DNS Security Extensions - Implementing DNS

One issue you must always keep in view is keeping your DNS safe. DNS is, at bottom, a database that maps computer names to IP addresses: an attacker who controls the answers your clients receive can steer every connection in your company wherever they choose. In organizations that do not deploy additional protections such as IPsec, securing DNS matters even more. This is where Domain Name System Security Extensions (DNSSEC) can help.

Windows Server 2022 supports DNSSEC, a suite of extensions that adds security to DNS; Windows DNS Server first supported it in Windows Server 2008 R2. DNSSEC lets a DNS server validate DNS responses: each resource record set in a signed zone is accompanied by a digital signature, so a validating resolver can prove that the data came from the zone owner and was not altered in transit. Note what DNSSEC does not do: the signatures provide origin authentication and integrity, not confidentiality, so queries and answers still travel in the clear.

Signatures are produced by a procedure called zone signing, which is carried out on the authoritative server before any client asks: the zone's private key is used to generate an RRSIG record for every resource record set, and the matching public key is published in a DNSKEY record. Validation begins when a DNS resolver queries for a record in the signed zone. The response carries the RRSIG alongside the record, and the resolver checks the signature against the zone's DNSKEY, which it in turn trusts through a chain of DS records from the parent zone or a configured trust anchor. If the check succeeds, the resolver knows the data has not been modified or tampered with in any way; if it fails, a validating resolver discards the answer and returns SERVFAIL rather than handing back forged data.

Once a zone is signed, every resource record set in it (all records of one type at one name, for example the A records for www) is signed individually. Because the signatures cover individual RRsets rather than the zone as a whole, you can add, modify, or delete records without re-signing the entire zone: only the affected RRsets need new signatures, and Windows DNS Server generates them automatically when the zone is set up for dynamic re-signing. Remember that every RRSIG carries an expiry time, so a signed zone must be re-signed periodically even if none of its records change.

DNS-Based Authentication of Named Entities

Another RFC that deals with DNS security is RFC 6698, which defines DNS-Based Authentication of Named Entities (DANE). DANE publishes TLSA resource records in DNS that bind a TLS service (named by port, protocol and host, for example _443._tcp.www.contoso.com) to the certificate, public key or issuing CA that clients should expect when they connect. A client that checks the TLSA record rejects a certificate that does not match, even if it was issued by a CA the client would otherwise trust, which defeats an on-path attacker who has obtained a fraudulently issued certificate for your name and is redirecting clients to a site of their own. DANE depends on DNSSEC: the TLSA record is only as trustworthy as the answer that carries it, so the zone must be signed and the client must validate, otherwise the same attacker could simply forge the TLSA answer. TLSA records are supported by the DNS server in Windows Server 2022.
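The following is an added example, not code from the original page or from Microsoft. It publishes a DANE-EE (usage 3) TLSA record for a web server from the DNS server's PowerShell session. Assumptions: the zone contoso.com is already DNSSEC-signed on this server, the web server's certificate is installed in the local machine store with the subject CN=www.contoso.com, and the names contoso.com and www are placeholders for your own.

```powershell
# Added example; not part of the original page. Assumed: zone contoso.com is already
# signed on this server, and the server certificate for www.contoso.com is in the
# LocalMachine\My store. Needs the DnsServer module.

# Find the newest certificate issued for the site.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=www.contoso.com' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No certificate for www.contoso.com in LocalMachine\My' }

# Selector 0 = full certificate (DER bytes), matching type 1 = SHA-256,
# so the association data is SHA-256 over $cert.RawData, hex encoded.
$sha256  = [System.Security.Cryptography.SHA256]::Create()
$hashHex = ($sha256.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('x2') }) -join ''

# Owner name is _port._proto.host. Usage 3 (DomainIssuedCertificate, "DANE-EE")
# pins this exact certificate regardless of which CA issued it; a client that
# honours TLSA will refuse any other certificate for the name, even a "valid" one.
Add-DnsServerResourceRecord -TLSA -ZoneName 'contoso.com' -Name '_443._tcp.www' `
    -CertificateUsage DomainIssuedCertificate `
    -Selector FullCertificate `
    -MatchingType Sha256Hash `
    -CertificateAssociationData $hashHex

# In a signed zone with dynamic re-signing the new RRset gets its RRSIG
# automatically; confirm the record is present before rolling it out.
Get-DnsServerResourceRecord -ZoneName 'contoso.com' -Name '_443._tcp.www' |
    Format-List HostName, RecordType, RecordData
```

Because usage 3 pins one certificate, publish the TLSA record for the new certificate before you switch the web server to it and keep both records during the overlap, otherwise DANE-aware clients are locked out during a renewal.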

Trust Anchors

Trust anchors are an important part of the DNSSEC process because they let DNS servers validate DNSKEY resource records. A trust anchor is a preconfigured public key (a DNSKEY record) or a hash of one (a DS record) linked to a DNS zone; a validating server builds its chain of trust from the trust anchor down to the record being checked, so a server must have at least one trust anchor configured before it can validate anything. If you are running an Active Directory Integrated zone, trust anchors can be stored in the forest-wide directory partition of Active Directory Domain Services, and every DNS server that runs on a domain controller then receives a copy. On stand-alone DNS servers, trust anchors are stored in a file called TrustAnchors.dns.

On Windows Server 2022 you can view trust anchors in the DNS Manager console tree under the Trust Points container, or with Windows PowerShell or Dnscmd.exe. Windows PowerShell is the recommended command-line method. For example, the following command lists the trust anchors configured for the zone sec.contoso.com:

Get-DnsServerTrustAnchor -Name sec.contoso.com

DNSSEC Clients

Windows 7, Windows 8/8.1, Windows 10/11, Windows Server 2008 R2, Windows Server 2012/2012 R2, Windows Server 2016, Windows Server 2019 and Windows Server 2022 all ship a DNSSEC-aware DNS client: it receives the response to a DNS query, examines it, and checks whether the local DNS server has marked it as validated (the AD bit in the response header). The client itself is non-validating; it relies on the local DNS server to perform validation and report the result, which is why the hop between client and server should itself be trusted (the Name Resolution Policy Table can require IPsec for it). Through the Name Resolution Policy Table you can also require validation for a namespace: if the server does not report that validation succeeded, the DNS Client service returns no results for the query rather than an unverified answer.
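The following is an added example, not code from the original page or from Microsoft, that walks the whole chain described in the zone-signing, trust-anchor and client sections above: sign a zone on the authoritative server, install its key-signing key as a trust anchor on a separate validating resolver, prove that validated answers carry their RRSIG, and make a client fail closed when validation is missing. Assumed names: zone contoso.com on server DNS1, a validating resolver RESOLVER1 that is not a domain controller, and the export folder C:\dnssec; the DNSKEY record-data property names are taken from the DnsServerResourceRecordDnsKey class and should be confirmed on your server.

```powershell
# Added example; not part of the original page. Assumed names: zone contoso.com on
# authoritative server DNS1, a separate validating resolver RESOLVER1, and a domain
# member client. Needs the DnsServer module on both servers, DnsClient on the client.

# --- 1. Authoritative side (run on DNS1): sign the zone with the default settings.
#     -SignWithDefault generates a KSK and a ZSK (RSA/SHA-256), signs every RRset
#     and builds the NSEC3 chain; changed RRsets are re-signed automatically.
Invoke-DnsServerZoneSign -ZoneName 'contoso.com' -SignWithDefault -Force

# Check the zone's DNSSEC settings. DistributeTrustAnchor is the AD-integrated
# alternative to step 2: it pushes the anchor to every DC that runs DNS.
Get-DnsServerDnsSecZoneSetting -ZoneName 'contoso.com' |
    Select-Object DenialOfExistence, DistributeTrustAnchor, DnsKeyRecordSetTtl

# Every RRset now has an RRSIG; look at the ones covering the zone apex.
Get-DnsServerResourceRecord -ZoneName 'contoso.com' -Name '@' -RRType Rrsig |
    Format-Table HostName, RecordType, RecordData -AutoSize

# Export the public keys (keyset-contoso.com) and DS digests (dsset-contoso.com).
# The DS records go to the parent zone; the KSK is what a resolver pins directly
# when there is no signed parent to chain from.
Export-DnsServerDnsSecPublicKey -ZoneName 'contoso.com' -Path 'C:\dnssec' -DigestType Sha256 -Force

# Pick the KSK (flags 257) out of the DNSKEY RRset. Property names follow the
# DnsServerResourceRecordDnsKey class; run "Format-List RecordData" to confirm.
$ksk = Get-DnsServerResourceRecord -ZoneName 'contoso.com' -Name '@' -RRType DnsKey |
    Where-Object { $_.RecordData.KeyFlags -eq 257 } | Select-Object -First 1

# --- 2. Validating resolver (RESOLVER1): install the KSK as a trust anchor.
#     On a stand-alone server this lands in TrustAnchors.dns.
Add-DnsServerTrustAnchor -ComputerName 'RESOLVER1' -Name 'contoso.com' `
    -KeyProtocol Dnssec -CryptoAlgorithm RsaSha256 -Base64Data $ksk.RecordData.Base64Data
Get-DnsServerTrustAnchor -ComputerName 'RESOLVER1' -Name 'contoso.com'

# --- 3. Prove validation: query the resolver with the DO bit set. A validated
#     answer comes back together with its RRSIG; when a signature does not verify
#     the resolver answers SERVFAIL and Resolve-DnsName reports an error instead.
$answer = Resolve-DnsName -Name 'www.contoso.com' -Type A -Server 'RESOLVER1' -DnssecOk
$answer | Format-Table Name, Type, TTL, IPAddress -AutoSize
if (-not ($answer | Where-Object { $_.Type -eq 'RRSIG' })) {
    Write-Warning 'Answer carried no RRSIG: the zone or the resolver is not doing DNSSEC'
}

# --- 4. Client side: the DNS Client service is non-validating, so make it refuse
#     contoso.com answers that its server has not marked as validated. A spoofed
#     or downgraded unsigned answer then yields "no results" rather than a hijack.
Add-DnsClientNrptRule -Namespace '.contoso.com' -DnsSecEnable -DnsSecValidationRequired `
    -Comment 'Require DNSSEC-validated answers for contoso.com'
Get-DnsClientNrptRule | Where-Object { $_.Namespace -eq '.contoso.com' }
```

The useful check is the negative one: temporarily point RESOLVER1's trust anchor at a wrong key (or query a deliberately broken test zone) and confirm that step 3 now fails and the NRPT-protected client gets nothing back; a setup that only ever passes has not been shown to validate anything.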

DNS Devolution

With DNS devolution, a client computer that is a member of a child namespace can reach resources in the parent namespace without typing the fully qualified domain name. The resolver takes the computer's primary DNS suffix, appends it to the single-label, unqualified name, and, if that lookup fails, removes the leftmost label of the suffix and tries again, repeating until it reaches the parent suffix at which devolution is configured to stop (the devolution level). For example, a client whose primary suffix is west.corp.contoso.com that looks up fileserver will try fileserver.west.corp.contoso.com, then fileserver.corp.contoso.com, then fileserver.contoso.com.
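The following is an added example, not code from the original page or from Microsoft. It reproduces the list of candidate names the resolver generates for an unqualified name, so you can see exactly which parent namespaces a query will leak into before you turn devolution on. The function name, the sample suffix and the stopping rule it assumes (a devolved suffix must keep at least "devolution level" labels) are ours; confirm the rule against the Primary DNS Suffix Devolution Level policy in your environment.

```powershell
# Added example; not part of the original page. Models the names the DNS Client
# tries when devolution is on. Assumption (ours): devolution strips the leftmost
# label repeatedly and stops when the suffix would have fewer labels than the level.
function Get-DevolvedNames {
    param(
        [Parameter(Mandatory)][string]$Name,           # unqualified name, e.g. 'fileserver'
        [Parameter(Mandatory)][string]$PrimarySuffix,  # e.g. 'sales.west.corp.contoso.com'
        [int]$DevolutionLevel = 2                      # 2 => never devolve past contoso.com
    )
    # A name that already contains a dot is treated as qualified: no devolution.
    if ($Name.Contains('.')) { return @($Name.TrimEnd('.')) }

    $labels = @($PrimarySuffix.TrimEnd('.').Split('.'))
    $candidates = @()
    while ($labels.Count -ge $DevolutionLevel) {
        $candidates += ('{0}.{1}' -f $Name, ($labels -join '.'))
        $labels = @($labels | Select-Object -Skip 1)   # drop the leftmost label
    }
    return $candidates
}

# Sample values (constructed): a client deep in a child domain of contoso.com.
Get-DevolvedNames -Name 'fileserver' -PrimarySuffix 'sales.west.corp.contoso.com' -DevolutionLevel 2

# Raising the level shortens the list; 4 stops at corp.contoso.com.
Get-DevolvedNames -Name 'fileserver' -PrimarySuffix 'sales.west.corp.contoso.com' -DevolutionLevel 4

# What the local client is actually configured to do.
Get-DnsClientGlobalSetting | Select-Object UseDevolution, DevolutionLevel, SuffixSearchList
```

Treat the output as a list of names an attacker could register to catch typos or unqualified lookups from your clients: every candidate above the level you really need is a parent-namespace name someone else may be able to answer for.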

Record Weighting

Weighting lets you assign a weight value to DNS SRV records. Among the SRV records that share the lowest priority value, a client chooses at random, with each target's probability proportional to its weight, so a weight of 60 against 30 and 10 sends roughly 60 percent of clients to the first target. Records with a higher priority number are used only when none of the lower-priority targets respond.

Netmask Ordering

When round-robin is enabled and a client requests name resolution for a name that has several records, the DNS server returns all of the records but rotates their order: the record listed first in the zone comes first in the response and is then moved to the end of the list, so the next client receives the second record first, and so on. Because most resolvers use the first address in the answer, this spreads clients across the hosts.

Round-robin is enabled by default.

Netmask ordering is part of the round-robin process. When netmask ordering is enabled, the DNS server compares the querying client's IP address with the addresses in the answer and moves any record on the client's subnet (by default, a matching class C prefix) to the front of the response, so the client is directed to the nearest host; round-robin rotation then applies to the remaining records. Netmask ordering is enabled through the DNS Manager console on the Advanced tab of the server Properties dialog box, or from the command line with dnscmd /Config /LocalNetPriority 1.
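The following is an added example, not code from the original page or from Microsoft, covering both the record-weighting section and the round-robin and netmask-ordering section above. Two small functions model the behaviour so you can predict what a given client will receive: one reproduces the order a server hands back A records with round-robin plus netmask ordering, the other the weighted random SRV choice a client makes as described in RFC 2782. The addresses, weights, client IP and function names are constructed for the example; the real server behaviour is switched with the dnscmd settings noted at the end.

```powershell
# Added example; not part of the original page. Sample data is constructed.

function Test-SameSubnet([string]$A, [string]$B, [int]$PrefixLength) {
    # True when the first $PrefixLength bits of two IPv4 addresses match.
    $ba = [System.Net.IPAddress]::Parse($A).GetAddressBytes()
    $bb = [System.Net.IPAddress]::Parse($B).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        $bits = [Math]::Min(8, [Math]::Max(0, $PrefixLength - 8 * $i))
        $mask = (0xFF -shl (8 - $bits)) -band 0xFF
        if (($ba[$i] -band $mask) -ne ($bb[$i] -band $mask)) { return $false }
    }
    return $true
}

# Server side. $State carries the per-name rotation counter the server keeps
# between queries. Records on the client's subnet go first (netmask ordering);
# round-robin rotates only the remaining records.
function Get-OrderedAnswer {
    param([string[]]$Addresses, [string]$ClientIP, [hashtable]$State,
          [int]$PrefixLength = 24)   # class C is the default netmask-ordering width
    $near = @($Addresses | Where-Object { Test-SameSubnet $_ $ClientIP $PrefixLength })
    $far  = @($Addresses | Where-Object { -not (Test-SameSubnet $_ $ClientIP $PrefixLength) })
    if ($far.Count -gt 0) {
        $k = $State['rotation'] % $far.Count
        if ($k -gt 0) { $far = @($far[$k..($far.Count - 1)]) + @($far[0..($k - 1)]) }
    }
    $State['rotation']++
    return $near + $far
}

# Client side. Among the SRV records with the lowest priority value, pick a target
# with probability proportional to its weight (RFC 2782). Higher priority values
# are reached only when every lower-priority target is down.
function Select-SrvTarget([object[]]$Records) {
    $lowest  = ($Records | Measure-Object -Property Priority -Minimum).Minimum
    $group   = @($Records | Where-Object { $_.Priority -eq $lowest })
    $total   = ($group | Measure-Object -Property Weight -Sum).Sum
    $r       = Get-Random -Minimum 0 -Maximum ($total + 1)   # 0..total inclusive
    $running = 0
    foreach ($rec in $group) {
        $running += $rec.Weight
        if ($running -ge $r) { return $rec.Target }
    }
}

# Three web servers in three sites; the client sits in 10.2.1.0/24.
$aRecords = '10.1.1.10', '10.2.1.10', '10.3.1.10'
$state = @{ rotation = 0 }
foreach ($q in 1..3) {
    # 10.2.1.10 is always first; the other two alternate from query to query.
    (Get-OrderedAnswer -Addresses $aRecords -ClientIP '10.2.1.55' -State $state) -join ', '
}

$srv = @(
    [pscustomobject]@{ Target = 'ldap1.contoso.com';   Priority = 0;  Weight = 60 },
    [pscustomobject]@{ Target = 'ldap2.contoso.com';   Priority = 0;  Weight = 30 },
    [pscustomobject]@{ Target = 'ldap3.contoso.com';   Priority = 0;  Weight = 10 },
    [pscustomobject]@{ Target = 'ldap-dr.contoso.com'; Priority = 10; Weight = 100 }  # backup site
)
# Over many picks the split approaches 60/30/10 and ldap-dr is never chosen.
1..1000 | ForEach-Object { Select-SrvTarget $srv } | Group-Object |
    Sort-Object Count -Descending | Select-Object Name, Count

# On a real Windows DNS server these are settings, not code:
#   dnscmd /Config /RoundRobin 1
#   dnscmd /Config /LocalNetPriority 1
```

Note the security-relevant consequence of netmask ordering: a client always receives the host on its own subnet first, so a rogue host that manages to register an A record in the client's subnet is preferred over every legitimate one; watch dynamic registrations for names that suddenly gain an address in an unexpected subnet.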

DnsUpdateProxy Group

As mentioned previously, the DHCP server can be configured to register host (A) and pointer (PTR) resource records dynamically on behalf of DHCP clients. In a zone that allows only secure dynamic updates, the DHCP server's computer account then owns each record it registers, and nobody else, not even the client when it later registers its own name or a different host takes over the address, can update it; the result is stale records and failed updates. To help solve this issue, you can use the built-in security group called DnsUpdateProxy: records registered by members of this group carry no owner, so any authenticated user or computer can update them later.

Records without an owner are, however, also unsecured, which is why group membership alone is not enough. Create a dedicated user account and configure the DHCP servers with its credentials; the DHCP servers then register records as that account, which owns them, so the records remain secured while still being manageable from any DHCP server that uses the same account. With the dedicated account configured, members of the DnsUpdateProxy group are able to register records in zones that allow only secure dynamic updates. Multiple DHCP servers can share the credentials of the one dedicated user account. Using the dedicated account is essential whenever DHCP runs on a domain controller: a domain controller that is a member of DnsUpdateProxy would otherwise register its own service records without any security.
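The following is an added example, not code from the original page or from Microsoft, that carries out the procedure above end to end: create the dedicated account, add the DHCP servers' computer accounts to DnsUpdateProxy, hand every DHCP server the account's credentials, and turn on the lease-expiry cleanup and name protection that keep stale and hijacked records out of the zone. Assumed names: domain CONTOSO (contoso.com), DHCP servers DHCP1 and DHCP2, and the account name svc-dhcpdns; it needs the ActiveDirectory and DhcpServer modules and domain admin rights.

```powershell
# Added example; not part of the original page. Assumed names: domain CONTOSO,
# DHCP servers DHCP1 and DHCP2, dedicated account svc-dhcpdns.

# 1. The dedicated account: an ordinary domain user with no extra rights. It will
#    own every record the DHCP servers register, so those records stay secured.
$pw = Read-Host -AsSecureString 'Password for svc-dhcpdns'
New-ADUser -Name 'svc-dhcpdns' -SamAccountName 'svc-dhcpdns' `
    -UserPrincipalName 'svc-dhcpdns@contoso.com' -AccountPassword $pw `
    -PasswordNeverExpires $true -CannotChangePassword $true -Enabled $true

# 2. The DHCP servers' computer accounts join DnsUpdateProxy. Never add a domain
#    controller here without step 3: its own records would be registered unsecured.
Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members 'DHCP1$', 'DHCP2$'

# 3. Every DHCP server registers with the same credentials, and cleans up after
#    itself: register on every lease, delete A/PTR when the lease expires, and
#    refuse to overwrite a name that another host already registered.
$cred = New-Object System.Management.Automation.PSCredential('CONTOSO\svc-dhcpdns', $pw)
foreach ($srv in 'DHCP1', 'DHCP2') {
    Set-DhcpServerDnsCredential -ComputerName $srv -Credential $cred
    Set-DhcpServerv4DnsSetting -ComputerName $srv -DynamicUpdates Always `
        -DeleteDnsRROnLeaseExpiry $true -NameProtection $true
    # Verify: the server should now report CONTOSO\svc-dhcpdns, not its own account.
    Get-DhcpServerDnsCredential -ComputerName $srv
}
```

After a client renews, check the owner on one of its records in the zone (Active Directory Users and Computers with Advanced Features, or the DNS Manager record security tab): it should be svc-dhcpdns, and a record with no owner at all means a DHCP server is still registering through group membership alone.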

DNS Policies

One of the best advantages of Windows Server 2022 DNS is the ability to set up DNS policies. A policy combines criteria (client subnet, time of day, transport protocol, query type, name queried, server interface and more) with an action, and can answer from different zone scopes, each holding its own version of a record. The following are just some of the things you can configure with policies:

Application Load Balancing In a corporate environment you often have multiple copies of the same application running in different locations. Application load balancing lets DNS distribute client queries for the application's name across the servers that host it, even when they sit in different locations, by answering from several zone scopes in a weight ratio you choose.

Location-Based Traffic Management You can make DNS location-aware and direct users to the resource closest to them. A DNS policy can make the server answer a client's query according to the client's geographic location (determined from its source subnet) with the IP address of the nearest instance of the requested resource.

Split-Brain DNS Another DNS policy lets a single server host split zones: the server answers a query for the same name differently depending on whether the client is internal or external, based on the server interface the query arrived on or the client's subnet. Both Active Directory integrated zones and zones on stand-alone DNS servers can be configured for split-brain DNS.

Filtering You can set up policies that filter queries on criteria you supply, such as the client subnet, the name queried, the query type or the transport protocol. A query filter can have the server ignore or deny matching queries, or send a custom response for a specific type of DNS query and/or DNS client.

Forensics You can also set up a DNS honeypot: a policy that answers a malicious DNS client with an IP address that does not exist, or with a sinkhole address you monitor, instead of the real resource, so you can observe the traffic without exposing the target.

Time of Day–Based Redirection You can set up a DNS policy that distributes application traffic between locations according to the time of day. For example, a policy can send all client requests for an application to one server at 1:00 p.m. and to a different server that holds a copy of the application at 7:00 p.m.
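The following is an added example, not code from the original page or from Microsoft, that builds each of the policy types listed above on one server with the DnsServer cmdlets: client subnets and zone scopes first, then a location policy, a weighted load-balancing policy, a time-of-day policy, a honeypot for known-bad sources and a server-level filter. Assumed names and addresses: zone contoso.com, a www service at 10.1.1.10 (Seattle) and 10.2.1.10 (Dallas), client subnets 10.1.0.0/16 and 10.2.0.0/16, an attacker range 203.0.113.0/24 and a sinkhole address 192.0.2.1; all are placeholders.

```powershell
# Added example; not part of the original page. All names and addresses are assumed.

# Location-based traffic management: client subnets -> zone scopes -> a policy per site.
Add-DnsServerClientSubnet -Name 'SeattleClients' -IPv4Subnet '10.1.0.0/16'
Add-DnsServerClientSubnet -Name 'DallasClients'  -IPv4Subnet '10.2.0.0/16'

Add-DnsServerZoneScope -ZoneName 'contoso.com' -Name 'SeattleScope'
Add-DnsServerZoneScope -ZoneName 'contoso.com' -Name 'DallasScope'
Add-DnsServerResourceRecord -ZoneName 'contoso.com' -A -Name 'www' -IPv4Address '10.1.1.10' -ZoneScope 'SeattleScope'
Add-DnsServerResourceRecord -ZoneName 'contoso.com' -A -Name 'www' -IPv4Address '10.2.1.10' -ZoneScope 'DallasScope'

# Each criterion is "operator,value"; the zone scope takes "scope,weight".
Add-DnsServerQueryResolutionPolicy -Name 'SeattleNearest' -Action ALLOW -ZoneName 'contoso.com' `
    -ClientSubnet 'EQ,SeattleClients' -ZoneScope 'SeattleScope,1'
Add-DnsServerQueryResolutionPolicy -Name 'DallasNearest' -Action ALLOW -ZoneName 'contoso.com' `
    -ClientSubnet 'EQ,DallasClients' -ZoneScope 'DallasScope,1'

# Application load balancing: everyone else is spread 3:1 across the two copies.
Add-DnsServerQueryResolutionPolicy -Name 'WwwBalance' -Action ALLOW -ZoneName 'contoso.com' `
    -FQDN 'EQ,www.contoso.com' -ZoneScope 'SeattleScope,3;DallasScope,1'

# Time-of-day redirection: during Seattle's maintenance window send all www
# queries to Dallas. ProcessingOrder 1 makes this policy win over the site policies.
Add-DnsServerQueryResolutionPolicy -Name 'SeattleMaintenance' -Action ALLOW -ZoneName 'contoso.com' `
    -FQDN 'EQ,www.contoso.com' -TimeOfDay 'EQ,19:00-22:00' -ZoneScope 'DallasScope,1' -ProcessingOrder 1

# Honeypot (forensics): known-bad sources get a sinkhole answer for www, so their
# follow-on connections land on an address you watch instead of the real host.
Add-DnsServerClientSubnet -Name 'BadActors' -IPv4Subnet '203.0.113.0/24'
Add-DnsServerZoneScope -ZoneName 'contoso.com' -Name 'Sinkhole'
Add-DnsServerResourceRecord -ZoneName 'contoso.com' -A -Name 'www' -IPv4Address '192.0.2.1' -ZoneScope 'Sinkhole'
Add-DnsServerQueryResolutionPolicy -Name 'Honeypot' -Action ALLOW -ZoneName 'contoso.com' `
    -ClientSubnet 'EQ,BadActors' -ZoneScope 'Sinkhole,1' -ProcessingOrder 1

# Filtering at server level (no -ZoneName): drop ANY queries, a favourite of
# amplification attacks, from every source. IGNORE sends no response at all.
Add-DnsServerQueryResolutionPolicy -Name 'DropAnyQueries' -Action IGNORE -QType 'EQ,ANY'

# Review what will be evaluated, and in which order, for the zone and the server.
Get-DnsServerQueryResolutionPolicy -ZoneName 'contoso.com' | Format-Table Name, ProcessingOrder, Action -AutoSize
Get-DnsServerQueryResolutionPolicy | Format-Table Name, ProcessingOrder, Action -AutoSize
```

Policies on a zone are evaluated in ProcessingOrder and the first match wins, so check the order after every addition; a honeypot or maintenance policy that sits below the site policies will never fire for the clients it was written for.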

Now that you have learned about some of the features of Windows Server 2022 DNS, let’s take a look at some of the DNS record types.
