SECSTACK
SECSTACK

GNU/Linux ve Siber Güvenlik üzerine dökümanlar.

SECSTACK
Author

Share

Tags

.gz text aramak arkime arkime kurulumu bitwarden bitwarden kurulum bitwarden ubuntu canonical livepatch canonical livepatch yapılandırma centos grub rescue centos nfs yapılandırma centos samba yapılandırma chronograf chrony chrony ntp chrony ntp server chrony ntp server kurulumu chrony nts chrony nts yapılandırma dns over tls dns server kurulumu dnssec ed25519 ed25519 openssh ed25519 ssh full packet capture grafana grafana ile prometheus izleme grub rescue grub troubleshooting grub yeniden kurulumu influxdb iptables nftables geçişi iptables nftables kural geçişi irc server kapacitor kernelcare uchecker knot resolver knot resolver dns kurulumu knot resolver kurulumu linux nts server kurulum lvm lvm disk genişletme lvm genişletme lvm ikincil disk genişletme lvm ikincil genişletme lvm var olan disk genişletme lvm var olan genişletme moloch moloch kurulumu network time security nfs nfs yapılandırma nftables ngircd ngircd server ngircd ubuntu ntp server kurulumu nts nts server kurulum openvpn openvpn hardening ossec ossec hids ossec kurulumu outdated shared libraries prometheus restic restic kullanımı rsync rsync dosya transfer rsync kullanımı rsyslog rsyslog log yönlendirme rsyslog uygulama log yönlendirme samba samba yapılandırma scp scp dosya transfer scp kullanımı selks selks kurulumu setperms setugids sftp sftp kullanımı smbclient smbclient kullanımı ssh anahtar oluşturma ssh key oluşturma sshfs sshfs kullanımı sshfs nasıl kullanılır sshuttle stubby stubby kurulumu stubby yapılandırması suricata suricata kurulumu systemd systemd service hardening systemd-resolved systemd-resolved dns over tls systemd-resolved dnssec telegraf tick stack tick stack kurulumu ubuntu nfs yapılandırma ubuntu samba yapılandırma uchecker unbound unbound dns unbound dns kurulumu unbound forwarding dns vpn over ssh vuls vuls vulnerability scanner vuls vulnerability scanner kurulumu zcat zgrep zmore

Copyright © SECSTACK 2021 All rights reserved.

Published with Ghost.

systemd-resolved ile DNSSEC ve DNS-over-TLS

systemd-resolved, ağ adı çözümlemesi sağlayan bir systemd hizmetidir. systemd kullanan dağıtımlarla birlikte gelir ve yüksek ihtimal aktif olarak çalışmaktadır. systemd, başlangıçta PID 1 olarak çalışan ve sistemin geri kalanını başlatan bir sistem ve servis yöneticisidir. Seveni olduğu kadar sevmeyeni çoktur. systemd-resolved tarafında DNSSEC ve DNS-over-TLS aktif edilmesini anlatacağım. Anlatım Ubuntu Server 20.04.1 LTS üzerinde yapılmaktadır.

Yapılandırma

Netplan tarafında ağ arayüzü için tanımlı DNS adresini 127.0.0.53 olarak değiştiriyoruz.

# vim /etc/netplan/00-installer-config.yaml

Netplan konfigürasyon dosyasını açıyoruz.

network:
  ethernets:
    ens32:
      addresses:
      - 192.168.1.3/24
      gateway4: 192.168.1.1
      nameservers:
        addresses:
        - 127.0.0.53
  version: 2

Yaptığımız değişikliği uyguluyoruz.

# netplan apply

systemd-resolved konfigürasyonuna geçebiliriz.

# vim /etc/systemd/resolved.conf

Aşağıdaki şekilde düzenliyoruz.

[Resolve]
DNS=1.1.1.1
#FallbackDNS=
#Domains=
#LLMNR=no
#MulticastDNS=no
DNSSEC=yes
DNSOverTLS=yes
#Cache=no-negative
#DNSStubListener=yes
#ReadEtcHosts=yes

Ardından systemd-resolved yeniden başlatabiliriz.

