Lead Image © Amy Walters, 123RF.com
Hardening network services with DNS

Defenders

Article from ADMIN 66/2021
By
Beyond resolving names to IP addresses, the Domain Name System lets you protect the network communication of the servers in a domain. DNS offers further hardening of network protocols – in particular, SSH fingerprint (SSHFP) records and CAA records.

The Domain Name System (DNS) was specified way back in 1983, eliminating the need for a locally maintained HOSTS file with name resolution entries and thus contributing significantly to the success of the Internet. The decentralized approach to resolving domain names into IP addresses began, as with almost all protocols of the Internet, without a focus on security. A good 10 years later, work began on the DNS Security Extensions (DNSSEC), which today allow the operation of a reliable and cryptographically secure DNS infrastructure.

In addition to secure name resolution, DNS has established itself as a universal protocol for hardening network protocols. The best known application is probably secure email communication with Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and a combination of the two in the form of Domain-based Message Authentication, Reporting, and Conformance (DMARC).

Checking SSH Fingerprints

The first time you establish an SSH connection, you are asked to view and verify the server's host key fingerprint. Although a reliable check is required for security reasons, the displayed fingerprints are often accepted without a second thought. As a security-aware administrator, you can reliably remedy this situation with SSH fingerprint (SSHFP) records, which publish the host key fingerprints in DNS. To create the required DNS entries for your server, run the command

ssh-keygen -r <hostname>

to output the records. The two digits before the fingerprint encode the public key algorithm and the hash method used [1]. In the first position, the digits 1 to 4 stand for (in ascending order) RSA, DSA, ECDSA, and Ed25519. No algorithm has been assigned to 5 yet, and 6 stands for Ed448. The values 1 and 2 in the second position stand for the SHA-1 and SHA-256 hash methods.
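The following script is an added example, not code from the article: it rebuilds the record lines that `ssh-keygen -r <hostname>` prints from an OpenSSH public key (the fingerprint is the hash of the raw key blob, and the two leading numbers come from the algorithm and hash assignments listed above), and it checks a record text against a host key the way a resolver-side verification would. The Ed25519 sample key is constructed (32 bytes 0x00..0x1f in valid wire encoding) and is not a real key; the hostname `host.example.` is a placeholder.

```python
"""Build and verify SSHFP records from OpenSSH public keys (added example)."""
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers for the key types named in the text (IANA SSHFP registry).
# Number 5 is unassigned, so it is deliberately absent here.
KEY_TYPE_TO_ALGO = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
    "ssh-ed448": 6,
}
ALGO_NAMES = {1: "RSA", 2: "DSA", 3: "ECDSA", 4: "Ed25519", 6: "Ed448"}
HASH_FUNCS = {1: hashlib.sha1, 2: hashlib.sha256}


def key_blob(pubkey_line):
    """Return (key type, raw wire-format blob) from an authorized_keys-style line."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1])
    # The blob begins with a length-prefixed key type string; it must match field 1.
    (n,) = struct.unpack(">I", blob[:4])
    wire_type = blob[4:4 + n].decode()
    if wire_type != parts[0]:
        raise ValueError(f"key type mismatch: {parts[0]} vs {wire_type}")
    return wire_type, blob


def fingerprint(pubkey_line, hash_type=2):
    """Hex digest of the raw key blob, which is what an SSHFP record stores."""
    _, blob = key_blob(pubkey_line)
    return HASH_FUNCS[hash_type](blob).hexdigest()


def sshfp_record(hostname, pubkey_line, hash_type=2):
    """Render one record line in the layout ssh-keygen -r uses."""
    key_type, _ = key_blob(pubkey_line)
    algo = KEY_TYPE_TO_ALGO[key_type]
    return f"{hostname} IN SSHFP {algo} {hash_type} {fingerprint(pubkey_line, hash_type)}"


def parse_sshfp(record_line):
    """Return (algorithm, hash type, lowercase hex fingerprint) from a record line."""
    fields = record_line.split()
    if "SSHFP" not in fields:
        raise ValueError("not an SSHFP record")
    i = fields.index("SSHFP")
    algo, hash_type = int(fields[i + 1]), int(fields[i + 2])
    fp = "".join(fields[i + 3:]).lower()  # zone files may split long fingerprints
    if algo not in ALGO_NAMES or hash_type not in HASH_FUNCS:
        raise ValueError(f"unknown algorithm {algo} or hash type {hash_type}")
    return algo, hash_type, fp


def matches(record_line, pubkey_line):
    """True if the DNS record vouches for this host key (constant-time compare)."""
    algo, hash_type, fp = parse_sshfp(record_line)
    key_type, _ = key_blob(pubkey_line)
    if KEY_TYPE_TO_ALGO.get(key_type) != algo:
        return False
    return hmac.compare_digest(fp, fingerprint(pubkey_line, hash_type))


# Constructed sample key: a syntactically valid Ed25519 public key whose 32 key
# bytes are 0x00..0x1f. It is not a real key and is used only for demonstration.
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " sample@example"

if __name__ == "__main__":
    # Prints the same two lines (SHA-1 and SHA-256) ssh-keygen -r would for this key.
    for h in (1, 2):
        print(sshfp_record("host.example.", SAMPLE_KEY, h))
```

Running the script prints one record with hash type 1 and one with hash type 2 for the sample key; pointing `key_blob` at a real `/etc/ssh/ssh_host_*_key.pub` file yields the records to publish. The `matches` function refuses a record whose algorithm number does not fit the key type, so a SHA-256 fingerprint filed under the wrong algorithm is not accepted by accident.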

Since version 6.6, OpenSSH has let users query fingerprints when

...