but for the
duration of the trial, only desktopX should be able to connect. Since this could potentially
generate many log entries, this logging should be limited to a maximum of three messages per
second, and all log messages should be prefixed with the message "NEW HTTP".

It has been decided that you, the IT Rock Star, will implement this using firewalld rich rules.


□ 1. First install, start, and enable httpd.

  □ 1.1. [student@serverX ~]$ sudo yum install httpd

  □ 1.2. [student@serverX ~]$ sudo systemctl start httpd.service

  □ 1.3. [student@serverX ~]$ sudo systemctl enable httpd.service

□ 2. Configure a firewall rule in the default zone that allows traffic to http only from your
     desktopX system. This traffic should be logged, but with a maximum of three new
     connections per second.

  □ 2.1. Permanently create the new firewall rule.

         [student@serverX ~]$ sudo firewall-cmd --permanent --add-rich-rule='rule
         family=ipv4 source address=172.25.X.10/32 service name="http" log
         level=notice prefix="NEW HTTP" limit value="3/s" accept'

  □ 2.2. Activate the changes to your firewall.

         [student@serverX ~]$ sudo firewall-cmd --reload

  □ 2.3. On your serverX system, use tail -f to view the additions to
         /var/log/messages in real time.

         [student@serverX ~]$ sudo tail -f /var/log/messages

  □ 2.4. From your desktopX system, use curl to connect to the httpd service running
         on serverX.

         [student@desktopX ~]$ curl http://serverX.example.com

  □ 2.5. Inspect the output of your running tail command on serverX. You should see
         a message for the new connection like this:

         May 9 08:04:11 serverX kernel: NEW HTTP IN=eth0 OUT= MAC=...
         SRC=172.25.X.10 DST=172.25.X.11 LEN=60 ...
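An added example (not part of the course): parsing lines like the one above out of /var/log/messages and confirming that the NEW HTTP prefix only fires for the source the rule is meant to match, which is how a misconfigured source address would show up. The log excerpt is constructed, with 172.25.0.0/24 standing in for 172.25.X.0/24 and made-up MAC addresses; `parse_kernel_log`, `connections_per_source` and `unexpected_sources` are this example's own helpers.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed /var/log/messages excerpt in the layout of the course's example line.
# An unrelated sshd line is mixed in to show that non-netfilter lines are skipped.
SAMPLE_LOG = """\
May  9 08:04:11 serverX kernel: NEW HTTP IN=eth0 OUT= MAC=52:54:00:00:00:0b:52:54:00:00:00:0a:08:00 SRC=172.25.0.10 DST=172.25.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41201 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
May  9 08:04:12 serverX kernel: NEW HTTP IN=eth0 OUT= MAC=52:54:00:00:00:0b:52:54:00:00:00:0a:08:00 SRC=172.25.0.10 DST=172.25.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41202 DF PROTO=TCP SPT=51235 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
May  9 08:04:13 serverX sshd[2233]: Accepted publickey for student from 172.25.0.10 port 50000 ssh2
May  9 08:04:15 serverX kernel: NEW HTTP IN=eth0 OUT= MAC=52:54:00:00:00:0b:52:54:00:00:00:fe:08:00 SRC=172.25.0.254 DST=172.25.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=777 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# syslog timestamp, host, "kernel:", the rich-rule log prefix, then the netfilter KEY=VALUE fields.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?)(?P<fields>IN=.*)$")


def parse_kernel_log(text, prefix):
    """One dict per netfilter log line whose prefix equals `prefix`; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("prefix").strip() != prefix:
            continue
        # KEY=VALUE tokens; bare flags such as DF or SYN carry no "=" and are ignored.
        fields = dict(re.findall(r"(\w+)=(\S*)", m.group("fields")))
        events.append({"ts": m.group("ts"), "host": m.group("host"),
                       "in": fields.get("IN"), "src": fields.get("SRC"),
                       "dst": fields.get("DST"), "proto": fields.get("PROTO"),
                       "dpt": fields.get("DPT")})
    return events


def connections_per_source(events):
    """How many logged connections each source produced (the rule's limit caps the rate)."""
    return Counter(e["src"] for e in events)


def unexpected_sources(events, allowed_cidrs):
    """Sources that triggered the log rule but lie outside the networks it was meant to match."""
    nets = [ip_network(c) for c in allowed_cidrs]
    return Counter(e["src"] for e in events
                   if not any(ip_address(e["src"]) in n for n in nets))


if __name__ == "__main__":
    evs = parse_kernel_log(SAMPLE_LOG, "NEW HTTP")
    print(connections_per_source(evs))
    print("outside the intended source:", dict(unexpected_sources(evs, ["172.25.0.10/32"])))
```

With the practice's rule (source address 172.25.X.10/32) the last function should return nothing; any hit means the rule matches more than the one desktop.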

1 02 R H 254- R H E L7-en-1 -20140711 -

Masquerading and Port Forwarding

Objectives
After completing this section, students should be able to describe and implement Network Address Translation (NAT).

Network Address Translation (NAT)
firewalld supports two types of Network Address Translation (NAT): masquerading and port forwarding. Both can be configured on a basic level with regular firewall-cmd rules, and more advanced forwarding configurations can be accomplished with rich rules. Both forms of NAT modify certain aspects of a packet, like the source or destination, before sending it on.

Masquerading
With masquerading, a system will forward packets that are not directly addressed to itself to the intended recipient, while changing the source address of the packets that go through to its own public IP address. When answers to those packets come in, the firewall will then modify the destination address to the address of the original host, and send the packet on. This is usually used on the edge of a network to provide Internet access to an internal network. Masquerading is a form of Network Address Translation (NAT).

Important
Masquerading can only be used with IPv4, not with IPv6.

[Figure 4.1: A sample network layout for NAT. The firewall has the internal IP 10.0.0.1 and the external IP 1.2.3.4.]

An example of how masquerading works based on the network layout described in Figure 4.1: A sample network layout for NAT:

1. One of the machines behind the firewall sends a packet to an address outside of the local network. The packet has a source address of 10.0.0.100 (the address of the machine), and a destination address of 2.17.39.214.

2. Since the destination address is not on the local subnet, the packet will be routed to the default gateway configured on the source machine; in this case, 10.0.0.1, the IP address of the firewall.

3. The firewall accepts the packet, changes the source address to 1.2.3.4 (the external IP for the firewall), stores a reference to this connection in its connection state table, then passes it to a router on the Internet based on its routing table.

4. An answer to the packet comes back from the Internet. The firewall looks up the connection in its connection state table, then changes the destination address to 10.0.0.100 (the original sender), and passes the packet on.

5. The original sender receives the answer to its request.

Configuring masquerading
To configure masquerading for a zone with regular firewall-cmd commands, use the following syntax:

    [root@serverX ~]# firewall-cmd --permanent --zone=<ZONE> --add-masquerade

This will masquerade any packets sent to the firewall from clients defined in the sources for that zone (both interfaces and subnets) that are not addressed to the firewall itself.

To gain more control over what clients will be masqueraded, a rich rule can be used as well.

    [root@serverX ~]# firewall-cmd --permanent --zone=<ZONE> --add-rich-rule='rule family=ipv4 source address=192.168.0.0/24 masquerade'

Port forwarding
Another form of NAT is port forwarding. With port forwarding, traffic to a single port is forwarded either to a different port on the same machine, or to a port on a different machine. This mechanism is typically used to "hide" a server behind another machine, or to provide access to a service on an alternate port.

Important
When a port forward is configured to forward packets to a different machine, any replies from that machine will normally be sent directly to the original client from that machine. Since this will result in an invalid connection on most configurations, the machine that is forwarded to will have to be masqueraded through the firewall that performed the port forwarding.

A common configuration is to forward a port from the firewall machine to a machine that is already masqueraded behind the firewall.

An example of a port forward based on the network layout described in Figure 4.1: A sample network layout for NAT. Assume that the machine with the IP address 10.0.0.100 behind the firewall is running a web server on port 8080/TCP, and that the firewall is configured to forward traffic coming in on port 80/TCP on its external interface to port 8080/TCP on that machine.

1. A client from the Internet sends a packet to port 80/TCP on the external interface of the firewall.

2. The firewall changes the destination address and port of this packet to 10.0.0.100 and 8080/TCP and forwards it on. The source address and port remain unchanged.

3. The machine behind the firewall sends a response to this packet. Since this machine is being masqueraded (and the firewall is configured as the default gateway), this packet is sent to the original client, appearing to come from the external interface on the firewall.
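The two walkthroughs above (masquerading steps 1 to 5 and port forwarding steps 1 to 3) can be traced in code. The following Python model is an added illustration, not firewalld or kernel code; it uses the Figure 4.1 addresses (external IP 1.2.3.4, internal host 10.0.0.100, Internet host 2.17.39.214) and constructs the Internet client address 203.0.113.7 and all port numbers. It also shows why the Important note matters: when the forwarded-to host's reply bypasses the firewall, the client receives an answer that matches no connection it opened.

```python
from dataclasses import dataclass, replace

FW_EXTERNAL = "1.2.3.4"       # the firewall's external address from Figure 4.1
INTERNAL_PREFIX = "10.0.0."   # a prefix test stands in for a real subnet match


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def is_internal(addr):
    return addr.startswith(INTERNAL_PREFIX)


class NatFirewall:
    """Masquerades the internal network and forwards selected external ports."""

    def __init__(self):
        self.forwards = {}  # (proto, ext port) -> (toaddr, toport)
        self.snat = {}      # (proto, peer, peer port, nat port) -> (inside, inside port)
        self.dnat = {}      # (proto, client, client port, inside, inside port) -> ext port
        self.next_port = 40000  # first source port handed out to masqueraded flows

    def add_forward_port(self, port, proto="tcp", toport=None, toaddr=None):
        """Same constraint as --add-forward-port: toport, toaddr, or both."""
        if toport is None and toaddr is None:
            raise ValueError("at least one of toport or toaddr must be given")
        # no toaddr means "this machine", modelled here as the external address
        self.forwards[(proto, port)] = (toaddr or FW_EXTERNAL, toport or port)

    def from_inside(self, pkt):
        """A packet arrives on the internal interface."""
        # Port-forward step 3: translate the forwarded-to host's reply back so
        # it appears to come from the firewall's external interface.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.dnat:
            return replace(pkt, src=FW_EXTERNAL, sport=self.dnat[key])
        if is_internal(pkt.dst):
            return pkt  # stays on the local network, nothing to rewrite
        # Masquerading step 3: rewrite the source and remember the mapping.
        nat_port = self.next_port
        self.next_port += 1
        self.snat[(pkt.proto, pkt.dst, pkt.dport, nat_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=FW_EXTERNAL, sport=nat_port)

    def from_outside(self, pkt):
        """A packet arrives on the external interface; None means it is dropped."""
        if pkt.dst != FW_EXTERNAL:
            return None
        # Masquerading step 4: an answer to a flow rewritten earlier.
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dport)
        if key in self.snat:
            inside, inside_port = self.snat[key]
            return replace(pkt, dst=inside, dport=inside_port)
        # Port-forward step 2: the destination changes, the source stays as it was.
        fwd = self.forwards.get((pkt.proto, pkt.dport))
        if fwd:
            toaddr, toport = fwd
            self.dnat[(pkt.proto, pkt.src, pkt.sport, toaddr, toport)] = pkt.dport
            return replace(pkt, dst=toaddr, dport=toport)
        return None  # no state and no forward: the zone's filter rules decide


def reply_to(pkt):
    """The receiving host answers: the two endpoints swap places."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)


def client_accepts(request, reply):
    """A client only matches a reply to the connection it actually opened."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (
        request.dst, request.dport, request.src, request.sport)


def masquerade_walkthrough():
    """Steps 1 to 5 of the masquerading walkthrough (source port constructed)."""
    fw = NatFirewall()
    request = Packet("10.0.0.100", 51000, "2.17.39.214", 443)
    on_wire = fw.from_inside(request)            # leaves as 1.2.3.4:40000
    answer = fw.from_outside(reply_to(on_wire))  # comes back to 10.0.0.100:51000
    return on_wire, answer


def port_forward_walkthrough(reply_via_firewall=True):
    """Steps 1 to 3 of the port-forward walkthrough, 80/TCP -> 10.0.0.100:8080.
    With reply_via_firewall=False the inside host is not masqueraded, so its
    reply reaches the client untranslated and matches no open connection."""
    fw = NatFirewall()
    fw.add_forward_port(80, "tcp", toport=8080, toaddr="10.0.0.100")
    client = Packet("203.0.113.7", 33000, FW_EXTERNAL, 80)  # constructed client
    inside = fw.from_outside(client)
    server_reply = reply_to(inside)
    if reply_via_firewall:
        server_reply = fw.from_inside(server_reply)
    return inside, server_reply, client_accepts(client, server_reply)
```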

Configuring port forwarding
To configure port forwarding with regular firewall-cmd commands, use the following syntax:

    [root@serverX ~]# firewall-cmd --permanent --zone=<ZONE> --add-forward-port=port=<PORTNUMBER>:proto=<PROTOCOL>[:toport=<PORTNUMBER>][:toaddr=<IPADDR>]

Both the toport= and toaddr= parts are optional, but at least one of those two will need to be specified.

As an example, the following command will forward incoming connections on port 513/TCP on the firewall to port 132/TCP on the machine with the IP address 192.168.0.254 for clients from the public zone:

    [root@serverX ~]# firewall-cmd --permanent --zone=public --add-forward-port=port=513:proto=tcp:toport=132:toaddr=192.168.0.254

To gain more control over port forwarding rules, the following syntax can be used with rich rules:

    forward-port port=<PORTNUM> protocol=tcp|udp [to-port=<PORTNUM>] [to-addr=<ADDRESS>]

An example that uses rich rules to forward traffic from 192.168.0.0/26 in the work zone to port 80/TCP to port 8080/TCP on the firewall machine itself:

    [root@serverX ~]# firewall-cmd --permanent --zone=work --add-rich-rule='rule family=ipv4 source address=192.168.0.0/26 forward-port port=80 protocol=tcp to-port=8080'

References
firewalld.richlanguage(5) and firewall-cmd(1) man pages

Practice: Forwarding a Port

Guided exercise
In this lab, you will configure your serverX system to forward a request to port 443/tcp from desktopX to port 22/tcp.

Outcomes:
Custom firewall rules that configure a port forward.

Before you begin...

• Reset your desktopX system.

• Reset your serverX system.

Your company is running a trial for a new bastion host. As part of this trial, your desktopX should be able to connect to the SSH daemon on your serverX system on port 443/tcp. Since this is purely a trial, you do not wish to bind sshd to that port directly, and only your desktopX should be able to connect using port 443/tcp.

It has been decided that you, the chosen one, will implement this using firewalld rich rules.

1. Configure the firewall on serverX to forward port 443/tcp to 22/tcp, but only for your desktopX machine. The IP address of your desktopX machine is 172.25.X.10.

1.1. Permanently add the port forwarding firewall rule on serverX.

    [student@serverX ~]$ sudo firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=172.25.X.10/32 forward-port port=443 protocol=tcp to-port=22'

1.2. Reload the firewall configuration to activate your changes.

    [student@serverX ~]$ sudo firewall-cmd --reload

1.3. Test if sshd is now available on port 443/tcp from your desktopX system.

    [student@desktopX ~]$ ssh -p 443 serverX.example.com
    The authenticity of host '[serverX.example.com]:443 ([172.25.X.11]:443)' can't be established.
    ECDSA key fingerprint is XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX.
    Are you sure you want to continue connecting (yes/no)? yes
    student@serverX.example.com's password: student
Managing SELinux Port Labeling

Objectives
After completing this section, students should be able to ensure network ports have the correct SELinux type so that services are able to bind to them.

SELinux port labeling
SELinux does more than just file and process labeling. Network traffic is also tightly enforced by the SELinux policy. One of the methods that SELinux uses for controlling network traffic is labeling network ports; for example, in the targeted policy, port 22/TCP has the label ssh_port_t associated with it.

Whenever a process wants to listen on a port, SELinux will check to see if the label associated with that process (the domain) is allowed to bind that port label. This can stop a rogue service from taking over ports otherwise used by other (legitimate) network services.

Managing SELinux port labeling
Whenever an administrator decides to run a service on a nonstandard port, there is a high chance that SELinux port labels will need to be updated. In some cases, the targeted policy has already labeled the port with a type that can be used; for example, since port 8008/TCP is often used for web applications, that port is already labeled with http_port_t, the default port type for the web server.

Listing port labels
To get an overview of all the current port label assignments, administrators can use the port subcommand of the semanage command. The -l option will list all current assignments, in the form:

    port_label_t tcp|udp comma, separated, list, of, ports

To only view local changes to the default policy, administrators can add the -C option to this command.

Example output:

    [root@serverX ~]# semanage port -l
    http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
    http_cache_port_t              udp      3130
    http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000

Note that a port label can appear twice in the output, once for TCP and once for UDP.


Note
A graphical tool, system-config-selinux, is also available for administrators who prefer to work with GUI tools. This tool is part of the policycoreutils-gui package.
Managing port labels
semanage can also be used to assign new port labels, remove port labels, or modify existing ones.

Important
Only local modifications can be removed or modified. To allow a service to bind to a port label normally associated with another service, a small policy module must be written. Writing and generating policy modules falls outside the scope of this course. It is also not possible to remove a port label from the policy without overriding the policy module that provided that label.

To add a port to an existing port label (type), use the following syntax:

    [root@serverX ~]# semanage port -a -t port_label -p tcp|udp PORTNUMBER

For example, to allow a gopher service to listen on port 71/TCP:

    [root@serverX ~]# semanage port -a -t gopher_port_t -p tcp 71

Note
The targeted policy ships with a large number of port types. Per-service documentation on SELinux types, Booleans, and port types can be found in the service-specific SELinux man pages found in the selinux-policy-devel package.

If these man pages are not yet installed on your system, follow this procedure:

    [root@serverX ~]# yum -y install selinux-policy-devel
    [root@serverX ~]# mandb
    [root@serverX ~]# man -k _selinux

Removing port labels
The syntax for removing a custom port label is the same as the syntax for adding a port label, but instead of using the -a option (for Add), the -d option (for Delete) is used.

For example, to remove the binding of port 71/TCP to gopher_port_t:

    [root@serverX ~]# semanage port -d -t gopher_port_t -p tcp 71

Modifying port bindings
If an administrator has accidentally assigned the wrong type to a port, or requirements have changed, it's possible to modify the label associated with a port. This is a more efficient process than removing the old binding and adding a new one. Modifications require the -m option.

For example, to modify port 71/TCP from gopher_port_t to http_port_t, an administrator can use the following command:

    [root@serverX ~]# semanage port -m -t http_port_t -p tcp 71
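The listing format described under "Listing port labels" and the choice between -a and -m described above, worked through in code. This Python is an added example, not part of the course or of policycoreutils: it parses a constructed semanage port -l excerpt (the http_cache_port_t and http_port_t rows are the chapter's; the header, gopher and ssh rows are added) and resolves a port and protocol to its type, expanding ranges such as 10001-10010.

```python
import re

# Constructed sample of `semanage port -l` output; a real listing is much longer.
SAMPLE_LISTING = """\
SELinux Port Type              Proto    Port Number

gopher_port_t                  tcp      70
gopher_port_t                  udp      70
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
"""

PORT_ITEM = re.compile(r"(\d+)(?:-(\d+))?")  # a single port or a low-high range


def parse_port_listing(text):
    """Turn semanage output into (type, proto, low, high) tuples, ranges kept."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 2)  # type, proto, "comma, separated, ports"
        if len(parts) < 3 or parts[1] not in ("tcp", "udp"):
            continue  # header, blank line, or a line in a shape we do not know
        ptype, proto, ports = parts
        for item in ports.split(","):
            m = PORT_ITEM.fullmatch(item.strip())
            if m:
                low = int(m.group(1))
                entries.append((ptype, proto, low, int(m.group(2) or low)))
    return entries


def label_for(entries, port, proto):
    """The port type explicitly assigned to port/proto, or None if there is none."""
    for ptype, p, low, high in entries:
        if p == proto and low <= port <= high:
            return ptype
    return None


def ports_of(entries, ptype, proto):
    """All individual ports carrying a type, with ranges expanded."""
    return sorted(port for t, p, low, high in entries
                  if t == ptype and p == proto for port in range(low, high + 1))


def semanage_command(entries, port, proto, wanted):
    """Choose -a or -m as the section describes: an unassigned port is added to
    the type, a port that already carries a different type is modified.
    Whether -m then succeeds depends on that existing assignment being a local
    one, as the Important note explains."""
    current = label_for(entries, port, proto)
    if current == wanted:
        return None  # already labeled the way we want it
    flag = "-a" if current is None else "-m"
    return f"semanage port {flag} -t {wanted} -p {proto} {port}"
```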

References
semanage(8), semanage-port(8), *_selinux(8), and system-config-selinux(8) man pages
Practice: Managing SELinux Port Labeling

Guided exercise
In this lab, you will configure your serverX system to allow http access on a nonstandard port.

Outcomes:
A web server running on serverX successfully serving content on a nonstandard port.

Before you begin...

• Reset your desktopX system.

• Reset your serverX system.

• Log into and set up your serverX system.

    [student@serverX ~]$ lab selinuxport setup

Your organization is deploying a new custom web application. Unfortunately for you, the web application is running on a nonstandard port; in this case, 82/TCP.

One of your developers has already configured the application on your serverX. But, not being a rock star system administrator, he failed in getting the web server to start successfully.

Your mission, if you choose to accept it, is to get the httpd.service service on serverX successfully started, and serving out content to your desktopX system over port 82/TCP.

1. Start by restarting the httpd.service.

1.1.
    [student@serverX ~]$ sudo systemctl restart httpd.service
    Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details

1.2. View the output from systemctl status -l httpd.service.

    [student@serverX ~]$ sudo systemctl status -l httpd.service
    Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:82

1.3. Check if SELinux is blocking httpd from binding to port 82/TCP.

    [student@serverX ~]$ sudo sealert -a /var/log/audit/audit.log

2. Configure SELinux to allow httpd to bind to port 82/TCP, then restart the httpd.service service.

2.1. Use semanage to find an appropriate port type for port 82/TCP.

    [student@serverX ~]$ sudo semanage port -l | grep http

http_port_t seems promising, since it is what the normal http port (80/TCP) is also assigned to.

2.2. Assign port 82/TCP the http_port_t type.

    [student@serverX ~]$ sudo semanage port -a -t http_port_t -p tcp 82

2.3. Restart the httpd.service service.

    [student@serverX ~]$ sudo systemctl restart httpd.service

3. Check if you can now access the web server running on port 82/TCP.

3.1.
    [student@serverX ~]$ curl http://serverX.example.com:82
    Hello

4. Check if you can access the new web service from your desktopX system.

4.1.
    [student@desktopX ~]$ curl http://serverX.example.com:82
    curl: (7) Failed to connect to serverX.example.com:82; No route to host

That error means you still can't connect from desktopX. Take a minute to think up some probable causes for this failure.

5. On your serverX system, open up port 82/TCP on your firewall.

5.1. Open port 82/TCP in the permanent configuration for the default zone on the firewall on serverX.

    [student@serverX ~]$ sudo firewall-cmd --permanent --add-port=82/tcp

5.2. Activate your firewall changes on serverX.

    [student@serverX ~]$ sudo firewall-cmd --reload

6. Check if you can now access the new web service from your desktopX system.

6.1.
    [student@desktopX ~]$ curl http://serverX.example.com:82
    Hello

7. On your desktopX system, run the command lab selinuxport grade to verify your work.

7.1.
    [student@desktopX ~]$ lab selinuxport grade
    Testing http access over port 82... PASS
Lab: Network Port Security

Performance checklist
In this lab, you will configure a custom firewall zone, service, and a custom SELinux port type.

Outcomes:
An SSHD service listening on both the regular port 22/TCP, as well as the new nonstandard port 999/TCP, protected through a custom firewall zone and a custom firewall service.

Before you begin...

• Reset your desktopX system.

• Reset your serverX system.

• Log into and set up your serverX system.

    [student@serverX ~]$ lab custom-sshd setup

Since some of your co-workers sometimes have to use your serverX machine from a network that blocks outgoing access to port 22/TCP, you have decided to bind your sshd daemon to the nonstandard port 999/TCP. The sshd daemon should also still be available over the standard port 22/TCP. The lab custom-sshd setup script has already configured the sshd daemon to listen on these ports, but has not yet performed any additional configuration that might be necessary.

After ensuring sshd listens on these ports, you will need to update the firewall on serverX as well. Use the following criteria when configuring the firewall:

• All connections from the 172.25.X.0/24 network should be routed through the work zone.

• In addition to the regular ssh port, port 999/TCP should also be available in the work zone.

After you have completed your work, you can run the command lab custom-sshd grade on your desktopX machine to verify your work.

1. Verify that sshd is indeed listening on both port 22/TCP and port 999/TCP. If not, investigate and fix.

2. Route all traffic from the 172.25.X.0/24 subnet through the work zone.

3. Open port 999/TCP in the work zone.

4. From desktopX, verify your configuration by running lab custom-sshd grade.
Solution
In this lab, you will configure a custom firewall zone, service, and a custom SELinux port type.

Outcomes:
An SSHD service listening on both the regular port 22/TCP, as well as the new nonstandard port 999/TCP, protected through a custom firewall zone and a custom firewall service.

Before you begin...

• Reset your desktopX system.

• Reset your serverX system.

• Log into and set up your serverX system.

    [student@serverX ~]$ lab custom-sshd setup

Since some of your co-workers sometimes have to use your serverX machine from a network that blocks outgoing access to port 22/TCP, you have decided to bind your sshd daemon to the nonstandard port 999/TCP. The sshd daemon should also still be available over the standard port 22/TCP. The lab custom-sshd setup script has already configured the sshd daemon to listen on these ports, but has not yet performed any additional configuration that might be necessary.

After ensuring sshd listens on these ports, you will need to update the firewall on serverX as well. Use the following criteria when configuring the firewall:

• All connections from the 172.25.X.0/24 network should be routed through the work zone.

• In addition to the regular ssh port, port 999/TCP should also be available in the work zone.

After you have completed your work, you can run the command lab custom-sshd grade on your desktopX machine to verify your work.

1. Verify that sshd is indeed listening on both port 22/TCP and port 999/TCP. If not, investigate and fix.

1.1. Use ss to find all the ports where sshd is listening.

    [student@serverX ~]$ sudo ss -tulpn | grep sshd
    tcp    LISTEN     0      128                    *:22                    *:*      users:(("sshd",4864,3))
    tcp    LISTEN     0      128                   :::22                   :::*     users:(("sshd",4864,4))

1.2. The previous output indicates that sshd is only bound to port 22/TCP. Restart the sshd.service service and check the status output.

    [student@serverX ~]$ sudo systemctl restart sshd.service
    [student@serverX ~]$ sudo systemctl status -l sshd.service
    May 12 12:41:37 serverX.example.com sshd[23036]: error: Bind to port 999 on 0.0.0.0 failed: Permission denied.

Depending on the speed and configuration of your system, the previous command might also include some sealert output. If an SELinux denial was caused by a service, this information typically shows up with some delay in the output of systemctl status, but a lack of sealert output is not a guarantee that this is not an SELinux issue.

1.3. That Permission denied while binding to port 999/TCP is most likely an SELinux denial. Use sealert to find any SELinux messages related to this.

    [student@serverX ~]$ sudo sealert -a /var/log/audit/audit.log
    SELinux is preventing /usr/sbin/sshd from name_bind access on the tcp_socket.

1.4. Use the advice from sealert to allow sshd to bind to port 999/TCP.

    [student@serverX ~]$ sudo semanage port -a -t ssh_port_t -p tcp 999

1.5. Restart sshd.service and verify if it is now bound to port 999/TCP as well.

    [student@serverX ~]$ sudo systemctl restart sshd.service
    [student@serverX ~]$ sudo ss -tulpn | grep sshd
    tcp    LISTEN     0      128                    *:999                   *:*      users:(("sshd",4864,3))

2. Route all traffic from the 172.25.X.0/24 subnet through the work zone.

2.1. Permanently route all traffic from the 172.25.X.0/24 subnet through the work zone.

    [student@serverX ~]$ sudo firewall-cmd --permanent --zone=work --add-source=172.25.X.0/24

3. Open port 999/TCP in the work zone.

3.1. Add the port.

    [student@serverX ~]$ sudo firewall-cmd --permanent --zone=work --add-port=999/tcp

3.2. Reload the firewall on serverX to activate your changes.

    [student@serverX ~]$ sudo firewall-cmd --reload

4. From desktopX, verify your configuration by running lab custom-sshd grade.

4.1.
    [student@desktopX ~]$ lab custom-sshd grade
    overall result: PASS
Summary

Managing Firewalld
In this section, students reviewed firewalld concepts and management commands covered in previous courses.

Managing Rich Rules
In this section, students learned how to configure more complex firewall configurations using firewalld's support for "rich language rules."

Masquerading and Port Forwarding
In this section, students learned how to describe and implement Network Address Translation (NAT).

Managing SELinux Port Labeling
In this section, students learned how to ensure network ports have the correct SELinux type so that services are able to bind to them.

CHAPTER 5

MANAGING DNS FOR SERVERS

Overview

Goal          To set and verify correct DNS records for systems and configure secure caching DNS name service.

Objectives    • Explain how DNS is used to resolve names and addresses and the purpose of key DNS resource records.

              • Configure unbound to act as a secure local caching nameserver.

              • Describe common DNS configuration problems and how to identify and resolve them.

Sections      • DNS Concepts (and Practice)

              • Configuring a Caching Nameserver (and Practice)

              • DNS Troubleshooting (and Practice)

Lab           • Managing DNS for Servers


-

C h a pter 5. M a n a g i ng D N S for Se rvers


-

DNS Concepts

Objectives
After completing this section, students should be able to:

• Explain the hierarchical structure of the Domain Name System (DNS).

• Differentiate between domains, subdomains, and zones.

• Identify the differences between different resource record types.

The Domain Name System
The Domain Name System (DNS) is a hierarchical naming system that serves as a directory of networked hosts and resources. Information in the directory maps network names to data and is maintained in logical entries known as resource records. The DNS hierarchy begins with the root domain "." at the top and branches downward to multiple next-level domains.

Each level of the DNS hierarchy is delineated by the "." in domain names, with "." as the top level. Domains such as com, net, and org occupy the second level of the hierarchy, and domains such as example.com and redhat.com occupy the third level, and so on.

When working with DNS, it is important to clarify some of the common terms used to refer to the structure of the DNS hierarchy, such as domain, subdomain, and zone.

Domain
A domain is a collection of resource records that ends in a common name and represents an entire subtree of the DNS namespace, such as example.com. The largest possible domain is the root domain, ".", which includes the whole DNS namespace.

A top-level domain (TLD) is a domain that has only one component. Generic TLDs (gTLDs) were originally organized by theme, and include .com, .edu, .net, etc. Country code TLDs (ccTLDs) are organized on a national basis, and include .us, .uk, .cn, .ru, etc.

Subdomain
A subdomain is a domain that is a subtree of another domain. This term is used when discussing the relationship of two domains to each other. For example, lab.example.com is a subdomain of example.com.

Zone
A zone is the portion of a domain for which a particular nameserver is directly responsible, or authoritative. This may be an entire domain, or just part of a domain with some or all of its subdomains delegated to other nameserver(s).

Anatomy of DNS lookups
When a system needs to perform name resolution using a DNS server, it begins by sending queries to the servers listed in /etc/resolv.conf in order, until it gets a response or runs out of servers. The host or dig commands can be used to manually look up DNS names.

Local authoritative data
When the query arrives at a DNS server, the server first determines whether the information being queried resides in a zone that it is authoritative for. If the server is an authority for the zone that the name or address being queried belongs to, then the server responds to the client with the information contained in its local zone file. This type of response is referred to as an authoritative answer (aa), since the server providing the response is authoritative for the data provided. Authoritative answers from a nameserver have the aa flag turned on in the header of the DNS response.

Local cached non-authoritative data
If the DNS server is not an authority for the record in question, but has recently obtained the record to answer a previous query, it may still have a copy of the record in its cache. The cache is where answers to queries are stored for a specified time, determined by a value contained in every resource record response called the Time To Live (TTL). If an answer exists in the server's cache, it is provided to the client. This answer will not have the aa flag set, since the server is not authoritative for the data being provided.

Remote non-authoritative data via recursion
If the DNS server is not authoritative for the name being queried, and it does not possess the record in its cache, it will then attempt to retrieve the record via an iterative process known as recursion. A DNS server with an empty cache begins the recursion process by querying one of the root nameservers by IP address retrieved from its local, pre-populated root hints file. The root nameserver will then likely respond with a referral, which indicates the nameservers that are authoritative for the TLD that contains the name being queried.

Upon receiving the referral, the DNS server will then perform another iterative query to the TLD authoritative nameserver it was referred to. Depending on whether there are further remaining delegations in the name being queried, this authoritative nameserver will either send an authoritative answer or yet another referral. This continues until an authoritative server is reached and responds with an authoritative answer.

The final answer, along with all the intermediate answers obtained prior to it, are cached by the DNS server to improve performance. If during a lookup for www.example.com the DNS server finds out that the example.com zone has authoritative nameservers, it will query those servers directly for any future queries for information in the example.com zone, rather than starting recursion again at the root nameservers.

DNS resource records
DNS resource records (RRs) are entries in a DNS zone that specify information about a particular name or object in the zone. A resource record contains a type, a TTL, a class, and data elements organized in the following format:

owner-name TTL class type data

www.example.com. 300 IN A 192.168.1.10

Resource Record Fields

Field name   Content
owner-name   The name for this resource record.
TTL          The Time To Live of the resource record in seconds. This specifies how long this resource record should be cached by DNS resolvers.
class        The "class" of the record, almost always IN ("Internet").
type         The type indicates the sort of information stored by this record. For example, an A record maps a host name to an IPv4 address.
data         The data stored by this record. The exact format varies by record type.

There are a number of important resource record types:

A (IPv4 address) records
An A resource record maps a host name to an IPv4 address.

[student@serverX ~]$ host -v -t A example.com
Trying "example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22681
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;example.com.                  IN      A

;; ANSWER SECTION:
example.com.            86400   IN      A       172.25.254.254

Received 96 bytes from 172.25.254.254#53 in 1 ms

AAAA (IPv6 address) records
An AAAA resource record ("quad-A" record) maps a host name to an IPv6 address.

[student@serverX ~]$ host -v -t AAAA a.root-servers.net
Trying "a.root-servers.net"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18194
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 12

;; QUESTION SECTION:
;a.root-servers.net.           IN      AAAA

;; ANSWER SECTION:
a.root-servers.net.     604800  IN      AAAA    2001:503:ba3e::2:30

Received 64 bytes from 172.25.254.254#53 in 78 ms

CNAME (canonical name) records
A CNAME resource record aliases one name to another name (the canonical name), which should have A or AAAA records.

When a DNS resolver receives a CNAME record in response to a query, it will reissue the query using the canonical name instead of the original name.

The data field of CNAME records can point to a name anywhere in DNS, whether internal or external to the zone:

www-dev.example.com.    IN      CNAME   lab.example.com.
www.example.com.        IN      CNAME   www.redhat.com.

CNAME records are useful, but should be used with some care. In general, pointing a CNAME record to other CNAME records should be avoided for efficiency and fragility reasons and to avoid creating a CNAME loop by accident. The chain of CNAME records must end in A and/or AAAA records. Note that there are legitimate uses for CNAME chains when using Content Delivery Networks (CDNs) to improve the speed and reliability of data delivery over the Internet. Likewise, NS and MX records must not be pointed at CNAME records but at names with A and/or AAAA records.

[student@serverX ~]$ host -v -t A ipa-ca.server0.example.com
Trying "ipa-ca.server0.example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11931
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;ipa-ca.server0.example.com.   IN      A

;; ANSWER SECTION:
ipa-ca.server0.example.com. 86400 IN    CNAME   server0.example.com.
server0.example.com.    86400   IN      A       172.25.0.11

Received 125 bytes from 172.25.254.254#53 in 1 ms

PTR (pointer) records
A PTR record maps IPv4 or IPv6 addresses to a host name. They are used for reverse DNS resolution.

PTR records code the IP address in a special format that acts like a host name. For IPv4 addresses, the address is reversed, most specific part first, and the result is treated as a host in a subdomain of the special domain in-addr.arpa. For IPv6 addresses, the address is split into subdomains on nibble boundaries (every hexadecimal digit) and set up as a subdomain of the special domain ip6.arpa, as seen in the following example. While this syntax may seem strange, it makes it simpler for DNS administrators to delegate responsibility for ranges of addresses to other DNS administrators.

[student@serverX ~]$ host -v -t PTR 172.25.0.10
Trying "10.0.25.172.in-addr.arpa"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36389
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;10.0.25.172.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
10.0.25.172.in-addr.arpa. 86400 IN      PTR     desktop0.example.com.

Received 127 bytes from 172.25.254.254#53 in 2 ms

[student@serverX ~]$ host -v -t PTR 2001:503:ba3e::2:30
Trying "0.3.0.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.e.3.a.b.3.0.5.0.1.0.0.2.ip6.arpa"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32138
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;0.3.0.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.e.3.a.b.3.0.5.0.1.0.0.2.ip6.arpa. IN PTR

;; ANSWER SECTION:
0.3.0.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.e.3.a.b.3.0.5.0.1.0.0.2.ip6.arpa. 86400 IN PTR a.root-servers.net.

Received 122 bytes from 172.25.254.254#53 in 174 ms


NS (name server) records
An NS record maps a domain name to a DNS name server which is authoritative for its DNS zone. Every public authoritative name server for the zone must have an NS record.

[student@serverX ~]$ host -v -t NS example.com
Trying "example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29362
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;example.com.                  IN      NS

;; ANSWER SECTION:
example.com.            86400   IN      NS      classroom.example.com.

Received 80 bytes from 172.25.254.254#53 in 0 ms
SOA (start of authority) records
An SOA record provides information about how a DNS zone works.

There will be exactly one SOA record for a zone. It specifies which of the zone's name servers is the primary one (the master), information on how secondary (slave) name servers should update their copy of the information, and the zone's management contact. Its data field contains the following elements:

SOA record data elements

Data element        Content
Master nameserver   The host name of the nameserver which is the original source of domain information, and which may accept dynamic DNS updates if the zone supports them.
RNAME               The email address of the person responsible for the DNS zone (the hostmaster). The @ in the email address is replaced with a "." in the RNAME. For example, an email address of hostmaster@example.com is written as hostmaster.example.com.
Serial number       The version number of the zone, which is increased when there is any change to zone records.
Refresh             How frequently the slave servers should check for zone updates, in seconds.
Retry               How long a slave server should wait before retrying a failed refresh attempt, in seconds.
Expiry              If refreshes have been failing, how long a slave server should wait before it stops using its old copy of the zone to respond to queries, in seconds.
Minimum             If a resolver looks up a name and it does not exist (gets a nonexistent domain (NXDOMAIN) response), how long it should cache the information that the record does not exist, in seconds.

[student@serverX ~]$ host -v -t SOA example.com
Trying "example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58434
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com.                  IN      SOA

;; ANSWER SECTION:
example.com.            86400   IN      SOA     classroom.example.com. root.classroom.example.com. 2013091600 3600 300 604800 60

Received 121 bytes from 172.25.254.254#53 in 0 ms

MX (mail exchange) records
An MX record maps a domain name to a mail exchange which will accept email for that name.

The data for this record type is a preference number (lowest preferred) used to determine the order in which to pick between multiple MX records, and a host name for a mail exchange for that name.

[student@serverX ~]$ host -v -t MX example.com
Trying "example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47187
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;example.com.                  IN      MX

;; ANSWER SECTION:
example.com.            86400   IN      MX      10 classroom.example.com.

Received 96 bytes from 172.25.254.254#53 in 0 ms

TXT (text) records
A TXT record is used to map a name to arbitrary human-readable text.

TXT records are commonly used to supply data used by Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC), and so on.

[student@serverX ~]$ host -v -t TXT lwn.net
Trying "lwn.net"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41137
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;lwn.net.                      IN      TXT

;; ANSWER SECTION:
lwn.net.                28619   IN      TXT     "v=spf1 ip4:72.51.34.34 ip4:70.33.254.29 -all"

Received 638 bytes from 192.168.2.11#53 in 74 ms


SRV (service) records
An SRV record is used to locate the hosts which support a particular service for a domain.

Using a domain name formatted to include a service and a protocol name, _service._protocol.domainname, SRV records provide the names of the hosts that provide that service for the domain, as well as the port number that the service listens on. SRV records also include priority and weight values to indicate the order in which hosts should be used when multiple hosts are available for a particular service.

This example SRV record indicates that the server0.example.com domain provides the LDAP service using TCP on port 389 on host server0.example.com with a priority of 0 and a weighting of 100.

[student@serverX ~]$ host -v -t SRV _ldap._tcp.server0.example.com
Trying "_ldap._tcp.server0.example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35665
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; QUESTION SECTION:
;_ldap._tcp.server0.example.com. IN    SRV

;; ANSWER SECTION:
_ldap._tcp.server0.example.com. 86400 IN SRV   0 100 389 server0.example.com.

Received 154 bytes from 172.25.254.254#53 in 0 ms

Hosts and resource records
A typical host, whether a client or a server, will have the following records:

• One or more A and/or AAAA records mapping its host name to its IP addresses

• A PTR record for each of its IP addresses, reverse mapping them to its host name

• Optionally, one or more CNAME records mapping alternate names to its canonical host name

A DNS zone will typically have, in addition to the records for the hosts in the zone:

• Exactly one SOA record to specify how the zone works

• An NS record for each of its authoritative name servers

• One or more MX records mapping the domain name to the mail exchange which receives email for addresses ending in the domain name

• Optionally, one or more TXT records for functions such as SPF or Google Site Verification

• Optionally, one or more SRV records to locate services in the domain
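The record rules from this section (PTR names built from reversed octets or nibbles under in-addr.arpa and ip6.arpa, CNAME chains that must end in A/AAAA records and must not loop, NS and MX records that must not point at a CNAME, and a PTR for each A/AAAA) can be checked mechanically. The following Python is an added example, not course material: the zone contents are constructed sample data and the function names (reverse_pointer_name, resolve_cname_chain, check_zone) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample zone contents as (owner, type, rdata) tuples; every name is
# absolute (trailing dot). The last four entries are deliberate defects so that
# the checks below have something to report.
SAMPLE_RECORDS = [
    ("example.com.", "SOA", "classroom.example.com. root.classroom.example.com. "
                            "2013091600 3600 300 604800 60"),
    ("example.com.", "NS", "classroom.example.com."),
    ("example.com.", "MX", "10 classroom.example.com."),
    ("classroom.example.com.", "A", "172.25.254.254"),
    ("server0.example.com.", "A", "172.25.0.11"),
    ("ipa-ca.server0.example.com.", "CNAME", "server0.example.com."),
    ("a.root-servers.net.", "AAAA", "2001:503:ba3e::2:30"),
    ("254.254.25.172.in-addr.arpa.", "PTR", "classroom.example.com."),
    ("11.0.25.172.in-addr.arpa.", "PTR", "server0.example.com."),
    ("0.3.0.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.e.3.a.b.3.0.5.0.1.0.0.2.ip6.arpa.",
     "PTR", "a.root-servers.net."),
    ("mail.example.com.", "CNAME", "classroom.example.com."),
    ("example.com.", "MX", "20 mail.example.com."),           # MX pointed at a CNAME
    ("loop-a.example.com.", "CNAME", "loop-b.example.com."),
    ("loop-b.example.com.", "CNAME", "loop-a.example.com."),  # CNAME loop
]


def reverse_pointer_name(address):
    """Owner name of the PTR record for an IPv4 or IPv6 address (absolute form)."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        # IPv4: octets reversed, most specific first, under in-addr.arpa.
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    # IPv6: all 32 hex digits of the expanded address, one label per nibble,
    # reversed, under ip6.arpa.
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def records_for(records, owner, rtype):
    """All rdata values of the given type owned by owner."""
    return [rdata for o, t, rdata in records if o == owner and t == rtype]


def resolve_cname_chain(records, name, limit=8):
    """Follow CNAMEs starting at name. Returns (final_name, names_passed_through).
    Raises ValueError when the chain loops back on itself or exceeds limit."""
    chain = []
    while True:
        targets = records_for(records, name, "CNAME")
        if not targets:
            return name, chain
        if name in chain or len(chain) >= limit:
            raise ValueError("CNAME loop or chain too long at %s" % name)
        chain.append(name)
        name = targets[0]


def check_zone(records):
    """Return a list of human-readable problems found in the record set."""
    problems = []
    for owner, rtype, rdata in records:
        if rtype == "CNAME":
            try:
                final, chain = resolve_cname_chain(records, owner)
            except ValueError as exc:
                problems.append(str(exc))
                continue
            if len(chain) > 1:
                problems.append("CNAME chain from %s passes through another CNAME" % owner)
            if not (records_for(records, final, "A") or records_for(records, final, "AAAA")):
                problems.append("CNAME chain from %s does not end in A/AAAA" % owner)
        elif rtype in ("NS", "MX"):
            # NS data is a host name; MX data is "<preference> <host name>".
            target = rdata.split()[-1]
            if records_for(records, target, "CNAME"):
                problems.append("%s record for %s points at CNAME %s" % (rtype, owner, target))
        elif rtype in ("A", "AAAA"):
            ptr_owner = reverse_pointer_name(rdata)
            if owner not in records_for(records, ptr_owner, "PTR"):
                problems.append("no PTR %s -> %s for %s %s" % (ptr_owner, owner, rtype, owner))
    return problems


if __name__ == "__main__":
    for problem in check_zone(SAMPLE_RECORDS):
        print(problem)
```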

References
host(1) and dig(1) man pages

RFC 1034: Domain names - concepts and facilities
http://tools.ietf.org/html/rfc1034

RFC 1035: Domain names - implementation and specification
http://tools.ietf.org/html/rfc1035

RFC 2181: Clarifications to the DNS Specification
http://tools.ietf.org/html/rfc2181

Practice: DNS Resource Record

Quiz

Match the following resource record types to the descriptions listed in the table.

Purpose                                                                                  Resource record type

Contains authoritative information for a zone, such as the email contact and several values that configure interactions between slave and master DNS servers.   ________

Maps host names to IPv4 addresses.   ________

Identifies the authoritative nameservers for a zone.   ________

Used to publish location of network services for a domain.   ________

Identifies the mail exchanges responsible for accepting emails for a domain.   ________

Maps host names to IPv6 addresses.   ________

Enables reverse DNS lookups of IP addresses to host names.   ________

Aliases a name to a canonical name.   ________

Used to publish arbitrary human-readable text. Commonly used for SPF, DKIM, and DMARC.   ________
Solution

Match the following resource record types to the descriptions listed in the table.

Purpose                                                                                  Resource record type

Contains authoritative information for a zone, such as the email contact and several values that configure interactions between slave and master DNS servers.   SOA

Maps host names to IPv4 addresses.   A

Identifies the authoritative nameservers for a zone.   NS

Used to publish location of network services for a domain.   SRV

Identifies the mail exchanges responsible for accepting emails for a domain.   MX

Maps host names to IPv6 addresses.   AAAA

Enables reverse DNS lookups of IP addresses to host names.   PTR

Aliases a name to a canonical name.   CNAME

Used to publish arbitrary human-readable text. Commonly used for SPF, DKIM, and DMARC.   TXT
Configuring a Caching Nameserver

Objectives
After completing this section, students should be able to configure a secure, caching nameserver using the unbound DNS server.

Caching nameservers and DNSSEC

Caching nameserver
Caching nameservers store DNS query results in a local cache and remove resource records from the cache when their TTLs expire. It is common to set up caching nameservers to perform queries on behalf of clients on the local network. This greatly improves the efficiency of DNS name resolution by reducing DNS traffic across the Internet. As the cache grows, DNS performance improves as the caching nameserver answers more and more client queries from its local cache.

DNSSEC validation
Given the stateless nature of UDP, DNS transactions are prone to spoofing and tampering. Caching nameservers have historically been favored targets of attackers looking to redirect or hijack network traffic. This is often achieved by exploiting vulnerabilities in DNS server software to fool a DNS server into accepting and populating malicious data into its cache, a technique commonly referred to as cache poisoning. Once the attacker succeeds in poisoning a DNS server's cache, they effectively compromise the DNS data received by the numerous clients utilizing the caching name service on the DNS server and can consequently redirect or hijack the clients' network traffic.

While a caching nameserver can greatly improve DNS performance on the local network, it can also provide improved security by performing Domain Name System Security Extensions (DNSSEC) validation. DNSSEC validation enabled at the caching nameserver allows the authenticity and integrity of resource records to be validated prior to being placed in the cache for use by clients, and therefore protects clients against the consequences of cache poisoning.

Configuring and administering unbound as a caching nameserver
Several packages are available for configuring a caching nameserver, including bind, dnsmasq, and unbound. In this example, please follow along while the instructor demonstrates the configuration and administration of unbound as a secure, caching nameserver with DNSSEC validation enabled.

Configuring unbound
To configure unbound as a secure, caching nameserver:

1. Install unbound.

   As root, install the unbound package.

   [root@serverX ~]# yum install -y unbound

2. Start and enable unbound.service.

   [root@serverX ~]# systemctl start unbound.service
   [root@serverX ~]# systemctl enable unbound.service
   ln -s '/usr/lib/systemd/system/unbound.service' '/etc/systemd/system/multi-user.target.wants/unbound.service'

3. Configure the network interface to listen on.

   By default, unbound only listens on the localhost network interface. To make unbound available to remote clients as a caching nameserver, use the interface option in the server clause of /etc/unbound/unbound.conf to specify the network interface(s) to listen on. A value of 0.0.0.0 will configure unbound to listen on all network interfaces:

   interface: 0.0.0.0

4. Configure client access.

   By default, unbound refuses recursive queries from all clients. In the server clause of /etc/unbound/unbound.conf, use the access-control option to specify which clients are allowed to make recursive queries.

   access-control: 172.25.0.0/24 allow

5. Configure forwarding.

   In /etc/unbound/unbound.conf, create a forward-zone clause to specify which DNS server(s) to forward queries to. DNS servers can be specified by host name using the forward-host option, or by IP address using the forward-addr option. For a caching nameserver, forward all queries by specifying a forward-zone of ".".

   forward-zone:
       name: "."
       forward-addr: 172.25.254.254

6. If desired, bypass DNSSEC validation for select unsigned zones.

   By default, unbound is enabled to perform DNSSEC validation to verify all DNS responses received. The domain-insecure option in the server clause of /etc/unbound/unbound.conf can be used to specify a domain for which DNSSEC validation should be skipped. This is often desirable when dealing with an unsigned internal domain that would otherwise fail trust chain validation.

   domain-insecure: example.com

7. If desired, install trust anchors for select signed zones without complete chain of trust.

   Since not all ccTLDs have completed implementation of DNSSEC, the subdomains of these ccTLDs can be DNSSEC-signed but still have a broken chain of trust. This problem can be overcome by using the trust-anchor option in the server clause of /etc/unbound/unbound.conf to specify a trust anchor for the zone. Obtain the DNSKEY record for the key signing key (KSK) of the zone using dig and input it as the value for the trust-anchor option.

   [student@serverX ~]$ dig +dnssec DNSKEY example.com

   trust-anchor: "example.com. 3600 IN DNSKEY 257 3 8 AwEAAawt7HplI5M8GGAsxuyCyjF01+QlcgVN11CRZ4vP66qbDCX0BnShZ11BGb//4zSG/8mmBHirL2FLg+mVuIIxig+iroZYjh4iTKVOhv2hZftRwyrQHK++qXvCCWN3ki51RG/e8R4kOEV71rZ80gQvPWx6F91qroqOPpcf7PPxippeHOn+PxnP0hpyLyo1mx1rPs/cMpL3jOMufGP+LJYh+fBU7lt0sP5i09HaJPruzyZML9BPtpv8ZAdQhwtXVG0+MnET2qT/1+TljpxZn6yeegFRCFRHBjMo6iiRJnUWra/klkrgEn2Q+BXGTOMTTKQdYz40xYEa1z7apu3a09dYNBM="

8. Save changes to /etc/unbound/unbound.conf.

9. Check the /etc/unbound/unbound.conf configuration file for syntax errors.

   [root@serverX ~]# unbound-checkconf
   unbound-checkconf: no errors in /etc/unbound/unbound.conf

10. Restart unbound.service.

   [root@serverX ~]# systemctl restart unbound.service

11. Configure the firewall to allow DNS traffic.

   [root@serverX ~]# firewall-cmd --permanent --add-service=dns
   success
   [root@serverX ~]# firewall-cmd --reload
   success

Dumping and loading unbound cache
Administrators of caching nameservers need to dump out cache data when troubleshooting DNS issues, such as those resulting from stale resource records. With an unbound DNS server, the cache can be dumped by running the unbound-control utility in conjunction with the dump_cache subcommand.

[root@serverX ~]# unbound-control dump_cache
START_RRSET_CACHE
;rrset 86395 1 0 3 3
classroom.example.com.  86395   IN      A       172.25.254.254
;rrset 86395 1 0 7 3
example.com.    86395   IN      NS      classroom.example.com.
;rrset 86395 1 0 8 3
example.com.    86395   IN      A       172.25.254.254
END_RRSET_CACHE
START_MSG_CACHE
msg example.com. IN A 33152 1 86395 3 1 1 1
example.com. IN A 0
example.com. IN NS 0
classroom.example.com. IN A 0
END_MSG_CACHE
EOF

Executing unbound-control with the dump_cache command dumps out the cache to stdout in a text format. This output can be directed to a file for storage and be loaded back into cache later with unbound-control load_cache, if desired. unbound-control load_cache reads from stdin to populate the cache.

[root@serverX ~]# unbound-control load_cache < dump.out
ok

Flushing unbound cache
Administrators of caching nameservers also need to purge outdated resource records from
cache from time to time. Erroneous and outdated resource records in cache will keep their
newly corrected counterparts from becoming available to clients until the TTLs on the outdated
resource records expire. Rather than waiting for TTL expiration, administrators can forcibly purge
the outdated records from cache by executing unbound-control with the flush subcommand.

[root@serverX ~]# unbound-control flush www.example.com
ok

If all resource records belonging to a domain need to be purged from the cache of an unbound
DNS server, unbound-control can be executed with the flush_zone subcommand.

[root@serverX ~]# unbound-control flush_zone example.com
ok removed 3 rrsets, 1 messages and 8 key entries
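As an added worked example (not part of the course text or of unbound), the following Python script parses the text format that unbound-control dump_cache prints, shown above and again in step 7 of the practice exercise, and previews what flush and flush_zone would remove before an administrator runs them. SAMPLE_DUMP is a constructed copy of the dump above; the header field meanings in the comments follow unbound's dump format. The flush preview is an approximation: it counts every rrset at the name, whereas unbound-control(8) lists the specific record types flush removes, and key entries (the "8 key entries" in the output above) do not appear in the dump, so they cannot be previewed.

```python
"""Parse `unbound-control dump_cache` output and preview what flush / flush_zone remove.

Added example for this chapter, not code from the course or from unbound itself.
SAMPLE_DUMP is constructed to mirror the dump shown in the text."""

# Constructed sample: the same records as the dump shown above (classroom lab addresses).
SAMPLE_DUMP = """\
START_RRSET_CACHE
;rrset 86395 1 0 3 3
classroom.example.com. 86395 IN A 172.25.254.254
;rrset 86395 1 0 7 3
example.com. 86395 IN NS classroom.example.com.
;rrset 86395 1 0 8 3
example.com. 86395 IN A 172.25.254.254
END_RRSET_CACHE
START_MSG_CACHE
msg example.com. IN A 33152 1 86395 3 1 1 1
example.com. IN A 0
example.com. IN NS 0
classroom.example.com. IN A 0
END_MSG_CACHE
EOF
"""


def canon(name):
    """Lower-case, absolute (trailing dot) form so 'Example.COM' and 'example.com.' match."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_dump(text):
    """Return (rrsets, msgs) from dump_cache text.

    rrset: {"ttl", "trust", "security", "records": [(owner, ttl, class, type, rdata)]}
    msg:   {"qname", "qclass", "qtype", "ttl", "refs": [(owner, class, type)]}
    Header field order follows unbound's dump format:
      ;rrset <ttl> <rr count> <rrsig count> <trust> <security>
      msg <qname> <class> <type> <flags> <qdcount> <ttl> <security> <an> <ns> <ar>"""
    rrsets, msgs, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("START_RRSET_CACHE", "START_MSG_CACHE"):
            section = line
        elif line in ("END_RRSET_CACHE", "END_MSG_CACHE", "EOF"):
            section = None
        elif section == "START_RRSET_CACHE":
            if line.startswith(";rrset"):
                # last five fields; an optional marker token may precede them
                ttl, _count, _rrsigs, trust, security = line.split()[-5:]
                rrsets.append({"ttl": int(ttl), "trust": int(trust),
                               "security": int(security), "records": []})
            else:
                owner, ttl, cls, rtype, rdata = line.split(None, 4)
                rrsets[-1]["records"].append((canon(owner), int(ttl), cls, rtype, rdata))
        elif section == "START_MSG_CACHE":
            f = line.split()
            if f[0] == "msg":
                msgs.append({"qname": canon(f[1]), "qclass": f[2], "qtype": f[3],
                             "ttl": int(f[6]), "refs": []})
            else:
                owner, cls, rtype = f[0], f[1], f[2]   # trailing field is a flags value
                msgs[-1]["refs"].append((canon(owner), cls, rtype))
    return rrsets, msgs


def in_zone(name, zone):
    """True when name is the zone apex or lies below it."""
    zone = canon(zone)
    return name == zone or name.endswith("." + zone)


def cached_rdata(text, owner, rtype):
    """Rdata values cached for owner/type, e.g. to compare with what the authority serves."""
    owner = canon(owner)
    rrsets, _ = parse_dump(text)
    return [r[4] for rs in rrsets for r in rs["records"] if r[0] == owner and r[3] == rtype]


def preview_flush(text, name):
    """Approximate what `unbound-control flush NAME` removes: (rrsets, messages)
    at that exact owner name."""
    name = canon(name)
    rrsets, msgs = parse_dump(text)
    n_rr = sum(1 for rs in rrsets if rs["records"] and rs["records"][0][0] == name)
    n_msg = sum(1 for m in msgs if m["qname"] == name)
    return n_rr, n_msg


def preview_flush_zone(text, zone):
    """What `unbound-control flush_zone ZONE` removes: everything at or below the apex."""
    rrsets, msgs = parse_dump(text)
    n_rr = sum(1 for rs in rrsets if rs["records"] and in_zone(rs["records"][0][0], zone))
    n_msg = sum(1 for m in msgs if in_zone(m["qname"], zone))
    return n_rr, n_msg


if __name__ == "__main__":
    rrsets, msgs = parse_dump(SAMPLE_DUMP)
    print(f"{len(rrsets)} rrsets, {len(msgs)} messages cached")
    print("classroom.example.com A ->", cached_rdata(SAMPLE_DUMP, "classroom.example.com", "A"))
    print("flush_zone example.com would remove (rrsets, msgs):",
          preview_flush_zone(SAMPLE_DUMP, "example.com"))
```

On the sample dump, preview_flush_zone returns (3, 1), the same rrset and message counts the flush_zone output above reports. Feed it a real dump (unbound-control dump_cache > dump.out) to see which stale records a flush would actually discard before touching the running cache.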

Updating Local Caching unbound Configuration with dnssec-trigger
In addition to providing caching name service for a local subnet, unbound can also be useful as
a local caching nameserver to provide secure DNS name resolution for local use on an individual
system. For a local caching nameserver setup, the nameserver entry in /etc/resolv.conf
will be configured to point to localhost where unbound is listening. The unbound configuration
will forward DNS requests to upstream nameservers and validate their responses.

For DHCP systems running local caching name service, the upstream nameservers specified
in unbound's configuration may become outdated if DNS servers provided by DHCP change.
The dnssec-trigger tool supplied by the package of the same name can be leveraged to
automatically update forwarder settings in unbound's configuration file to point to the new DNS
servers. The use of the dnssec-trigger tool in conjunction with unbound is mostly useful for
secure DNS name resolution on roaming client machines.

References
unbound(8), unbound-checkconf(8), unbound.conf(5), unbound-control(8),
dnssec-trigger(8) man pages
Practice: Configuring unbound as a Caching Nameserver

Guided exercise

In this lab, you will configure unbound as a caching nameserver and administer its cache data.

Resources:
Files: /etc/unbound/unbound.conf
Machines: • desktopX
          • serverX

Outcomes:
The unbound service enabled and configured as a caching nameserver on serverX to listen on
interface 172.25.X.11 and to accept connections from 172.25.X.0/24. Recursive queries are
forwarded to 172.25.254.254. The example.com zone is exempted from DNSSEC validation.

Before you begin...
• Reset the desktopX system.
• Reset the serverX system.
• Log into the desktopX system.
• Log into the serverX system and switch to root using sudo -i.

You have been asked to improve name resolution performance and enhance DNS security
in your company's datacenter. You have decided to deploy a caching nameserver using an
unbound DNS server. You will configure unbound to respond only to queries on the datacenter
subnet, 172.25.X.0/24. Recursive queries will be forwarded to the company's main internal
DNS server at 172.25.254.254. This main internal DNS server hosts an internal, split DNS
copy of the company's example.com zone. This example.com zone is not DNSSEC-signed,
so it will need to be exempted from DNSSEC validation on your caching nameserver. After
configuration of the caching nameserver is complete on serverX, you will test it by querying
for the hostnames desktopX.example.com and serverX.example.com from desktopX.
Verify that the queries made are populated into the nameserver's cache. Lastly, you will purge
serverX.example.com from the cache.

☐ 1. Install the unbound package on serverX.

[root@serverX ~]# yum install -y unbound

☐ 2. Enable and start the unbound service.

[root@serverX ~]# systemctl enable unbound.service
ln -s '/usr/lib/systemd/system/unbound.service' '/etc/systemd/system/multi-user.target.wants/unbound.service'
[root@serverX ~]# systemctl start unbound.service

☐ 3. Configure unbound to allow queries from the 172.25.X.0/24 subnet, exempt
the example.com zone from DNSSEC validation, and forward all queries to
172.25.254.254.

☐ 3.1. By default, unbound listens on the loopback interface. Configure unbound to
listen on the 172.25.X.11 interface on serverX by adding the following option in
the server clause of /etc/unbound/unbound.conf.

interface: 172.25.X.11

☐ 3.2. Allow queries from the 172.25.X.0/24 subnet by adding the following option in
the server clause of /etc/unbound/unbound.conf.

access-control: 172.25.X.0/24 allow

☐ 3.3. Exempt the example.com zone from DNSSEC validation by adding the following
option in the server clause of /etc/unbound/unbound.conf.

domain-insecure: "example.com"

☐ 3.4. Forward all queries to 172.25.254.254 by adding a forward-zone clause to
the end of the /etc/unbound/unbound.conf file.

forward-zone:
    name: "."
    forward-addr: 172.25.254.254

☐ 4. Check /etc/unbound/unbound.conf for syntax errors.

[root@serverX ~]# unbound-checkconf
unbound-checkconf: no errors in /etc/unbound/unbound.conf

☐ 5. Restart the unbound service.

[root@serverX ~]# systemctl restart unbound.service

☐ 6. Configure the firewall to allow DNS traffic.

[root@serverX ~]# firewall-cmd --permanent --add-service=dns
success
[root@serverX ~]# firewall-cmd --reload
success

☐ 7. Verify the caching name service by performing queries and examining the contents of
the cache.

☐ 7.1. Dump the cache to see its contents.

[root@serverX ~]# unbound-control dump_cache
START_RRSET_CACHE
END_RRSET_CACHE
START_MSG_CACHE
END_MSG_CACHE
EOF

☐ 7.2. From desktopX, query serverX for the A record of hostname
desktopX.example.com.

[student@desktopX ~]$ dig @serverX.example.com A desktopX.example.com

desktopX.example.com. 86349 IN A 172.25.X.10

☐ 7.3. From desktopX, query serverX for the A record of hostname
serverX.example.com.

[student@desktopX ~]$ dig @serverX.example.com A serverX.example.com

serverX.example.com. 86364 IN A 172.25.X.11

☐ 7.4. On serverX, dump out the cache again. You should see the queried records in
the cache.

[root@serverX ~]# unbound-control dump_cache
START_RRSET_CACHE
;rrset 85886 1 0 8 3
serverX.example.com. 85886 IN A 172.25.X.11
;rrset 85878 1 0 8 X
desktopX.example.com. 85878 IN A 172.25.X.10
;rrset 85878 1 0 7 3
example.com. 85878 IN NS classroom.example.com.
;rrset 85878 1 0 3 3
classroom.example.com. 85878 IN A 172.25.254.254
END_RRSET_CACHE
START_MSG_CACHE
msg desktopX.example.com. IN A 33152 1 85878 3 1 1 1
desktopX.example.com. IN A 0
example.com. IN NS 0
classroom.example.com. IN A 0
msg serverX.example.com. IN A 33152 1 85886 3 1 1 1
serverX.example.com. IN A 0
example.com. IN NS 0
classroom.example.com. IN A 0
END_MSG_CACHE
EOF

☐ 7.5. Purge the serverX.example.com record from the cache.

[root@serverX ~]# unbound-control flush serverX.example.com
ok

☐ 7.6. On serverX, dump out the cache again. You should no longer see the A record
for serverX.example.com in the cache.

[root@serverX ~]# unbound-control dump_cache
START_RRSET_CACHE
;rrset 85878 1 0 8 X
desktopX.example.com. 85878 IN A 172.25.X.10
;rrset 85878 1 0 7 3
example.com. 85878 IN NS classroom.example.com.
;rrset 85878 1 0 3 3
classroom.example.com. 85878 IN A 172.25.254.254
END_RRSET_CACHE
START_MSG_CACHE
msg desktopX.example.com. IN A 33152 1 85878 3 1 1 1
desktopX.example.com. IN A 0
example.com. IN NS 0
classroom.example.com. IN A 0
msg serverX.example.com. IN A 33152 1 85886 3 1 1 1
serverX.example.com. IN A 0
example.com. IN NS 0
classroom.example.com. IN A 0
END_MSG_CACHE
EOF