# systemctl restart systemd-resolved

DNSSEC doğrulamasının aktif olup olmadığını kontrol ediyoruz.

# resolvectl statistics 
DNSSEC supported by current servers: yes

Transactions             
Current Transactions: 0  
  Total Transactions: 138
                         
Cache                    
  Current Cache Size: 31 
          Cache Hits: 26 
        Cache Misses: 112
                         
DNSSEC Verdicts          
              Secure: 63 
            Insecure: 78 
               Bogus: 0  
       Indeterminate: 0

DNS over TLS trafiğini tshark ile kontrol ediyoruz.

# tshark dst port 853
Running as user "root" and group "root". This could be dangerous.
Capturing on 'ens32'
    1 0.000000000  192.168.1.3 → 1.1.1.1      TCP 78 35958 → 853 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=2081448733 TSecr=0 WS=128 TFO=R
    2 0.000203340  192.168.1.3 → 1.1.1.1      TCP 78 35960 → 853 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=2081448733 TSecr=0 WS=128 TFO=R
    3 0.007289875  192.168.1.3 → 1.1.1.1      TCP 54 35958 → 853 [ACK] Seq=1 Ack=1 Win=64256 Len=0
    4 0.007346121  192.168.1.3 → 1.1.1.1      TLSv1.2 391 Client Hello
    5 0.007612579  192.168.1.3 → 1.1.1.1      TCP 54 35960 → 853 [ACK] Seq=1 Ack=1 Win=64256 Len=0
    6 0.007666299  192.168.1.3 → 1.1.1.1      TLSv1.2 391 Client Hello
    7 0.015554475  192.168.1.3 → 1.1.1.1      TCP 54 35958 → 853 [ACK] Seq=338 Ack=1441 Win=64128 Len=0
    8 0.015775418  192.168.1.3 → 1.1.1.1      TLSv1.2 60 Change Cipher Spec
    9 0.015933904  192.168.1.3 → 1.1.1.1      TCP 54 35958 → 853 [ACK] Seq=344 Ack=2705 Win=64128 Len=0
   10 0.016398082  192.168.1.3 → 1.1.1.1      TCP 54 35960 → 853 [ACK] Seq=338 Ack=1441 Win=64128 Len=0
   11 0.016585253  192.168.1.3 → 1.1.1.1      TCP 54 35960 → 853 [ACK] Seq=338 Ack=2705 Win=63488 Len=0
   12 0.017058097  192.168.1.3 → 1.1.1.1      TLSv1.2 128 Application Data
   13 0.017150420  192.168.1.3 → 1.1.1.1      TLSv1.2 78 Application Data
   14 0.017189443  192.168.1.3 → 1.1.1.1      TLSv1.2 140 Application Data
   15 0.017307885  192.168.1.3 → 1.1.1.1      TLSv1.2 60 Change Cipher Spec
   16 0.018214170  192.168.1.3 → 1.1.1.1      TLSv1.2 128 Application Data
   17 0.018314397  192.168.1.3 → 1.1.1.1      TLSv1.2 78 Application Data
   18 0.018351016  192.168.1.3 → 1.1.1.1      TLSv1.2 140 Application Data
   19 0.018383867  192.168.1.3 → 1.1.1.1      TLSv1.2 78 Application Data
   20 0.018418863  192.168.1.3 → 1.1.1.1      TLSv1.2 140 Application Data
   21 0.018458998  192.168.1.3 → 1.1.1.1      TLSv1.2 78 Application Data
   22 0.018493783  192.168.1.3 → 1.1.1.1      TLSv1.2 140 Application Data
   23 0.029401235  192.168.1.3 → 1.1.1.1      TCP 54 35958 → 853 [ACK] Seq=638 Ack=3647 Win=64128 Len=0
   24 0.029565372  192.168.1.3 → 1.1.1.1      TLSv1.2 78 Application Data
