
Securing DNS (DNS – Domain Name System)
Lecture 11

DNS in Active Directory networks
DNS was first designed as an open protocol and is vulnerable to attackers; Windows Server 2008 offers better attack prevention.
DNS is used in three ways:
- Name resolution: names to IP addresses.
- Service location for clients: locating domain controllers so that users can authenticate and access network services.
- Resource location: network resources (web servers, email servers, etc.).

Common Attacks
- Footprinting
- Redirection
- Denial of Service (DoS)
- IP spoofing
- DNS cache poisoning

Common Attacks
1) Footprinting
DNS zone data obtained by an attacker provides the DNS domain names, computer names, and IP addresses of sensitive network resources. An attack typically begins by using this DNS data to footprint the network. Because DNS domain and computer names usually indicate the function or location of a domain or computer, an attacker takes advantage of this naming principle to learn the function or location of domains and computers in the network.

2) Redirection
The attacker is able to control or redirect queries for DNS names to servers of the attacker's choosing. Method: attempt to pollute the DNS cache (cache poisoning) of a DNS server with erroneous DNS data that may redirect future queries to servers controlled by the attacker. Example: a query originally made for example.microsoft.com receives a referral answer that provides a record for a name outside the microsoft.com domain.

Common Attacks (cont.)
3) Denial of Service (DoS)
Network service availability is denied by flooding one or more DNS servers with recursive queries; network services that depend on DNS become unavailable to network users.
4) IP spoofing
After footprinting the network using DNS, the attacker uses a valid IP address as the spoofed source address in IP packets the attacker creates.
5) DNS cache poisoning
Tricks a DNS server into believing it has received authentic information when that is not the case. Once poisoned, the bogus information is generally cached for some time, and every user of that DNS server is affected.

Securing DNS
Five main areas to consider when determining the security of your DNS design.
1) DNS namespace
Use internal DNS servers and external DNS servers in the design such that:
- the internal DNS namespace is a subdomain of the external DNS namespace;
- queries for external names by internal hosts: the internal server forwards queries for external names to the external DNS servers;
- a packet-filtering firewall allows UDP and TCP port 53 communication between the external DNS server and the internal DNS server.
TCP/UDP port 53, common use: the DNS service is typically used to convert between the host names in URLs and IP addresses.

Securing DNS (cont.)
2) DNS Server service
- Interfaces: limit the IP addresses the DNS Server service listens on to the IP addresses its DNS clients use as their preferred DNS server.
- Cache anti-pollution: the "Secure cache against pollution" option prevents an attacker from successfully polluting the cache of a DNS server.
- Disable recursion: recursion can be used by attackers to deny the DNS Server service (DoS).

Securing DNS (cont.)
3) DNS zones
Make computers update DNS data securely: store DNS zones in AD and use the secure dynamic update feature. This restricts DNS zone updates to computers that are authenticated and joined to the AD domain where the DNS server is located, and only according to the specific security settings defined in the ACLs for the DNS zone.

Securing DNS (cont.)
4) DNS resource records (RRs)
Review the RR settings and apply AD security settings: manage the discretionary access control list (DACL) on DNS resource records stored in AD. The DACL lets you control the permissions of the AD users and groups that may control the DNS resource records.
Example:
- Admin: Read, Write, Create All Child Objects
- DNSAdmin: Full Control, Read, Write, Create All Child Objects, Delete Child Objects

Securing DNS (cont.)
5) DNS clients
Control the DNS server IP addresses used by DNS clients: configure static IP addresses for the preferred and alternate DNS servers on each client. If the DNS server addresses are supplied via DHCP, make sure the DHCP server is secure. Control which clients access the DNS server: if a DNS server is configured to listen only on specific IP addresses, verify that only DNS clients configured to use those IP addresses reach it.
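The five areas above correspond to concrete server and client settings. The script below is an added example, not code from the lecture or from Microsoft's documentation; it uses the DnsServer, NetSecurity, ActiveDirectory and DnsClient PowerShell modules (Windows Server 2012 or later; the lecture's Windows Server 2008 exposes the same settings through dnscmd and the DNS console). The addresses, subnet, zone name, interface alias and the AD path of the record are constructed placeholders.

```powershell
# Added example: hardening an internal, AD-integrated DNS server along the
# lecture's five areas. Addresses, names and paths are placeholders.

$internalDns  = '10.0.0.10'         # address internal clients use as preferred DNS server
$alternateDns = '10.0.0.11'         # second internal server (alternate for clients)
$externalDns  = '203.0.113.53'      # external DNS server in the perimeter network
$internalNet  = '10.0.0.0/8'        # internal client subnets
$zone         = 'corp.example.com'  # internal namespace = subdomain of external namespace

# 1) DNS namespace: the internal server forwards external names to the
#    external DNS server instead of recursing to the Internet itself ...
Add-DnsServerForwarder -IPAddress $externalDns

#    ... and the host firewall allows port 53 only for internal clients and
#    the external DNS server (the perimeter firewall mirrors this rule; the
#    outbound rules only bite if the outbound default action is Block).
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "DNS inbound $proto" -Direction Inbound -Protocol $proto `
        -LocalPort 53 -RemoteAddress $internalNet, $externalDns -Action Allow
    New-NetFirewallRule -DisplayName "DNS outbound $proto" -Direction Outbound -Protocol $proto `
        -RemotePort 53 -RemoteAddress $internalNet, $externalDns -Action Allow
}

# 2) DNS Server service: listen only on the address clients are configured
#    with, and drop referral data from outside the queried domain (cache pollution).
dnscmd /ResetListenAddresses $internalDns
Set-DnsServerCache -PollutionProtection $true
#    Recursion is disabled on the external, authoritative-only server; a
#    forwarding server still needs it, so this line runs there only:
#    Set-DnsServerRecursion -Enable $false

# 3) DNS zones: AD-integrated zone that accepts only secure dynamic updates
#    from authenticated, domain-joined computers.
Set-DnsServerPrimaryZone -Name $zone -DynamicUpdate Secure

# 4) DNS resource records: review the DACL on a record's dnsNode object in AD.
#    DN assumed for the "www" record of a zone stored in the DomainDnsZones partition.
Import-Module ActiveDirectory
$nodeDn = "DC=www,DC=$zone,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example,DC=com"
(Get-Acl -Path "AD:\$nodeDn").Access |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
    Format-Table -AutoSize

# 5) DNS clients: static preferred and alternate servers, so a rogue DHCP
#    server cannot redirect the client's name resolution.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $internalDns, $alternateDns
```

Run the server sections on the DNS server with DnsAdmins rights and the last section on each client; afterwards `Get-DnsServerCache`, `Get-DnsServerRecursion` and `Get-DnsServerZone -Name $zone` show the effective settings, which is the check worth putting in a baseline audit.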

Securing DNS Zone Replication
Zone replication keeps multiple copies of DNS data (zone information) synchronized. Traditional zone replication is a zone transfer between primary and secondary servers; in Windows Server 2003, zone information can instead be shared via AD. Avoid exposing DNS data via zone replication: zone transfer is used by attackers, since the IP addresses of critical network servers that it reveals can be used by the attacker.

Securing DNS Zone Replication (cont.)
- AD replication: traffic is encrypted, and DCs authenticate to each other, which ensures the destination of zone replication traffic.
- Restrict zone transfer if AD-integrated DNS is not used.
- Secure cache against pollution (on by default): DNS places referral names in its cache only if they are in the same domain as the query.
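To make the last bullet concrete, here is a small PowerShell model of that referral filter, written as an added example; it is not the DNS Server service's own code, the helper functions are hypothetical, and the record set is constructed. It replays the redirection example from the Common Attacks slide: the query is for example.microsoft.com, and the referral carries one record for a name outside microsoft.com, which the filter refuses to cache.

```powershell
# Added example: model of "secure cache against pollution". A record from a
# referral is cached only if its owner name lies in the queried domain.

function Get-ParentDomain {
    param([string]$Name)
    # 'example.microsoft.com' -> 'microsoft.com'; a single label has no parent.
    $labels = $Name.TrimEnd('.').Split('.')
    if ($labels.Count -lt 2) { return '' }
    return ($labels[1..($labels.Count - 1)] -join '.')
}

function Test-InBailiwick {
    param([string]$QueryName, [string]$RecordName)
    $domain = (Get-ParentDomain $QueryName).ToLowerInvariant()
    if (-not $domain) { return $false }
    $record = $RecordName.TrimEnd('.').ToLowerInvariant()
    # Equal to the domain, or a proper subdomain of it (label boundary enforced
    # by the leading dot, so 'evilmicrosoft.com' does not pass as 'microsoft.com').
    return ($record -eq $domain) -or $record.EndsWith('.' + $domain)
}

function Select-CacheableRecords {
    param([string]$QueryName, [object[]]$Records)
    foreach ($rec in $Records) {
        if (Test-InBailiwick -QueryName $QueryName -RecordName $rec.Name) {
            $rec
        } else {
            Write-Warning "Not cached: $($rec.Name) $($rec.Type) $($rec.Data) is outside $(Get-ParentDomain $QueryName)"
        }
    }
}

# Constructed referral response for a query about example.microsoft.com.
$query    = 'example.microsoft.com'
$referral = @(
    [pscustomobject]@{ Name = 'microsoft.com';     Type = 'NS'; Data = 'ns1.microsoft.com' }
    [pscustomobject]@{ Name = 'ns1.microsoft.com'; Type = 'A';  Data = '198.51.100.5' }
    [pscustomobject]@{ Name = 'www.bank.example';  Type = 'A';  Data = '203.0.113.9' }  # pollution attempt
)

Select-CacheableRecords -QueryName $query -Records $referral | Format-Table -AutoSize
```

The first two records are kept and the third produces a warning instead of a cache entry; a resolver without this rule would cache the attacker's address for www.bank.example and hand it to every later client, which is the redirection the Common Attacks slide describes.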

Securing DNS Zone Replication (cont.)
- Encrypt replication traffic: a gateway-to-gateway VPN tunnel between DNS servers, or an IPsec transport mode policy that is triggered when the primary and secondary servers communicate.
- Secure dynamic registration: restrict IP address modification.
- Secure DNS clients: static DNS configuration in the client; otherwise security depends on the DHCP server, which exposes clients to DoS and IP spoofing.
- Configure DNS to listen only on authorized IP addresses.
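As an added example (not from the lecture), the following restricts zone transfer on a standard primary zone to one named secondary and requires IPsec transport mode with ESP encryption for all traffic between the two servers. It uses the DnsServer and NetSecurity modules; the zone name and addresses are placeholders, and the IPsec rule relies on the default computer Kerberos authentication that domain-joined servers already have.

```powershell
# Added example: lock down zone replication between a primary and its
# secondary. Zone name and addresses are constructed placeholders.

$zone      = 'corp.example.com'
$primary   = '10.0.0.10'   # this script runs on the primary
$secondary = '10.0.0.11'

# Zone transfer only to the listed secondary. For an AD-integrated zone use
# -SecureSecondaries NoTransfer instead, since AD replication carries the data.
Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $secondary

# Check the effective setting before relying on it.
Get-DnsServerZone -Name $zone |
    Select-Object ZoneName, IsDsIntegrated, SecureSecondaries, SecondaryServers

# IPsec transport mode between the two servers. The default quick-mode set may
# provide integrity only, so define an ESP/AES-256 proposal and require it.
$proposal  = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$cryptoSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'DNS transfer ESP AES256' -Proposal $proposal

# No port filter: zone transfers (TCP 53), NOTIFY messages and SOA refresh
# queries use ephemeral source ports, so protect all traffic between the pair.
New-NetIPsecRule -DisplayName 'DNS primary/secondary (IPsec required)' -Mode Transport `
    -LocalAddress $primary -RemoteAddress $secondary `
    -InboundSecurity Require -OutboundSecurity Require `
    -QuickModeCryptoSet $cryptoSet.Name
```

The same IPsec rule, with LocalAddress and RemoteAddress swapped, must exist on the secondary, otherwise negotiation fails and replication stops rather than falling back to cleartext. That fail-closed behaviour is the point of Require on both directions: a host that is not the authenticated secondary cannot complete the exchange, which addresses the zone-transfer exposure described on the previous slides.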

References
- http://technet2.microsoft.com/windowsserver/en/library/d11c41b7-81c9-4970-8586-af12c75a57421033.mspx?mfr=true
- Designing Security for Microsoft Windows Server 2008, Roberta Bragg