1 (DNS – Domain Name System)
Securing DNS (DNS – Domain Name System), Lecture 11

2 DNS in Active Directory NW
DNS was first designed as an open protocol and is vulnerable to hackers; WS2008 provides better attack prevention.
DNS is used in three ways:
Name resolution: names to IP addresses.
Service location for clients: locating the DC so that users can authenticate and access NW services.
Resource location: finding NW resources (Web servers, other servers, etc.).

3 Common Attacks
1) Footprinting
2) Redirection
3) Denial of Service (DoS)
4) IP spoofing
5) DNS cache poisoning

4 Common Attacks: 1) Footprinting
DNS zone data obtained by an attacker provides the DNS domain names, computer names, and IP addresses of sensitive network resources.
An attack begins by using this DNS data to footprint the NW.
DNS domain and computer names usually indicate the function or location of a domain or computer.
The attacker takes advantage of this DNS naming principle to learn the function or location of domains and computers in the NW.

5 Common Attacks (cont.): 2) Redirection
The attacker is able to control and redirect queries for DNS names to servers under the attacker's control.
Method: attempt to pollute the DNS cache (cache poisoning) of a DNS server with erroneous DNS data that may redirect future queries to servers controlled by the attacker.
Example: a query originally made for example.microsoft.com receives a referral answer that provides a record for a name outside the microsoft.com domain.

6 Common Attacks (cont.): 3) Denial of Service (DoS)
NW service availability is denied by flooding one or more DNS servers with recursive queries; NW services that use DNS become unavailable to NW users.
4) IP spoofing: after footprinting the NW using DNS, the attacker uses a valid IP address as the source address in IP packets created by the attacker.
5) DNS cache poisoning: tricks a Domain Name Server into believing it has received authentic information when that is not the case. Once poisoned, the information is generally cached for some time, with an effect on all users of that DNS server.
@: means address

7 Securing DNS: five main areas to consider when determining your DNS design security
1) DNS namespace
Use internal DNS servers and external DNS servers in the DNS design such that:
The internal DNS namespace is a subdomain of the external DNS namespace.
Queries for external names by internal hosts: the internal server forwards queries for external names to the external DNS servers.
A packet-filtering firewall allows UDP and TCP port 53 communication between the external DNS server and the internal DNS server.
TCP/UDP port 53 common use: the DNS service is typically used to convert between URLs and IP addresses.

8 Securing DNS (cont.): 2) DNS Server service
Interfaces: limit the IP addresses the DNS Server service listens on to those used by its DNS clients as their preferred DNS server.
Cache anti-pollution: the Secure cache against pollution option prevents an attacker from successfully polluting the cache of a DNS server.
Disable recursion: recursion can be used by attackers to deny the DNS Server service.
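The three slide-8 settings applied with the DnsServer PowerShell module, as an added example that is not part of the lecture (the module ships with Windows Server 2012 and later, where it replaces the dnscmd switches used on WS2008). The listen address is a constructed placeholder.

```powershell
# Added example (not from the lecture): hardening the DNS Server service with the
# DnsServer module (Windows Server 2012 and later). The address is a placeholder.

$listenOn = @('10.0.0.10')   # the interface address clients use as their preferred DNS server

# 1) Interfaces: listen only on the address that DNS clients are configured to use
$setting = Get-DnsServerSetting -All
$setting.ListeningIPAddress = $listenOn
Set-DnsServerSetting -InputObject $setting

# 2) Cache anti-pollution: discard referral records that lie outside the queried domain
Set-DnsServerCache -PollutionProtection $true

# 3) Disable recursion on a server that should answer only for its own zones
#    (keep it enabled on an internal server that must forward external names, slide 7)
Set-DnsServerRecursion -Enable $false

# Audit helper: return the three settings as one object so they can be checked together
function Get-DnsHardeningState {
    [pscustomobject]@{
        ListeningIPAddress  = (Get-DnsServerSetting -All).ListeningIPAddress
        PollutionProtection = (Get-DnsServerCache).PollutionProtection
        RecursionEnabled    = (Get-DnsServerRecursion).Enable
    }
}
Get-DnsHardeningState
```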

9 Securing DNS (cont.): 3) DNS zones
Make computers update DNS data securely: store DNS zones in AD and use the secure dynamic update feature.
This restricts DNS zone updates to only those computers that are authenticated and joined to the AD domain where the DNS server is located,
and only according to the specific security settings defined in the ACLs for the DNS zone.

10 Securing DNS (cont.): 4) DNS Resource Records (RRs)
Review the RR settings and apply AD security settings.
Manage the discretionary access control list (DACL) on DNS resource records stored in AD. The DACL allows you to control permissions for the AD users and groups that may control the DNS resource records.
Example:
Admin: Read, Write, Create All Child objects
DNSAdmin: Full Control, Read, Write, Create All Child objects, Delete Child objects

11 Securing DNS (cont.): 5) DNS clients
Control the DNS server IP addresses used by DNS clients: use static IP addresses for the preferred DNS server and alternate DNS servers of a DNS client. If the DNS server addresses are assigned via DHCP, make sure the DHCP server is secure.
Control which clients access the DNS server: if a DNS server is configured to listen only on specific IP addresses, ensure that only the DNS clients configured to use these IP addresses can access it.

12 Securing DNS Zone Replication
Multiple copies of the DNS data (zone information) are kept synchronized by zone replication: traditionally a zone transfer bw primary and secondary servers; in WS 2003 and later, zone information can instead be shared via AD.
Avoid exposing DNS data via zone replication (ZR): a zone transfer can be used by an attacker to obtain the DNS data of critical NW servers.
Bw: between

13 Securing DNS Zone Replication (cont.)
AD replication: traffic is encrypted, and DCs authenticate to e/o, ensuring the destination of ZR traffic.
Restrict zone transfer if AD-integrated DNS is not used.
Secure cache against pollution is enabled by default: DNS places referral names in the cache only if they are in the same domain as the query.
e/o: each other
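The cache-pollution rule from slides 5, 8 and 13 written out as an added example (not from the lecture): a filter that keeps only response records whose owner name lies in the queried name's domain and drops the out-of-domain record a poisoning attempt relies on. The record objects, names and addresses are constructed, and treating the query's parent domain as the boundary is an assumption made for illustration.

```powershell
# Added example (not from the lecture): the "same domain as the query" rule behind
# Secure cache against pollution, as a filter over a constructed response.

function Get-NameLabels {
    param([string]$Name)
    # Strip the trailing dot of a fully qualified name, lower-case, split into labels
    return @(($Name.TrimEnd('.').ToLowerInvariant() -split '\.') | Where-Object { $_ -ne '' })
}

function Test-NameInDomain {
    param([string]$Name, [string]$Domain)
    # True when $Name equals $Domain or is below it, compared label by label so that
    # 'notmicrosoft.com' does not match 'microsoft.com' the way a string suffix test would
    $n = @(Get-NameLabels $Name)
    $d = @(Get-NameLabels $Domain)
    if ($d.Count -eq 0 -or $n.Count -lt $d.Count) { return $false }
    for ($i = 1; $i -le $d.Count; $i++) {
        if ($n[$n.Count - $i] -ne $d[$d.Count - $i]) { return $false }
    }
    return $true
}

function Get-ParentDomain {
    param([string]$Name)
    # Assumption for this example: the query's domain is the name minus its leftmost label
    $labels = @(Get-NameLabels $Name)
    if ($labels.Count -le 1) { return '' }
    return ($labels[1..($labels.Count - 1)] -join '.')
}

function Select-CacheableRecords {
    param([string]$QueryName, [object[]]$Records)
    # Keep only records whose owner name is inside the query's domain; the rest is
    # what the Secure cache against pollution option refuses to cache
    $domain = Get-ParentDomain $QueryName
    return @($Records | Where-Object { Test-NameInDomain -Name $_.Name -Domain $domain })
}

# Constructed response to a query for example.microsoft.com: two in-domain records and
# one record for a name outside microsoft.com, the slide-5 redirection pattern
$response = @(
    [pscustomobject]@{ Name = 'ns1.microsoft.com.';    Type = 'A'; Data = '10.0.0.53' },
    [pscustomobject]@{ Name = 'example.microsoft.com'; Type = 'A'; Data = '10.0.0.80' },
    [pscustomobject]@{ Name = 'www.notmicrosoft.com';  Type = 'A'; Data = '192.0.2.1' }
)
$kept = Select-CacheableRecords -QueryName 'example.microsoft.com' -Records $response
$kept | Format-Table Name, Type, Data   # only the two microsoft.com names remain
```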

14 Securing DNS Zone Replication (cont.)
Encrypt replication traffic: a GW-2-GW VPN tunnel between DNS servers, or an IPSec transport mode policy that is triggered when the primary and secondary servers communicate.
Secure dynamic registration: modification is restricted.
Secure DNS clients: DNS server addresses are static in the DNS configuration, otherwise security depends on the DHCP server → DoS, IP spoofing.
Configure DNS to listen only on authorized interfaces.
GW: gateway
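The zone-level controls from slides 9, 13 and 14 (secure dynamic update, restricted zone transfer) with the DnsServer module, as an added example that is not part of the lecture (Windows Server 2012 and later). The zone name and secondary address are constructed placeholders.

```powershell
# Added example (not from the lecture): restricting zone replication and dynamic
# update on one zone with the DnsServer module. Zone and address are placeholders.

$zone      = 'corp.example.com'
$secondary = '10.0.0.11'   # the only server allowed to pull a copy of the zone

$z = Get-DnsServerZone -Name $zone
if ($z.IsDsIntegrated) {
    # AD-integrated zone: replication rides on encrypted, authenticated AD replication
    # (slide 13), so block classic zone transfer entirely and require secure updates
    Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries NoTransfer
    Set-DnsServerPrimaryZone -Name $zone -DynamicUpdate Secure
} else {
    # File-backed primary: zone transfer is the only replication path, so limit it to
    # the listed secondary; secure dynamic update needs AD, so allow no dynamic update
    Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries TransferToSecureServers -SecondaryServers $secondary
    Set-DnsServerPrimaryZone -Name $zone -DynamicUpdate None
}

# Audit helper: $true only when the zone neither accepts unauthenticated updates nor
# hands its data to any server that asks for a transfer
function Test-ZoneHardened {
    param([string]$Name)
    $z = Get-DnsServerZone -Name $Name
    $transferOk = $z.SecureSecondaries -in @('NoTransfer', 'TransferToSecureServers')
    $updateOk   = $z.DynamicUpdate -ne 'NonsecureAndSecure'
    return ($transferOk -and $updateOk)
}
Test-ZoneHardened -Name $zone
```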

15 References
af12c75a mspx?mfr=true
Designing Security for MS WS 2008: Roberta Bragg