   25 0.029610326  192.168.1.3 → 1.1.1.1      TCP 54 35960 → 853 [ACK] Seq=638 Ack=3647 Win=64128 Len=0
   26 0.029636465  192.168.1.3 → 1.1.1.1      TLSv1.2 140 Application Data
   27 0.029724670  192.168.1.3 → 1.1.1.1      TLSv1.2 78 Application Data
   28 0.029777780  192.168.1.3 → 1.1.1.1      TLSv1.2 140 Application Data
   29 0.029802496  192.168.1.3 → 1.1.1.1      TCP 54 35958 → 853 [ACK] Seq=748 Ack=4139 Win=64128 Len=0
   30 0.030026965  192.168.1.3 → 1.1.1.1      TCP 54 35960 → 853 [ACK] Seq=748 Ack=4139 Win=64128 Len=0
   31 0.037532885  192.168.1.3 → 1.1.1.1      TCP 54 35958 → 853 [ACK] Seq=748 Ack=4631 Win=64128 Len=0
   32 0.037704276  192.168.1.3 → 1.1.1.1      TLSv1.2 78 Application Data
   33 0.037768456  192.168.1.3 → 1.1.1.1      TLSv1.2 140 Application Data
   34 0.037794134  192.168.1.3 → 1.1.1.1      TCP 54 35960 → 853 [ACK] Seq=748 Ack=4631 Win=64128 Len=0
   35 0.037880506  192.168.1.3 → 1.1.1.1      TLSv1.2 78 Application Data
   36 0.037927634  192.168.1.3 → 1.1.1.1      TLSv1.2 140 Application Data
   37 0.097373921  192.168.1.3 → 1.1.1.1      TLSv1.2 78 Application Data
   38 0.097432711  192.168.1.3 → 1.1.1.1      TLSv1.2 131 Application Data
   39 0.097689551  192.168.1.3 → 1.1.1.1      TLSv1.2 78 Application Data
   40 0.097739004  192.168.1.3 → 1.1.1.1      TLSv1.2 131 Application Data
   41 0.104993653  192.168.1.3 → 1.1.1.1      TLSv1.2 78 Application Data
   42 0.105051842  192.168.1.3 → 1.1.1.1      TLSv1.2 131 Application Data
   43 0.105233632  192.168.1.3 → 1.1.1.1      TLSv1.2 78 Application Data
   44 0.105285218  192.168.1.3 → 1.1.1.1      TLSv1.2 131 Application Data
   45 0.112568441  192.168.1.3 → 1.1.1.1      TLSv1.2 78 Application Data
   46 0.112626840  192.168.1.3 → 1.1.1.1      TLSv1.2 127 Application Data
   47 0.112996101  192.168.1.3 → 1.1.1.1      TLSv1.2 78 Application Data
   48 0.113055111  192.168.1.3 → 1.1.1.1      TLSv1.2 127 Application Data
   49 0.164631035  192.168.1.3 → 1.1.1.1      TCP 54 35960 → 853 [ACK] Seq=1157 Ack=8003 Win=64128 Len=0
   50 0.168529697  192.168.1.3 → 1.1.1.1      TCP 54 35958 → 853 [ACK] Seq=1157 Ack=8003 Win=64128 Len=0
   51 10.120289463  192.168.1.3 → 1.1.1.1      TCP 54 35960 → 853 [ACK] Seq=1157 Ack=8027 Win=64128 Len=0
   52 10.120534121  192.168.1.3 → 1.1.1.1      TCP 54 35960 → 853 [FIN, ACK] Seq=1157 Ack=8028 Win=64128 Len=0
   53 10.121801561  192.168.1.3 → 1.1.1.1      TCP 54 35958 → 853 [ACK] Seq=1157 Ack=8027 Win=64128 Len=0
   54 10.121848049  192.168.1.3 → 1.1.1.1      TCP 54 35958 → 853 [FIN, ACK] Seq=1157 Ack=8027 Win=64128 Len=0
   55 10.122203103  192.168.1.3 → 1.1.1.1      TCP 54 35958 → 853 [ACK] Seq=1158 Ack=8028 Win=64128 Len=0
systemd-resolved dnssec dns over tls systemd-resolved dnssec systemd-resolved dns over tls
systemd-resolved
Author

SECSTACK

View Comments