Microsoft Windows 2000 DNS
University of Tulsa - Center for Information Security
October 8, 2015


History of DNS
- Before DNS: the Hosts.txt file
- For a good summary of the history of DNS, see the article linked from the slide (link lost in transcription)

DNS Standard Documents
- The DNS standards are listed on the web; the Microsoft site below collects the RFC numbers and RFC drafts:
  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dns/dnsstartpage_2lgl.asp?frame=true

What is DNS?
- Stands for Domain Name System
- Locator service that translates user-friendly names into addresses that the network can recognize
- Primary locator service for Active Directory; therefore considered a base service for both Windows 2000 and Active Directory

Example Using DNS
- Alice asks which name server is authoritative for all of the host names at site B
- Alice receives an answer such as "nmServerB"
- Alice asks nmServerB "What is Bob's IP address?"
- nmServerB replies to Alice with Bob's IP address
- With Bob's IP address, Alice can begin direct communication with Bob

The Domain Namespace
- Tree data structure that contains DNS's distributed database, indexed by domain names
  – Each node has a text label that differs from the labels of all its siblings
- Domain name: the sequence of labels on the path from a node to the root
  – Data associated with a domain name is stored in a resource record
- Domain: a subtree of the domain namespace

The Internet Domain Namespace
- Top-level domains: com, edu, gov, mil, net, org, int, arpa, and geographical designations (uk, us, bm, aq)
- Reading domain names:
  – lithium.cchem.berkeley.edu

Delegation
- Goal: decentralize administration
- Delegate administrative duties to subdomains
  – Retain pointers to the sources of the subdomains' data
  – Queries can then be referred to the authority for the subdomain

Name Servers and Zones
- Programs that store information about the domain namespace are called name servers
- Name servers have complete information about some part of the domain namespace, called a zone
  – The name server is then said to have authority over that zone

Types of Name Servers
- Primary master name server: reads data for the zone from a file on its host
- Secondary master: gets zone data from the name server that is authoritative for the zone
  – Zone transfer: when the secondary master retrieves zone data from the primary master

Resolvers
- Clients that access name servers
- Handle:
  – Querying the name server
  – Interpreting responses
  – Returning the information to the programs that requested it
- In Windows 2000, a resolver is a set of library routines

Resolution
- Resolution is the process of searching through the domain namespace to find data for which the name server is not authoritative
  – Only requires the domain names and addresses of the root name servers
- Root name servers refer requests to the top-level domain server for the domain the name ends in
- In turn, each name server queried either provides the answer or refers the request to a "closer" name server

Recursion / Iteration
- Recursive query
  – Places most of the burden of resolution on a single name server
  – The queried name server is obliged to respond with the requested data or with an error (it can't just refer the query to a different name server)
  – A name server that receives a recursive query it can't answer itself will query the "closest known" name servers
- Iteration
  – The name server gives the best answer it already knows
  – If it can't directly answer the query, the name server returns a referral to the name servers listed in its local data that are closest to the name being sought

Choosing Between Authoritative Name Servers
- The Microsoft DNS Server uses round-trip time (RTT) to choose between name servers authoritative for the same zone
  – RTTs are averaged in after each query
  – The average is initially set very low so that each server gets queried before favorites are chosen

Mapping Addresses to Names
- Forward (names to addresses)
  – Straightforward search through a host table on the name server
- Reverse (addresses to names)
  – in-addr.arpa domain
  – Portion of the Internet domain namespace that uses addresses as labels
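The resolution and iteration slides above, together with the in-addr.arpa reverse lookup on this slide, modelled as an added example (not from the slides or from Microsoft's DNS server): each simulated server returns an answer, a referral to the closest delegation it knows, or a negative reply, and the resolver follows referrals from the root. All server names, zones and addresses are constructed.

```python
# Added example (not from the slides): a toy model of iterative resolution over a
# constructed namespace. Each simulated server holds the answers it is
# authoritative for plus delegations (the "closest known" name servers) it can
# refer a resolver to. Every name, server and address here is made up.

SERVERS = {
    "root-server": {"answers": {},
                    "delegations": {"edu.": "edu-server", "arpa.": "arpa-server"}},
    "edu-server": {"answers": {}, "delegations": {"berkeley.edu.": "berkeley-ns"}},
    "arpa-server": {"answers": {}, "delegations": {"10.in-addr.arpa.": "berkeley-ns"}},
    "berkeley-ns": {"answers": {
        "lithium.cchem.berkeley.edu.": ("A", "10.0.0.5"),
        "5.0.0.10.in-addr.arpa.": ("PTR", "lithium.cchem.berkeley.edu.")},
        "delegations": {}},
}

def in_zone(qname, zone):
    """True if qname is the zone apex or lies below it (label-aligned suffix match)."""
    return qname == zone or qname.endswith("." + zone)

def query(server, qname):
    """One iterative query. The server never chases the answer on the client's
    behalf: it returns its data, a referral to the longest matching delegation
    it knows, or NXDOMAIN when it is authoritative and has no such name."""
    s = SERVERS[server]
    if qname in s["answers"]:
        return "answer", s["answers"][qname]
    matches = [z for z in s["delegations"] if in_zone(qname, z)]
    if matches:
        return "referral", s["delegations"][max(matches, key=len)]
    return "nxdomain", None

def resolve(qname, start="root-server", max_hops=8):
    """The resolver's side of iteration: start at a root server (the only address
    it must know up front) and follow referrals to an answer or a negative reply.
    Returns (record_or_None, list_of_servers_asked)."""
    path, server = [], start
    for _ in range(max_hops):
        kind, data = query(server, qname)
        path.append(server)
        if kind != "referral":
            return data, path
        server = data
    raise RuntimeError("too many referrals while resolving %s" % qname)

def reverse_name(ip):
    """Build the in-addr.arpa name used for address-to-name (reverse) lookups."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

if __name__ == "__main__":
    print(resolve("lithium.cchem.berkeley.edu."))   # A record via root -> edu -> berkeley
    print(resolve(reverse_name("10.0.0.5")))        # PTR record via root -> arpa -> berkeley
    print(resolve("nosuch.berkeley.edu."))          # negative reply from the authority
```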

Caching
- Saves information about previous resolution processes
- The Microsoft DNS Server even implements negative caching: if an authoritative name server responds to a query saying the domain name doesn't exist, this information is cached as well
- Cached data is given a time to live (TTL)

Securing Microsoft Windows 2000 DNS
- From the NSA Security Recommendations for Windows (link lost in transcription)

Zone Information Security
- Converting to an Active Directory Integrated Server
- Zone File and Registry Security

Converting to an Active Directory Integrated Server
- Requires the DNS server to be on a Windows 2000 Domain Controller
- Change the zone type to Active Directory-integrated
  – Zone information is stored, replicated, and secured in the Active Directory
  – Choose the "only secure updates" option for Dynamic Updates
  – Recommended

Zone File and Registry Security
- If zone information is not stored in Active Directory, secure the zone files
  – Folder: "%SystemDirectory%\DNS"
  – User Groups: System
  – Recommended Permissions: Full Control
- All DNS servers should have the registry secured
  – Key: "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS"
  – User Groups: Administrator, System
  – Recommended Permissions: Full Control for both groups

Controlling Zone Transfers
- Four options for zone transfers
  – Do not allow zone transfers
    The server can still receive zone transfers and respond to DNS queries
  – Allow zone transfers to any server
    Not recommended
  – Allow zone transfers to all servers listed in the Name Servers property tab
    Recommended when zone transfers will only be done within one domain
  – Allow zone transfers to a specific list of IP addresses
    Recommended when communicating between protected DNS servers and a DNS server that can be accessed from the Internet
- Never transfer the forward lookup zone containing Active Directory records to any server that can be accessed via the Internet

DNS Server Configurations
- Several deployment methods for DNS in a Win2K environment:
  – DNS in an Enclosed Environment
  – DNS with an Internet Presence
  – DNS with an Internet Presence with Reverse Lookup Requirements
  – DNS with an Internet Presence with Forward and Reverse Lookup Zone Requirements

DNS in an Enclosed Environment
- The external router and firewall should block all DNS traffic (UDP and TCP port 53)
- DNS zones should be made Active Directory Integrated and only allow zone transfers to servers listed in the Name Servers tab

DNS with an Internet Presence
- Separate the external DNS server from the DNS servers being used for the Windows 2000 domain
- Secure zone transfers to a specific list of servers, or to no servers. If several servers are used within one DNS domain, control transfers using the Name Servers tab
- Secure the file system and registry
- Disable all unnecessary services
- Disable dynamic updates
- Internet name resolution from the internal network can be provided by forwarding requests to the external DNS server

DNS with an Internet Presence with Reverse Lookup Requirements
- Disconnected Reverse Lookup Zone
  – Add a reverse lookup zone to the external DNS server that contains a list of all the internal network IP addresses
  – Match each IP with a fictitious client name with the appropriate extension. This allows the IPs to be verified.
  – Recommended
- Secondary Reverse Lookup Zone
  – Add a reverse lookup zone to the external DNS server as a secondary zone of the internal network's zone
  – Add the external server to the list of servers that one internal DNS server allows zone transfers to
  – Configure the router and firewall to allow communication between the external and internal DNS servers
  – Will expose the internal server's Start of Authority record in the reverse lookup zone

DNS with Internet Presence with Forward & Reverse Lookup Zone Requirements
- This configuration is not recommended, but may be necessary
  – Exposes server records to the Internet
  – Allows attackers to completely map the internal network
- Options, from best to worst:
  – Use a secure tunneling protocol between sites to secure zone transfers and protect the internal DNS server records (Good)
  – Add only the specific server records that are required for the network to function to the external DNS servers (Worse)
  – Configure one external DNS server's forward and reverse lookup zones to be secondary zones of one internal DNS server's zones (Worst)

Router and Firewall Settings
- DNS traffic: port 53 (UDP and TCP)
  – UDP 53: client queries
  – TCP 53: zone transfers
- Zone transfers are not necessary outside the protected network
  – TCP 53 should be disabled at the internal, external, firewall, and DMZ routers
- If DNS is configured to allow zone transfers between internal and external servers, then the internal router, firewall, and DMZ routers should allow connections on TCP 53 between those two servers only
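The zone-transfer controls and the router/firewall rule above, turned into a check a defender can run over firewall logs, as an added example (not from the slides): it reports every accepted TCP/53 flow that is not between the one internal and one external DNS server the policy permits. The log format, the server addresses and the log lines are constructed; the slides' model treats TCP 53 as zone-transfer traffic only, so a query that fell back to TCP would also be reported and would need a triage note.

```python
# Added example (not from the slides): audit constructed firewall log lines against
# the rule "TCP 53 only between the designated internal and external DNS servers".
# UDP 53 (client queries) is expected traffic and is not reported.
import re

# Constructed addresses from documentation ranges; the permitted pair is an assumption.
INTERNAL_DNS = "192.0.2.10"
EXTERNAL_DNS = "198.51.100.20"
# Unordered: either server may open the TCP connection, depending on which is the secondary.
ALLOWED_XFER_PAIR = frozenset({INTERNAL_DNS, EXTERNAL_DNS})

# Constructed log format: "<ts> fw <ACCEPT|DROP> proto=<TCP|UDP> src=<ip> dst=<ip> dport=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) fw (?P<action>ACCEPT|DROP) proto=(?P<proto>TCP|UDP) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

SAMPLE_LOG = """\
2015-10-08T10:00:01 fw ACCEPT proto=UDP src=203.0.113.7 dst=198.51.100.20 dport=53
2015-10-08T10:00:02 fw ACCEPT proto=TCP src=198.51.100.20 dst=192.0.2.10 dport=53
2015-10-08T10:00:03 fw ACCEPT proto=TCP src=203.0.113.7 dst=192.0.2.10 dport=53
2015-10-08T10:00:04 fw ACCEPT proto=TCP src=203.0.113.7 dst=198.51.100.20 dport=53
2015-10-08T10:00:05 fw DROP proto=TCP src=203.0.113.9 dst=192.0.2.10 dport=53
2015-10-08T10:00:06 fw ACCEPT proto=TCP src=192.0.2.55 dst=10.9.8.7 dport=443
"""

def parse(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def audit(log_text):
    """Return (ts, src, dst) for every ACCEPTed TCP/53 flow outside the allowed pair.
    DROPped flows were already blocked and are not reported; non-DNS traffic is ignored."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        if rec["proto"] != "TCP" or rec["dport"] != "53":
            continue  # UDP 53 queries are expected; other ports are out of scope here
        if frozenset({rec["src"], rec["dst"]}) != ALLOWED_XFER_PAIR:
            findings.append((rec["ts"], rec["src"], rec["dst"]))
    return findings

if __name__ == "__main__":
    for ts, src, dst in audit(SAMPLE_LOG):
        print(f"{ts}: TCP/53 accepted {src} -> {dst} (not the permitted transfer pair)")
```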

Questions?