Securing Windows 2000 DNS by design (Part 1)
This white paper focuses on the importance of securing your Windows network's DNS service, and on the features, functionality and security that can be built into the DNS server by design. Several deployment methods for DNS in a Windows 2000 environment will be covered and defined. This document is intended to provide clarification when enabling the operational requirements of organizations designing secure DNS. Knowing that Windows 2000 and above relies heavily on a functioning DNS, your focus should be on securing your valuable DNS server. Windows DNS is one of the fundamental services used by all Windows 2000 networks that conform to the domain or forest tree model. It is a good idea to keep this service as secure as possible, as most of your server services, such as Microsoft ISA, Exchange 2000 and any other communication software, have serious dependencies on the flawless execution of the DNS service.
Major DNS-related incidents in the past led Fortune 500 companies to close the BIND (Berkeley Internet Name Domain) holes before they could be exploited. Although BIND is a UNIX name server, it could just as easily have been Windows or whichever DNS implementation was the flavor of the day. In early 2001 over 40% of the top companies had the DNS vulnerability. This information was published on hacker sites as soon as it was released; egg throwers were quick to seize the opportunity and hackers scrambled to exploit the Fortune 500 DNS vulnerability. Recommendation: do not become a statistic; take action. Keep abreast of the latest patches and test them in a lab before going live.
DNS fail-over strategy.
Redundancy is paramount for any DNS implementation. A multitude of applications rely on DNS for name resolution in multiplatform environments. HTTP, SMTP and many other Windows applications require DNS as a vital "life source", and this is why organizations should look at a fail-over strategy when implementing DNS.
A robust design should include at least two internal DNS servers for every 500 users. The DNS servers should be distributed throughout the company as a load-balancing strategy, and using Performance Monitor you should identify the segments that need their own DNS servers. Furthermore, if segments are separated by WAN links it is advisable to have a DNS server on each side, to prevent clients from traveling over slow WAN links to resolve domain names. Secondary DNS servers should be set up on the local DHCP/WINS server at each site.
This simple strategy not only spreads the risk of a central DNS server going down but also speeds up resolution. As a further measure it may be advisable to install a good HIDS on the DNS server in case an intruder is lurking; excellent tried and tested software would be LANguard by GFI. It is a good idea to spread your DNS servers over different subnets, as an interesting lesson can be learnt from a historical attack on Microsoft's DNS servers in the last 5 years.
Incorporate security into the DNS design
When designing the DNS system it is important that security is hard-coded into the design. This method of configuration ensures that if policies are not followed, failsafe strategies are in place to protect the organization's best interests.
- Ensure that the DNS server is placed behind a firewall and that a DNS server is not run with Active Directory services on the Internet.
- Use DNS forwarders and ISP DNS servers as the means of getting DNS resolution; this greatly reduces organizational DNS risk.
- When using Active Directory-integrated domains, always make use of private domain names; by doing this the DNS requests will not be forwarded to DNS servers on the Internet.
- Use proxy servers for clients' DNS requests on the Internet.
- Ensure that private IP addresses are used instead of public IP addresses. This strategy minimizes risk.
Secure the DNS Design
Typically DNS designs comprise a primary DNS server and multiple client DNS servers, known as master/slave. Primary DNS servers should be hosted by the organization, and further client DNS servers reference off the primary master DNS server. Your primary DNS server should have router and firewall protection, as would be found in a DMZ environment.
Split DNS Design
Split DNS design employs the separation of the internal DNS servers from the external DNS servers. Internal servers contain only internal DNS entries and the external server contains only external entries. Intruders look for DNS servers that are not split, as these expose internal hosts to the Internet by revealing internal IP addresses that the intruder can directly address. This information is then used to plot the network's key points and serves as a tool to find the weak spot where the intruder can gain entry.
DNS policies and procedures that facilitate and enforce strong security governance.
Prior to implementing any new network service such as DNS, a structured security policy must be implemented. Policies and procedures are written to ensure a high level of security and compliance, and this system of quality assurance ensures that the level of security does not decrease on any occasion. Your DNS policy should include the points I have stated below.
- Define the backup strategy for the DNS server
- State the appropriate authorized person permissible for DNS administration.
- Define how new DNS records should be added.
- Define security settings and update procedures and how they should be applied.
- Predetermine the fail-over strategy and how and when it should be implemented.
- Formulate zone transfer procedures and the necessary authority controls, as this is a very weak security area if badly managed within the Windows DNS framework.
- Ensure that the latest service packs are installed.
- Include the log maintenance and monitoring in the procedure.
- Include DNS server performance monitoring in the procedure.
- Ensure that all changes are well documented and that any updates are lab-tested before being applied to a live environment.
- The original configuration should be documented and kept without amendments; this will help in the rebuild stage if necessary.
After writing the policy it is up to your IT department to enforce it. A comprehensive policy and procedure is all very well; ensuring that it is applied to the DNS server as part of the security strategy is another matter. Organizations occasionally fail to see the value in following a comprehensive policy with points such as log monitoring and performance checks. This is the main reason that those same organizations are down for several days due to "technical faults". To ensure that your organization does not fall into the same painful trap, ensure that your DNS documentation is holistic and always updated.
DNS and its functions.
DNS is used by Active Directory to locate domain controllers and to resolve IP addresses into FQDNs (fully qualified domain names). It cannot be stressed enough that without a fully functional DNS structure Active Directory will not function as intended. There are various security settings that can be manipulated when using the Windows 2000 Domain Name System (DNS) Server service. In many cases the leverage is in how the DNS has been designed and secured.
Note: recommendations are made throughout this white paper, and in order to follow them through, part of the process is to run each recommendation in a test lab environment. This quality assurance process should shadow your production system closely. Once you are happy with the outcome of the recommendation, it is up to you to transfer the application of the theory onto your production environment.
Windows 2000 security features.
DNS in an Enclosed Environment
- When running DNS in an enclosed environment it is only required that the DNS servers and operating systems be secured.
- The router's external interface and the firewall's external interface should block any inbound DNS traffic on UDP and TCP port 53.
- DNS zones should be Active Directory-integrated and should only allow zone transfers to servers listed in the Name Servers tab.
DNS on the Internet
- Separate the external DNS server from the internal DNS servers that are used for the Windows 2000 domain.
- Active Directory Integrated DNS servers should be used on the internal network.
- Zone transfers should be performed on Internal DNS servers
- Secure zone transfers on the external servers to a specific list of servers.
- Secure the file system
- Secure the registry
- Disable all unused services on External DNS servers
- Disable dynamic updates on External DNS servers.
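As an added example that is not part of the original paper, the following Python script audits a record export from an external (Internet-facing) zone against the split DNS design described earlier and the external-server checklist above: RFC 1918 addresses published externally, Active Directory locator records that belong only on internal servers, dynamic updates left enabled, and zone transfers not restricted to a list of servers. The zone text, its line format and the settings dictionary are constructed for the example and are not a Windows 2000 DNS export format.

```python
import ipaddress

# Constructed sample of records exported from an Internet-facing (external) zone.
# Line format assumed here: "<owner> <type> <rdata>"; ';' starts a comment.
EXTERNAL_ZONE = """\
; example.com external zone (constructed sample, not a real export)
www          A    203.0.113.10
mail         A    203.0.113.25
@            MX   10 mail
fileserver   A    10.1.2.3          ; internal host leaked into the external zone
_ldap._tcp   SRV  0 100 389 dc1     ; AD locator record: belongs on internal DNS only
dc1          A    10.1.2.1
"""

# Constructed sample of the external zone's settings, as an administrator might record them.
EXTERNAL_SETTINGS = {"dynamic_updates": True, "zone_transfers": "any"}

# RFC 1918 ranges: the private address space the paper says must not appear on the Internet.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Owner-name prefixes of the Active Directory locator records an external zone should never carry.
AD_LOCATOR_PREFIXES = ("_ldap.", "_kerberos.", "_kpasswd.", "_gc.", "_msdcs")


def parse_records(zone_text):
    """Parse the simplified zone text into (owner, type, rdata) tuples."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        records.append((owner, rtype.upper(), rdata.strip()))
    return records


def is_rfc1918(address):
    """True if the address lies in one of the three RFC 1918 private ranges."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return any(ip in net for net in PRIVATE_NETS)


def audit_external_zone(zone_text, settings):
    """Return (rule, subject) findings for every split-DNS rule the external zone violates."""
    findings = []
    for owner, rtype, rdata in parse_records(zone_text):
        if rtype == "A" and is_rfc1918(rdata):
            findings.append(("private-address", f"{owner} -> {rdata}"))
        if owner.startswith(AD_LOCATOR_PREFIXES):
            findings.append(("ad-locator-record", owner))
    if settings.get("dynamic_updates"):
        findings.append(("dynamic-updates-enabled", "zone"))
    if settings.get("zone_transfers", "any") == "any":
        findings.append(("zone-transfers-unrestricted", "zone"))
    return findings


if __name__ == "__main__":
    for rule, subject in audit_external_zone(EXTERNAL_ZONE, EXTERNAL_SETTINGS):
        print(f"{rule}: {subject}")
```

Run against the sample it reports the two leaked internal hosts, the `_ldap._tcp` locator record and both weak zone settings; a zone holding only public addresses, with updates disabled and transfers limited to a server list, produces no findings.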
Resolving Internet names can be accomplished by the Internal DNS server without compromising security. You can do this by forwarding DNS queries to the External DNS server.
If you would like to know where a user is coming from when making a request on your DNS server, your external DNS server must have reverse DNS lookup zones enabled. This system is used to verify where the intruder or visitor is coming from. This aspect of security is very necessary if you wish to cut down the time it takes to resolve the name of the intruder in order to take action.
Enabling a reverse lookup in order to secure the internal network.
Strategy 1. To limit the intruder's ability to correctly plot the route to the sheltered network, it is recommended that a reverse lookup zone be enabled on the external DNS server. This will be the server that contains a catalog of all the internal network IP addresses. You should then match the IP addresses with a honeynet or honeypot machine. This is typically a virtual system that exists solely for the purpose of capturing intruders' trends and associating the possible tools that each intruder may be using.
Figure A: the picture above depicts strategy 1
Strategy 2. To show the SOA (start of authority) record within the reverse lookup zone, it is recommended that a reverse lookup zone be added to the external DNS server as a secondary zone belonging to the internal network.
- The external server needs to be added to the list of valid DNS servers to allow zone transfers from one of the internal DNS servers.
- The router and firewall need to be configured to allow communication between the DNS servers.
- No other services other than DNS should be running on the Internal DNS server.
Figure B: the diagram above depicts strategy 2
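Added example, not part of the original paper: how a reverse lookup zone is derived from the internal forward records, covering the in-addr.arpa naming, the SOA record at the zone apex that Strategy 2 refers to, and the lookup an administrator performs to put a host name to a source address seen in a log. Host names, addresses, the SOA timers and the log line are all constructed for the example.

```python
import ipaddress

# Constructed sample: the forward (A) records an internal DNS server holds for a
# sheltered network. Names and addresses are made up for the example.
FORWARD_RECORDS = [
    ("dc1.corp.example.", "10.1.2.1"),
    ("fileserver.corp.example.", "10.1.2.3"),
    ("honeypot.corp.example.", "10.1.2.200"),
    ("branch-dc.corp.example.", "10.7.0.1"),  # outside the /24 used below, so it gets no PTR
]


def ptr_name(address):
    """Owner name of the PTR record for an IPv4 address: octets reversed under in-addr.arpa."""
    ipaddress.IPv4Address(address)  # raises ValueError for anything that is not an IPv4 address
    return ".".join(reversed(address.split("."))) + ".in-addr.arpa."


def reverse_zone_name(network):
    """Name of the reverse lookup zone authoritative for an octet-aligned IPv4 network."""
    net = ipaddress.IPv4Network(network)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("reverse zones are delegated on octet boundaries: use /8, /16 or /24")
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(kept)) + ".in-addr.arpa."


def build_reverse_zone(network, forward_records):
    """Derive the PTR records for `network` from (fqdn, address) forward records."""
    net = ipaddress.IPv4Network(network)
    ptrs = {}
    for fqdn, address in forward_records:
        if ipaddress.IPv4Address(address) in net:
            ptrs[ptr_name(address)] = fqdn
    return ptrs


def render_zone(network, ptrs, primary_ns, hostmaster, serial):
    """Render the zone as text: the SOA record at the apex first, then one PTR line per address."""
    # SOA fields after the serial are refresh, retry, expire and minimum TTL (constructed values).
    lines = [f"{reverse_zone_name(network)} IN SOA {primary_ns} {hostmaster} {serial} 3600 600 86400 3600"]
    # Sort by the address itself, i.e. the owner's octets read back in forward order.
    for owner in sorted(ptrs, key=lambda o: tuple(int(x) for x in reversed(o.split(".")[:4]))):
        lines.append(f"{owner} IN PTR {ptrs[owner]}")
    return "\n".join(lines) + "\n"


def identify_source(ptrs, address):
    """Answer the question a log entry raises: which internal host does this source address belong to?"""
    return ptrs.get(ptr_name(address))


if __name__ == "__main__":
    ptrs = build_reverse_zone("10.1.2.0/24", FORWARD_RECORDS)
    print(render_zone("10.1.2.0/24", ptrs, "ns1.corp.example.", "hostmaster.corp.example.", 2024010101))
    # Constructed firewall log line; the source address is resolved against the reverse zone.
    log_line = "deny tcp src=10.1.2.200 dst=10.1.2.1 dport=445"
    src = log_line.split("src=")[1].split()[0]
    print(src, "->", identify_source(ptrs, src))
```

The `/8`, `/16`, `/24` restriction in `reverse_zone_name` reflects how in-addr.arpa is delegated per octet; a zone for a smaller block needs a delegation scheme the paper does not discuss, so the function refuses it rather than guess.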
Warning: be aware that the scenario where a DNS server connected to the Internet has both a forward and a reverse lookup zone may pose a problem. The reason is that two Windows 2000 forests/trees may be linked via the Internet, and in doing so the server records may be exposed to the Internet. There is nothing stopping an intruder from sniffing this information and plotting the organization's internal network by impersonation, sending valid queries to the DNS server.
Figure C: the diagram above depicts the two Windows domains and how DNS resolution takes place over the Internet, posing the risk.
The counter approach to this scenario would be to use...
- A secure tunneling protocol connecting the two sites over the Internet. This will secure zone transfers.
- Only the precise server records required for the network to function.
- A configuration in which the external DNS server's forward and reverse lookup zones are configured as secondary zones of one internal DNS server's zones.
These counters only secure your server if they are applied together and looked upon as a holistic DNS securing strategy. It is recommended that DNS transmission between trees or forests be reserved for private networks like VPNs and WANs, rather than having the information transmitted in the open on the Internet. Transmitting information over the Internet has major disadvantages, as attackers with lots of time tend to lurk and wait for the opportune moment that arrives when the organization is least expecting an attack. In order to prevent such an attack on your network it is very important that all of your data, be it DNS, mail, HTTP or information that may seem trivial, be encrypted or sent within a private tunnel that an intruder will find extremely challenging to crack.
If the above basic steps are followed you will find that fewer attacks will be attempted on the organization's security. It is a strong belief in the security world that accidents or attacks happen when the security professional is careless. Neglect is a strong source of vulnerability and is the major reason that DNS is a soft spot. Once the Windows DNS system is working, many administrators tend not to touch it for fear of breaking it. They stick to the cliché "if it ain't broke, don't fix it", but I maintain that if it ain't updated, it is broke. Keep abreast of all vulnerabilities and patch those exposed to the outside world, like DNS, with the highest priority. This type of service is very well known in the intruder world, and new ways of exploiting bugs in software come out every day.
This white paper demonstrates the advantages of having a strong design that complements your security strategy. Security professionals should uphold the integrity of their DNS machines so that they are secured and stable. Many patches and hot fixes are released constantly, and keeping up to date with these will increase your level of protection by at least twofold. A great tool that can be run on your machines to look for vulnerabilities and keep you abreast of them is LANguard Network Security Scanner by GFI. This tool takes the pain out of the task of keeping a system manageable and cost effective. Looking for additional vulnerabilities on security websites like WindowSecurity.com also helps you keep up to date with the latest security fads; keep it up, because if you are not prepared, rest assured there is an abundance of intruders that are. Ensure that you don't become a statistic: do something about the way your DNS environment is designed.