Securing DNS Servers

Domain Name System (DNS) is the primary name registration and name resolution service used in Windows Server. DNS provides a hierarchically distributed and scalable database; provides name registration, name resolution, and service location for Windows clients; and locates domain controllers for logon. A DNS server is a computer running the DNS Server service that provides these domain name services.

The common threats to DNS servers are:

Denial-of-service (DoS) attacks: DoS attacks occur when DNS servers are flooded with recursive queries in an attempt to prevent the DNS server from servicing legitimate client requests for name resolution. A successful DoS attack can result in the unavailability of DNS services and, eventually, in the shutdown of the network.

Footprinting: Footprinting occurs when an intruder obtains DNS zone information. With this information, the intruder is able to discover the DNS domain names, computer names, and IP addresses in use on the network, and then uses it to decide which computers to attack.

IP Spoofing: After an intruder has obtained a valid IP address from a footprinting attack, the intruder can use that IP address to send malicious packets to the network or to access network services. The intruder can also use the valid IP address to modify data.

Redirection: A redirection attack occurs when an intruder is able to make the DNS server forward or redirect name resolution requests to the wrong servers, which are under the intruder's control. A redirection attack is accomplished by corrupting the DNS cache of a DNS server that accepts unsecured dynamic updates.

DNS security recommendations

A few DNS security recommendations are listed here:

  • Your DNS servers should not respond to name resolution requests from any unauthorized networks. DNS servers should respond to requests from internal interfaces only.
  • To prevent other servers from obtaining DNS zone records that contain important information, zone transfers should be restricted to specific DNS servers.
  • To protect your DNS servers from spoofing of DNS records, use the Secure only dynamic update option.
  • To further improve the security of DNS zone file data, consider using Active Directory-integrated zones if you are using Active Directory. An Active Directory-integrated zone stores its zone data in Active Directory; DNS zone files are not used to store data for these zones. An Active Directory-integrated zone is an authoritative primary zone, and it benefits from the security features of Active Directory.
  • Consider configuring the Secure cache against pollution option to further protect your DNS servers from an intruder attempting to pollute the DNS cache with incorrect information.

To allow only secure dynamic updates,

  1. Click Start, Administrative Tools, and then click DNS to open the DNS console.
  2. In the console tree, right-click the DNS zone that you want to configure, and then select Properties from the shortcut menu.
  3. Verify on the General tab that the zone type configured for the zone is Active Directory-integrated.
  4. In the Dynamic Updates drop-down list box, select the Secure only option.
  5. Click OK.

To configure the Secure cache against pollution option,

  1. Click Start, Administrative Tools, and then click DNS.
  2. In the console tree, right-click the DNS server that you want to configure, and then select Properties to open the DNS server's Properties dialog box.
  3. Click the Advanced tab.
  4. In the Server Options list, select the Secure Cache Against Pollution checkbox.
  5. Click OK.

For DNS zones that are not stored in Active Directory, it is recommended that you implement the following security methods:

  1. Change the permissions on the zone file, or on the folder that contains the zone files, so that only the System group is allowed the Full Control permission.
  2. In the Registry, secure the DNS registry keys under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS.

For DNS servers that do not respond to client requests directly and are not DNS forwarders, implement the security method listed below. DNS forwarders are the DNS servers used to forward DNS queries for other DNS namespaces to the DNS servers that can answer the query. A DNS server becomes a DNS forwarder when you configure the other DNS servers to direct any unresolved queries to that specific DNS server:

  • Disable recursion: If a DNS server cannot find the queried name in its zone information or in its cache, the DNS server performs recursion to resolve the name. This is the default configuration for DNS servers. Recursion is the process by which the DNS server queries other DNS servers on behalf of the client.

To disable recursion,

  1. Click Start, Administrative Tools, and then click DNS to open the DNS management console.
  2. In the console tree, right-click the DNS server that you want to configure, and then select Properties to open the DNS server's Properties dialog box.
  3. Switch to the Advanced tab.
  4. In the Server Options list, select the Disable recursion (also disables forwarders) checkbox so that the DNS server no longer performs recursion to resolve client queries.
  5. Click OK.

For DNS servers that do not resolve Internet names, implement the security method listed below:

  • Configure the root hints to point only to the DNS servers in your root domain. Root hints are a set of resource records that the DNS Server service uses to locate the DNS servers that are authoritative for the root of the DNS domain namespace. If you are using Windows Server DNS, a preconfigured root hints file named Cache.dns already exists. Cache.dns contains the addresses of the root servers in the Internet DNS namespace and is loaded into memory when the DNS Server service starts. If you want to create your own custom root hints, you have to delete the Internet root servers and add the correct information for your environment.

To configure the root hints to point only to the DNS servers in your root domain,

  1. Click Start, Administrative Tools, and then click DNS to open the DNS management console.
  2. Click the Action menu, and select the Properties command.
  3. Switch to the Root Hints tab.
  4. To add a root server, click the Add button and enter the DNS server name and IP address to be added to the list.
  5. To delete an existing root server, select the server and then click the Remove button.
  6. Click OK.

Microsoft specifies three levels of DNS security. The high-level security configuration provides the most protection for DNS servers. The high-level security configuration consists of a DNS server hosted on a domain controller, with DNS zone information stored in Active Directory.

Several characteristics of the high-level security configuration are listed here:

  • Internal DNS servers are not exposed to the Internet.
  • DNS servers are hosted on domain controllers.
  • Active Directory-integrated zones are the only zone type configured.
  • Zone data is stored in Active Directory, and only secure dynamic updates are allowed.
  • DNS zone transfer takes place only to specific IP addresses.

Basic Security Measures for DNS Servers

Basic security measures for securing the DNS server role are listed here:

  • Physically secure your DNS servers.
  • The NTFS file system should be used to protect data on the system volume.
  • Apply and maintain a strong virus protection solution.
  • Software patches should be kept up to date.
  • If applicable, programs should only be allowed to be installed when they come from trusted sources.
  • All unnecessary services and applications not in use on DNS servers should be removed.
  • Secure the Administrator and Guest well-known accounts.

Recommendations for Securing DNS Servers Attached to the Internet

A few recommendations for securing DNS servers that are attached to the Internet are listed here:

  • DNS servers that are attached to the Internet should be placed in a perimeter network so that internal network resources can be secured from the public Internet.
  • Use a firewall solution to configure access rules and packet filtering that filter both source and destination addresses and ports.
  • Remove all unnecessary services from these DNS servers.
  • Limit the number of DNS servers that are allowed to initiate a DNS zone transfer. Zone transfer should also be allowed only to specific IP addresses.
  • Consider using IPSec to secure zone replication traffic.
  • Consider adding a second DNS server on a different subnet to further improve protection from DoS attacks.
  • Regularly monitor your DNS servers and the DNS log files.

Recommendations for Securing DNS Servers Not Attached to the Internet

A few recommendations for securing DNS servers that are not attached to the Internet are listed here:

  • Access to internal DNS servers from the Internet should be prohibited.
  • To use the additional security features of Active Directory, use Active Directory-integrated zones as the DNS zone type.
  • Allow only secure dynamic updates.
  • Limit the number of DNS servers that are allowed to receive zone transfer data.
  • Regularly monitor your DNS servers and the DNS log files.

Understanding the DNS Security Levels

Microsoft has defined three basic levels of DNS security (guidelines) to assist you in implementing a DNS security strategy for a Windows Server DNS infrastructure.

  • Low-level security: Low-level security should be used only when there is no threat of DNS data being intercepted. Microsoft describes low-level security as the default configuration settings when Windows Server DNS is installed.

The characteristics of low-level security configured on DNS servers are:

  • The DNS infrastructure and namespace is fully open to, and exposed to, the Internet.
  • Port 53 is open on your firewall for source and destination addresses.
  • The DNS servers in your DNS environment all use standard DNS name resolution.
  • The DNS servers are configured with root hints that point to the root servers for the Internet.
  • DNS servers that have multiple IP addresses are configured to listen for DNS queries on all interfaces.
  • The DNS servers are allowed to transfer zone data to any server that requests a copy of the zone data.
  • All of your DNS zones can accept dynamic updates from DNS clients. Dynamic update is allowed on the DNS server, and clients are free to update their own resource records at any time.
  • The configuration setting that prevents cache pollution is disabled on your DNS servers.

  • Medium-level security: The medium-level security configuration provides more protection than low-level security. In medium-level security, zone data can be stored in primary and secondary zone files. However, the Active Directory security features that are available when Active Directory-integrated zones are used are not available at the medium level of DNS security.

The characteristics of medium-level security configured on DNS servers are:

  • The DNS infrastructure and DNS namespace's exposure to the Internet is limited. Only specified traffic is permitted to and from the DNS server.
  • DNS zone transfer is restricted to the DNS servers listed in the NS records for the particular zone(s) being transferred. The list can be viewed on the Name Servers tab.
  • DNS zones do not accept dynamic updates.
  • The internal DNS servers are configured to use a defined list of forwarders.
  • DNS servers that have multiple IP addresses are set up to listen for DNS queries on specific IP addresses only.
  • The default configuration setting that prevents cache pollution is enabled on your DNS servers.
  • Internet DNS root hints exist only on the DNS servers external to your firewall.
  • The only external DNS servers allowed to communicate with your internal DNS servers are the DNS servers for which you have authority.

  • High-level security: The high-level security configuration has the same characteristics as the medium-level security configuration, but includes additional security enhancements. The main difference between the two DNS security levels is that the high-level security configuration hosts the DNS server on a domain controller. DNS zone information is stored in Active Directory.

The characteristics of high-level security configured on DNS servers are:

  • Your internal DNS servers do not communicate with Internet servers.
  • A private internal root namespace is implemented and is authoritative for all DNS zones.
  • The DNS servers are hosted on domain controllers.
  • The DNS zone type configured for zones is Active Directory-integrated. Only authorized users are able to create, delete, and change the DNS zones.
  • DNS zone transfer is restricted to specific IP addresses.
  • The resource records stored in Active Directory-integrated zones have DACLs that allow only certain users to create, delete, and change zone data.
  • The only dynamic updates allowed are secure dynamic updates. This requires that zone data be stored in Active Directory.
  • The root hints file for internal DNS servers points only to internal DNS servers that hold root information for the internal namespace.
  • The DNS servers are configured to listen for DNS queries only on a specific set of IP addresses.

Understanding the DNS Security Extensions Protocol

The DNS Security Extensions (DNSSEC) protocol consists of a number of extensions to DNS that make it possible for resource records to be authenticated. DNSSEC works by using public key cryptography with digital signatures. It provides the means for the party that requested information or resource records to authenticate the source of that information. The DNSSEC protocol was designed to protect the Internet from specific kinds of attacks. The protocol can verify that a query response can be traced back to a source that is considered trusted. With DNSSEC, each DNS zone has a public and private key pair. The key pair is used to create and verify digital signatures. In addition to the key pair, DNSSEC uses the following records:

  • NXT record: Creates a chain of certificate owners.
  • KEY record: Stores the public key information for a DNS zone.
  • SIG record: Stores a digital signature that is associated with a set of records.

The process that occurs to resolve queries when DNSSEC is used is outlined below:

  1. The resolver queries the root server to determine the DNS server that is authoritative for the specific zone. The resolver also needs to determine the public key for the specific zone. For the query, the resolver uses the public key of the root server.
  2. Next, the resolver sends the query to the DNS server that is authoritative for the specific zone.
  3. When the authoritative DNS server receives the query, it sends the requested information (resource record) to the resolver with the SIG record that is associated with the specific zone.
  4. When the resolver receives the resource record and the accompanying SIG record, it uses the public key to authenticate the resource records.
  5. The information received from the authoritative DNS server is accepted if the resolver is able to authenticate the resource record and SIG.
  6. The information received from the authoritative DNS server is discarded if the resolver is unable to authenticate the resource record and SIG.
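As an added example (not part of the original article), the following PowerShell uses the Windows DNS client cmdlet Resolve-DnsName to observe the exchange described above from the resolver's side: it asks for a record with the DNSSEC OK bit set so that the signature travels with the answer, and it tests whether a resolver is actually validating by comparing a lookup of a deliberately mis-signed test name with and without the Checking Disabled bit. The record names above (KEY, SIG, NXT) are those of the original RFC 2535 specification; current DNSSEC (RFC 4033-4035) calls them DNSKEY, RRSIG and NSEC, which is what Resolve-DnsName reports. The resolver address and the test name dnssec-failed.org (a public domain published specifically to fail validation) are assumptions, not values from the article.

```powershell
# Added example, not from the original article. Requires the DnsClient module
# (Windows 8 / Windows Server 2012 or later). Resolver address and test name
# are constructed assumptions.

function Get-DnssecEvidence {
    # Query with the DNSSEC OK (DO) bit so that the answer carries its RRSIG
    # (the successor of the SIG record described in the article).
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Type = 'A',
        [string]$Server            # resolver to ask; empty = the client's configured resolver
    )
    $query = @{ Name = $Name; Type = $Type; DnssecOk = $true; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $query.Server = $Server }
    $records = Resolve-DnsName @query

    $answers    = @($records | Where-Object { $_.Type -eq $Type })
    $signatures = @($records | Where-Object { $_.Type -eq 'RRSIG' })

    [pscustomobject]@{
        Name        = $Name
        Type        = $Type
        AnswerCount = $answers.Count
        RrsigCount  = $signatures.Count
        # A signed zone returns at least one RRSIG alongside the answer set.
        Signed      = ($signatures.Count -gt 0)
    }
}

function Test-LookupSucceeds {
    # $true when the resolver answers, $false on SERVFAIL or any other failure.
    param([string]$Name, [string]$Server, [switch]$CheckingDisabled)
    $query = @{ Name = $Name; Type = 'A'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $query.Server = $Server }
    if ($CheckingDisabled) { $query.DnssecCd = $true }
    try { Resolve-DnsName @query | Out-Null; return $true } catch { return $false }
}

function Test-ResolverValidates {
    # A validating resolver refuses (SERVFAIL) a name whose signature does not
    # verify, but still answers when the client sets the CD (Checking Disabled) bit.
    # A non-validating resolver answers in both cases.
    param(
        [string]$Server,
        [string]$BogusName = 'dnssec-failed.org'   # assumption: public test domain that fails validation
    )
    $strict  = Test-LookupSucceeds -Name $BogusName -Server $Server
    $relaxed = Test-LookupSucceeds -Name $BogusName -Server $Server -CheckingDisabled
    [pscustomobject]@{
        Resolver         = if ($Server) { $Server } else { '(system default)' }
        AnswersBogusName = $strict
        AnswersWithCdBit = $relaxed
        Validating       = (-not $strict) -and $relaxed
    }
}

# Usage (placeholder resolver address):
# Get-DnssecEvidence -Name 'example.com' -Server '10.0.0.53'
# Test-ResolverValidates -Server '10.0.0.53'
```

Run Test-ResolverValidates against each internal resolver: a result of AnswersBogusName = True means that resolver would have accepted the forged answer the article's step 6 is meant to discard.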

DNS Security Recommendations for an External DNS Implementation

The DNS security recommendations for an external DNS implementation are summarized below:

  • Harden your DNS servers, and also place these servers in a DMZ or in a perimeter network.
  • Ensure that access rules and packet filtering are defined on your firewalls to control both source and destination addresses and ports.
  • Install all the latest service packs on your DNS servers, and remove all unnecessary services from these servers.
  • Try to eliminate all single points of failure.
  • It is recommended to host your DNS servers on different subnets. Also ensure that your DNS servers have different routers configured.
  • Ensure that zone transfer is allowed only to specific IP addresses.
  • Secure zone transfer data by using VPN tunnels or IPSec.
  • Use a stealth primary server to update the secondary DNS servers that are registered with ICANN.
  • The following recommendations exist for Internet-facing DNS servers:
    • Disable recursion
    • Disable dynamic updates
    • Enable protection against cache pollution
  • Monitor your DNS logs. DNS logging is enabled by default. The DNS service generates DNS logging information that you can use to monitor for attacks on your DNS servers. To view DNS logging information:
    1. Click Start, Administrative Tools, and then click DNS to open the DNS console.
    2. In the console tree, expand Event Viewer.
    3. Click DNS Events to display the DNS logging information in the details pane of the DNS console.
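The console procedure above shows the DNS Server event log by hand. As an added example (not from the original article), the following PowerShell reads the same "DNS Server" log so that the "monitor your DNS logs" recommendation can be run on a schedule: it summarizes critical, error and warning events by event ID and compares the result with a saved baseline so that new or growing event IDs stand out. The baseline file path is an assumption.

```powershell
# Added example, not from the original article. Reads the "DNS Server" event log
# that the article's procedure displays in the DNS console.

function Get-DnsServerLogSummary {
    # Summarise critical, error and warning events from the DNS Server log
    # for the last $Hours hours, grouped by event ID.
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName   = 'DNS Server'
        Level     = 1, 2, 3                       # 1 = Critical, 2 = Error, 3 = Warning
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent reports an error when nothing matches; treat that as "no events".
    $events = @(Get-WinEvent -FilterHashtable $filter -ComputerName $ComputerName -ErrorAction SilentlyContinue)

    $events | Group-Object -Property Id | Sort-Object -Property Count -Descending | ForEach-Object {
        $newest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            EventId  = [int]$_.Name
            Count    = $_.Count
            Level    = $newest.LevelDisplayName
            LastSeen = $newest.TimeCreated
            # The first line of the most recent message is usually enough to triage.
            Message  = ($newest.Message -split "`r?`n")[0]
        }
    }
}

function Get-DnsServerLogDelta {
    # Compare the current summary against a saved baseline (CSV written by Export-Csv)
    # and return the event IDs that are new or have grown since the baseline.
    param(
        [Parameter(Mandatory)][string]$BaselineCsv,
        [int]$Hours = 24
    )
    $baseline = @{}
    if (Test-Path $BaselineCsv) {
        Import-Csv $BaselineCsv | ForEach-Object { $baseline[[int]$_.EventId] = [int]$_.Count }
    }
    foreach ($row in Get-DnsServerLogSummary -Hours $Hours) {
        $previous = if ($baseline.ContainsKey($row.EventId)) { $baseline[$row.EventId] } else { 0 }
        if ($row.Count -gt $previous) {
            $row | Add-Member -NotePropertyName PreviousCount -NotePropertyValue $previous -PassThru
        }
    }
}

# Usage (baseline path is a placeholder):
# Get-DnsServerLogSummary -Hours 24 | Format-Table -AutoSize
# Get-DnsServerLogSummary | Export-Csv .\dns-baseline.csv -NoTypeInformation
# Get-DnsServerLogDelta -BaselineCsv .\dns-baseline.csv
```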

DNS Security Recommendations for an Internal DNS Implementation

The DNS security recommendations for an internal DNS implementation are summarized below:

  • Try to eliminate all single points of failure.
  • Never allow access to your internal DNS servers from the Internet.
  • Use Active Directory-integrated zones so that zone data is stored in Active Directory and Active Directory replication is used to replicate zone data between DNS servers. Zones that store their data in Active Directory can use the security features provided by Active Directory.
  • Ensure that only secure updates are allowed on your Active Directory-integrated zones.
  • Limit the number of DNS servers that are allowed to receive zone transfer data.
  • If you want to improve security for your internal DNS infrastructure, use a separate, internal namespace.

Managing DACLs on DNS Servers Configured as Domain Controllers

When DNS servers are configured as domain controllers, you can use DACLs to control permissions for Active Directory users and groups on the DNS Server service. It is recommended to restrict and change the default users and groups, and their associated permissions on the DNS Server service, to only those users, groups, and permissions that are necessary. The DACL of a DNS server configured as a domain controller can be managed through:

  • The Active Directory object
  • The DNS console

The default users and groups, and their associated permissions, created for DNS servers running as a domain controller are:

  • Enterprise Admins: Full Control, Read, Write, Create All Child objects, and Delete Child objects.
  • Enterprise Domain Controllers: Special Permissions.
  • System: Full Control, Read, Write, Create All Child objects, and Delete Child objects.
  • Domain Admins: Full Control, Read, Write, Create All Child objects, and Delete Child objects.
  • DnsAdmins: Full Control, Read, Write, Create All Child objects, and Delete Child objects.
  • Administrators: Read, Write, Create All Child objects, and Special Permissions.
  • Authenticated Users: Read, and Special Permissions.
  • Creator Owner: Special Permissions.
  • Pre-Windows 2000 Compatible Access: Special Permissions.

Managing DACLs on DNS Zones Stored in Active Directory

It is recommended to restrict and change the default users and groups, and their associated permissions on DNS zones, to only those users, groups, and permissions that are necessary. The default users and groups, and their associated permissions, created for DNS zones stored in Active Directory are:

  • Enterprise Admins: Full Control, Read, Write, Create All Child objects, and Delete Child objects.
  • Enterprise Domain Controllers: Full Control, Read, Write, Create All Child objects, Delete Child objects, and Special Permissions.
  • System: Full Control, Read, Write, Create All Child objects, and Delete Child objects.
  • Domain Admins: Full Control, Read, Write, Create All Child objects, and Delete Child objects.
  • DnsAdmins: Full Control, Read, Write, Create All Child objects, and Delete Child objects.
  • Administrators: Read, Write, Create All Child objects, and Special Permissions.
  • Authenticated Users: Create All Child objects.
  • Everyone: Read, and Special Permissions.
  • Creator Owner: Special Permissions.
  • Pre-Windows 2000 Compatible Access: Special Permissions.

Managing DACLs on DNS Resource Records in Active Directory

If DNS is integrated with Active Directory, you can manage the DACLs on the DNS resource records. It is important to limit both user and group permissions to only those permissions that are necessary. The default users and groups, and their associated permissions, on resource records in Active Directory are listed below:

  • Enterprise Admins: Full Control, Read, Write, Create All Child objects, and Delete Child objects.
  • Enterprise Domain Controllers: Full Control, Read, Write, Create All Child objects, Delete Child objects, and Special Permissions.
  • System: Full Control, Read, Write, Create All Child objects, and Delete Child objects.
  • Domain Admins: Full Control, Read, Write, Create All Child objects, and Delete Child objects.
  • DnsAdmins: Full Control, Read, Write, Create All Child objects, and Delete Child objects.
  • Administrators: Read, Write, Create All Child objects, and Special Permissions.
  • Authenticated Users: Create All Child objects.
  • Everyone: Read, and Special Permissions.
  • Creator Owner: Special Permissions.
  • Pre-Windows 2000 Compatible Access: Special Permissions.
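The three DACL sections above list the principals that hold rights on the DNS Server object, on zones and on resource records by default, and recommend trimming them to what is necessary. As an added example (not from the original article), the following PowerShell turns that list into a check: it enumerates the dnsZone objects in Active Directory and reports every principal outside the default list that holds write-class rights (create, delete, write property, write DACL or owner, or generic all). It assumes the ActiveDirectory RSAT module and read access to the DNS application partitions; the three distinguished-name locations searched are where Windows DNS stores Active Directory-integrated zones.

```powershell
# Added example, not from the original article. Audits the DACLs on dnsZone objects
# in Active Directory against the default principals the article lists. Requires the
# ActiveDirectory module (RSAT) and read access to the DNS application partitions.
Import-Module ActiveDirectory     # also creates the AD: PSDrive used by Get-Acl below

function Get-DnsZoneAdObject {
    # All dnsZone objects in the three places Windows DNS stores AD-integrated zones.
    $domain     = Get-ADDomain
    $forestRoot = Get-ADDomain -Identity (Get-ADForest).RootDomain
    $searchBases = @(
        "DC=DomainDnsZones,$($domain.DistinguishedName)",
        "DC=ForestDnsZones,$($forestRoot.DistinguishedName)",
        "CN=MicrosoftDNS,CN=System,$($domain.DistinguishedName)"
    )
    foreach ($base in $searchBases) {
        # A partition that this DC does not host simply yields nothing.
        try { Get-ADObject -LDAPFilter '(objectClass=dnsZone)' -SearchBase $base -ErrorAction Stop } catch { }
    }
}

function Get-UnexpectedDnsZoneAce {
    param(
        # Principals the article lists as default holders of rights on zone objects.
        [string[]]$ExpectedPrincipal = @(
            'Enterprise Admins', 'ENTERPRISE DOMAIN CONTROLLERS', 'SYSTEM', 'Domain Admins',
            'DnsAdmins', 'Administrators', 'Authenticated Users', 'Everyone',
            'CREATOR OWNER', 'Pre-Windows 2000 Compatible Access'
        )
    )
    # Rights that let a principal alter zone content or the DACL itself.
    $writeRights = 'GenericAll|GenericWrite|WriteProperty|CreateChild|DeleteChild|DeleteTree|Delete|WriteDacl|WriteOwner'

    foreach ($zone in Get-DnsZoneAdObject) {
        $acl = Get-Acl -Path "AD:\$($zone.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who  = $ace.IdentityReference.Value      # e.g. CORP\DnsAdmins, NT AUTHORITY\SYSTEM, Everyone
            $name = ($who -split '\\')[-1]            # strip the domain / authority prefix
            if ($ExpectedPrincipal -contains $name) { continue }   # -contains is case-insensitive
            if ($ace.ActiveDirectoryRights.ToString() -notmatch $writeRights) { continue }
            [pscustomobject]@{
                Zone      = $zone.Name
                Principal = $who                       # an unresolved SID shows up here as S-1-5-...
                Rights    = $ace.ActiveDirectoryRights.ToString()
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: Get-UnexpectedDnsZoneAce | Format-Table -AutoSize
```

Anything the report lists is either a deliberate delegation you can document or a right that should be removed; an unresolved SID with write rights is worth investigating either way.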

How to secure DNS servers

The methods you can use to secure DNS servers:

  • If you are using DNS zone files to store zone data, change the zone file permissions, or the permissions of the folder that stores the zone files, so that only the System group is allowed Full Control.
  • The DNS registry keys stored under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS should be secured as well.
  • If you have a DNS server that is not configured to resolve Internet names, configure the root hints to point to the DNS servers hosting the root domain.
  • If you have a DNS server that is not configured with forwarders, and the DNS server does not respond to any DNS clients directly, it is recommended that you disable recursion on the DNS server.
  • Configure the Secure cache against pollution option to protect the DNS server from an intruder who may be attempting to pollute the DNS cache with incorrect information.
  • Limit the number of IP addresses on which the DNS server listens for DNS queries.
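The first two items above, and the earlier section on zones not stored in Active Directory, call for restricting the zone-file and DNS registry-key permissions to the System group. As an added example (not from the original article), the following PowerShell audits both: it lists every Allow entry on the zone-file folder, on each zone file in it, and on the DNS service key that grants write-class rights to a principal you have not declared as trusted. The folder path is the Windows default location for zone files; the trusted-principal default of SYSTEM alone follows the article and is an assumption you can widen.

```powershell
# Added example, not from the original article. Audits the NTFS ACL on the zone-file
# folder and the ACL on the DNS service registry key. Paths are the Windows defaults;
# the trusted-principal list is an assumption that follows the article (System only).

function Get-WriteAce {
    # Return Allow ACEs granting write-class rights to principals not in $TrustedPrincipal.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$TrustedPrincipal = @('NT AUTHORITY\SYSTEM')
    )
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($TrustedPrincipal -contains $who) { continue }
        # FileSystemAccessRule exposes FileSystemRights; RegistryAccessRule exposes RegistryRights.
        $rights = if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
            $ace.RegistryRights.ToString()
        } else {
            $ace.FileSystemRights.ToString()
        }
        # Generic rights (GENERIC_ALL etc.) render as bare numbers; flag those for manual review too.
        $isWrite = ($rights -match 'FullControl|Modify|Write|Delete|ChangePermissions|TakeOwnership|CreateSubKey|SetValue') -or
                   ($rights -match '^-?\d+$')
        if (-not $isWrite) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $who
            Rights    = $rights
            Inherited = $ace.IsInherited
        }
    }
}

function Get-DnsFileAndRegistryFinding {
    param(
        [string]$ZoneFolder  = (Join-Path $env:SystemRoot 'System32\dns'),   # default zone-file folder
        [string]$RegistryKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS',
        [string[]]$TrustedPrincipal = @('NT AUTHORITY\SYSTEM')
    )
    $targets = @($ZoneFolder, $RegistryKey)
    # Individual zone files (*.dns) may carry their own explicit ACEs, so check each one.
    if (Test-Path $ZoneFolder) {
        $targets += @(Get-ChildItem -Path $ZoneFolder -Filter '*.dns' -File | Select-Object -ExpandProperty FullName)
    }
    foreach ($t in $targets) {
        if (Test-Path $t) { Get-WriteAce -Path $t -TrustedPrincipal $TrustedPrincipal }
    }
}

# Usage:
# Get-DnsFileAndRegistryFinding | Format-Table -AutoSize
# To tolerate the built-in Administrators group as well:
# Get-DnsFileAndRegistryFinding -TrustedPrincipal 'NT AUTHORITY\SYSTEM','BUILTIN\Administrators'
```

A fresh install will report BUILTIN\Administrators and the TrustedInstaller service on the folder; whether those stay is a decision to record, and the script only reports, it never rewrites an ACL.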

How to configure the root hints to point to the DNS servers hosting the root domain

  1. Click Start, Administrative Tools, and then click DNS.
  2. In the console tree, right-click the DNS server that you want to configure, and then select Properties to open the DNS server's Properties dialog box.
  3. Click the Root Hints tab.
  4. To add a root server, click the Add button and enter the name and IP address of the record.
  5. To edit an existing root server, click the Edit button.
  6. To copy root hints from another DNS server, click the Copy From Server button.
  7. To remove an existing root server, select the root server and then click the Remove button.
  8. Click OK.

How to disable recursion

  1. Click Start, Administrative Tools, and then click DNS to open the DNS console.
  2. In the console tree, right-click the DNS server that you want to disable recursion for, and then click Properties on the shortcut menu.
  3. When the DNS server Properties dialog box opens, click the Advanced tab.
  4. In the Server Options list, select the Disable Recursion checkbox.
  5. Click OK.

How to configure the Secure cache against pollution option

  1. Click Start, Administrative Tools, and then click DNS.
  2. In the console tree, right-click the DNS server that you want to configure, and then select Properties to open the DNS server's Properties dialog box.
  3. Click the Advanced tab.
  4. In the Server Options list, select the Secure Cache Against Pollution checkbox.
  5. Click OK.

How to limit the IP addresses on which the DNS server listens for DNS queries

  1. Click Start, Administrative Tools, and then click DNS.
  2. In the console tree, right-click the DNS server that you want to configure, and then select Properties from the shortcut menu.
  3. Click the Interfaces tab.
  4. Select the Only the following IP addresses option.
  5. Specify the IP addresses that the DNS server should listen on in the IP Address field.
  6. Click OK.
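The four server-level procedures above (root hints, disable recursion, Secure cache against pollution, and the listening addresses), which repeat the earlier console walkthroughs, are all properties of the server rather than of a zone. As an added example (not from the original article), the following PowerShell applies them with the DnsServer module that ships with Windows Server 2012 and later, replaces the Internet root servers preloaded from Cache.dns with internal ones, and reads the settings back so the result can be verified on this server or audited on others. The listen address and the internal root server names and addresses are constructed placeholders.

```powershell
# Added example, not from the original article. Applies and verifies the server-level
# settings from the preceding procedures with the DnsServer PowerShell module
# (Windows Server 2012 or later). Addresses and root server names are placeholders.
Import-Module DnsServer

function Set-DnsServerHardening {
    # Disable recursion (also disables forwarders), turn on cache pollution protection,
    # and listen only on the given addresses. As the article specifies, disable recursion
    # only on servers that neither answer clients directly nor act as forwarders.
    param(
        [Parameter(Mandatory)][System.Net.IPAddress[]]$ListenAddress,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    Set-DnsServerRecursion -ComputerName $ComputerName -Enable $false
    Set-DnsServerCache     -ComputerName $ComputerName -EnablePollutionProtection $true

    $setting = Get-DnsServerSetting -ComputerName $ComputerName -All
    $setting.ListeningIPAddress = $ListenAddress      # "Only the following IP addresses"
    Set-DnsServerSetting -ComputerName $ComputerName -InputObject $setting
}

function Set-InternalRootHints {
    # Replace the Internet root servers preloaded from Cache.dns with your internal
    # root servers. $InternalRoot maps FQDN (with trailing dot) -> IP address.
    param(
        [Parameter(Mandatory)][hashtable]$InternalRoot,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $present = @{}
    foreach ($hint in Get-DnsServerRootHint -ComputerName $ComputerName) {
        $ns = $hint.NameServer.RecordData.NameServer
        if ($InternalRoot.ContainsKey($ns)) {
            $present[$ns] = $true
        } else {
            Remove-DnsServerRootHint -ComputerName $ComputerName -NameServer $ns -Force
        }
    }
    foreach ($entry in $InternalRoot.GetEnumerator()) {
        if (-not $present.ContainsKey($entry.Key)) {
            Add-DnsServerRootHint -ComputerName $ComputerName -NameServer $entry.Key -IPAddress $entry.Value
        }
    }
}

function Test-DnsServerHardening {
    # Read back the live state so the change can be verified, or other servers audited.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $recursion = Get-DnsServerRecursion -ComputerName $ComputerName
    $cache     = Get-DnsServerCache     -ComputerName $ComputerName
    $setting   = Get-DnsServerSetting   -ComputerName $ComputerName -All
    $roots     = @(Get-DnsServerRootHint -ComputerName $ComputerName |
                   ForEach-Object { $_.NameServer.RecordData.NameServer })
    [pscustomobject]@{
        Server               = $ComputerName
        RecursionDisabled    = -not $recursion.Enable
        PollutionProtection  = $cache.EnablePollutionProtection
        ListenAddresses      = ($setting.ListeningIPAddress | ForEach-Object { $_.ToString() }) -join ','
        RootHints            = $roots -join ','
        # Any name under root-servers.net means the Internet root servers are still present.
        InternetRootsPresent = [bool]($roots | Where-Object { $_ -like '*.root-servers.net.' })
    }
}

# Usage (placeholders):
# Set-DnsServerHardening -ListenAddress '10.0.0.53'
# Set-InternalRootHints  -InternalRoot @{ 'root1.corp.example.' = '10.0.0.10'; 'root2.corp.example.' = '10.0.0.11' }
# Test-DnsServerHardening
```

Test-DnsServerHardening run against every internal server is a quick way to confirm the high-level configuration described earlier: recursion off where it should be, pollution protection on, a fixed listener list, and no Internet root hints left behind.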

How to enable secure dynamic updates

  1. Click Start, Administrative Tools, and then click DNS to open the DNS console.
  2. In the console tree, right-click the DNS zone that you want to configure, and then select Properties from the shortcut menu.
  3. Verify on the General tab that the zone type configured for the zone is Active Directory-integrated.
  4. In the Dynamic Updates drop-down list box, select the Secure only option.
  5. Click OK.

How to limit zone transfers

  1. Click Start, Administrative Tools, and then click DNS to open the DNS console.
  2. In the console tree, right-click the DNS zone that you want to configure, and then select Properties from the shortcut menu.
  3. When the DNS zone's Properties dialog box opens, click the Zone Transfers tab.
  4. To disable zone transfers, clear the Allow Zone Transfers checkbox.
  5. To allow zone transfers, select the Allow Zone Transfers checkbox.
  6. It is strongly recommended not to select the To Any Server option, because zone transfers would then be allowed to any server that requests a copy of the zone data.
  7. The Only To Servers Listed On The Name Servers Tab option provides only medium-level DNS security.
  8. It is recommended to select the Only To The Following Servers option, which provides the most security.
  9. After selecting the Only To The Following Servers option, specify by IP address which DNS servers can request zone transfers.
  10. Click OK.
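The two zone-level procedures above (Secure only dynamic updates, and zone transfers restricted to listed IP addresses) are the settings the article's high-level configuration requires on every zone. As an added example (not from the original article), the following PowerShell applies both with the DnsServer module, refusing the Secure only option on a zone that is not Active Directory-integrated (the check step 3 of the dynamic update procedure performs by eye), and audits every primary zone on the server against the low, medium and high transfer settings named in steps 6 to 8. The zone name and secondary server addresses are constructed placeholders.

```powershell
# Added example, not from the original article. Applies the two zone-level controls
# from the preceding procedures with the DnsServer PowerShell module and audits every
# primary zone on the server. Zone name and secondary addresses are placeholders.
Import-Module DnsServer

function Set-DnsZoneSecurity {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][System.Net.IPAddress[]]$SecondaryServer,   # the "Only To The Following Servers" list
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $zone = Get-DnsServerZone -Name $ZoneName -ComputerName $ComputerName
    if ($zone.ZoneType -ne 'Primary') {
        throw "$ZoneName is a $($zone.ZoneType) zone; only primary zones carry these settings."
    }
    # The "Secure only" option exists only for Active Directory-integrated zones.
    if (-not $zone.IsDsIntegrated) {
        throw "$ZoneName is file-backed; Secure only dynamic update requires an Active Directory-integrated zone."
    }
    Set-DnsServerPrimaryZone -Name $ZoneName -ComputerName $ComputerName -DynamicUpdate Secure
    # TransferToSecureServers is "Only To The Following Servers"; SecondaryServers is that list.
    Set-DnsServerPrimaryZone -Name $ZoneName -ComputerName $ComputerName `
        -SecureSecondaries TransferToSecureServers -SecondaryServers $SecondaryServer
}

function Get-DnsZoneSecurityFinding {
    # Report primary zones that fall short of the article's high-level configuration.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $zones = Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }
    foreach ($z in $zones) {
        $findings = @()
        if (-not $z.IsDsIntegrated) { $findings += 'zone data stored in a file, not in Active Directory' }
        if ("$($z.DynamicUpdate)" -eq 'NonsecureAndSecure') { $findings += 'accepts nonsecure dynamic updates' }
        switch ("$($z.SecureSecondaries)") {
            'TransferAnyServer'        { $findings += 'zone transfer allowed to any server (low level)' }
            'TransferToZoneNameServer' { $findings += 'zone transfer allowed to every NS-listed server (medium level)' }
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Zone          = $z.ZoneName
                DynamicUpdate = "$($z.DynamicUpdate)"
                Transfer      = "$($z.SecureSecondaries)"
                Secondaries   = ($z.SecondaryServers | ForEach-Object { $_.ToString() }) -join ','
                Finding       = $findings -join '; '
            }
        }
    }
}

# Usage (placeholders):
# Set-DnsZoneSecurity -ZoneName 'corp.example' -SecondaryServer '10.0.0.11','10.0.0.12'
# Get-DnsZoneSecurityFinding | Format-Table -AutoSize
```

A zone that reports TransferToZoneNameServer is at the medium level described earlier: any host that can get itself listed in the NS records can pull the zone, which is why the article prefers the explicit IP list.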
