Configure ISA to enable a DNS intrusion detection filter

Because Windows 2000 relies heavily on DNS, securing your DNS server should be a priority. Windows DNS is one of the fundamental services used by every Windows 2000 network that follows the domain or forest tree model. It is a good idea to keep this service as secure as possible, as most of your server services, such as Microsoft ISA, Exchange 2000, and any other communication software, have serious dependencies on the flawless execution of the DNS service. By making use of ISA's intrusion detection features, the organization gains the assurance that a substantial DNS IDS has been set up to handle attempted intrusions.

ISA's DNS filter works well and does the job at an acceptable level. However, it is recommended that a HIDS be used as a complementary solution to ensure that more comprehensive coverage is reached. A product such as GFI's LANguard is recommended for use in conjunction with it, as this product has been tried and tested and performs as an extra layer of protection.

I have written a white paper on DNS protection and have published it on the white paper encompasses a detailed level of DNS protection and it is advisable that the recommendations within the whitepaper be considered in a comprehensive security strategy.

Operating system considerations

Regardless of which operating system is chosen, it is imperative that the operating system be hardened. When a Windows system is installed, you will find that administrative shares and printers are quietly available to anyone who understands how to manipulate the system. All unused accounts should be removed from the installed machine, the built-in administrator account should be renamed, and a decoy account called Administrator should be created with the lowest privileges available. All default shares should be unshared and unused services stopped. A DNS server should be dedicated only to DNS; this ensures that no other software with latent vulnerabilities is installed on the machine. Ensure that the multitude of hot fixes and security patches have been applied to the DNS server. Below is a list of considerations that should be implemented when dealing with operating systems.

  1. Ensure that the operating system has all the latest service packs applied to it.
  2. Ensure that the administrator account is well protected.
  3. Ensure that the DNS machine has been configured so that no service other than DNS is running.
  4. Ensure that all default shares have been unshared on that machine and that no anonymous access to the services is allowed.
  5. Ensure that all unused ports are closed.

ISA Configuration

DNS traffic is typically TCP port 53 for zone transfers and UDP port 53 for DNS queries. Other traffic should not be allowed to reach the DNS server and should be regarded as unauthorized DNS traffic. Unauthorized traffic should be investigated as soon as the corresponding alerts have been sent. ISA detects traffic sent as DNS zone transfers from privileged ports (1-1024) and as DNS zone transfers from high ports (above 1024). It is recommended that these settings be left enabled, as the benefits are great.

Zone transfer considerations

Knowing how to control zone transfers is tremendously significant when securing DNS servers in a Windows environment. Windows 2000 allows the access lists that control each individual zone and its zone transfers to be altered. A zone transfer moves all the records for a particular zone from one server to another, and it is particularly important to note that a forward lookup zone containing Windows 2000 domain information should not be transferred to any server outside the Windows 2000 domain. This is configured in the Zone Transfers tab of the properties of the specific domain name in the DNS MMC.

If you wish, you can specify a list of IP addresses to which zone transfers are allowed. This option allows granular control of zone transfers through a list of IP addresses; only IP addresses that appear on the list are authorized candidates for zone transfers. This option increases DNS zone transfer security significantly, and it is recommended practice to use it where possible, as it reduces the chance of an unauthorized zone transfer. This option is activated in the Zone Transfers tab of the properties of the domain name in the DNS MMC. If you are sure that your zones will not be transferred, it is advisable to enable the no-zone-transfer mode. This setting is extremely secure and does not pose a threat, as there is no opportunity for impersonation or spoofing of a cloned zone transfer server. This strategy is recommended for organizations like banks and military operations, where a zone transfer can have catastrophic consequences.

When setting up your router and firewall, you can ensure that only specific IP addresses, such as your ISP's DNS servers or a branch office connected via the Internet, can query your DNS servers. DNS traffic is transmitted on UDP and TCP port 53, so the firewall and router must have these ports open to allow clients and other servers to make use of DNS.

All client queries are transmitted on UDP port 53, and TCP port 53 is used for zone transfers. Traditionally, zone transfers outside of the protected network should be avoided, so the zone transfer port, TCP port 53, should be blocked at the internal, external, firewall, and DMZ routers. If DNS is configured to allow reverse lookup zone transfers between the internal and external DNS servers, the internal router, firewall, and DMZ router should allow connections on TCP port 53 between the internal and external DNS servers only.

Securing the location of the zone information that a DNS server uses is vital to the organization's wellbeing on the Internet. It is recommended that the DNS zones be converted to Active Directory integrated zones; the advantages this zone type offers are great and include the zone information being stored, replicated, and secured in Active Directory.

If this feature is used, an "Only secure updates" option can be enabled for Dynamic Updates.

This option is recommended when allowing dynamic updates, which is a necessary feature for a Windows 2000 domain. Ensure that only SYSTEM and Administrators have Full Control of the %SystemDirectory%\DNS directory and its subfolders, and that the registry is secured on all DNS servers. Secure the DNS server's registry by ensuring that only Administrators and SYSTEM have Full Control of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS.

Enabling the DNS intrusion detection filter

  1. In the ISA MMC, find Extensions, expand that component, and then click Application Filters.

  2. The window on the right is populated with all the filters. Locate the DNS intrusion detection filter, right-click it, and then click Properties.

  3. You will be presented with the General tab. Click the Attacks tab and ensure that DNS hostname overflow, DNS length overflow, DNS zone transfer from privileged ports (1-1024), and DNS zone transfer from high ports (above 1024) are selected for maximum protection.

DNS hostname overflows

DNS hostname overflows occur when a host name in a DNS response exceeds a fixed length. Some applications do not check the length of the host name and may overflow internal buffers when copying it. This may allow an intruder to execute arbitrary commands on the targeted machine.

DNS length overflows

DNS responses for IP addresses include a length field, which is typically four bytes (the size of an IP address). A DNS response can be crafted to carry a larger value, and various applications performing DNS lookups will then overflow internal buffers, allowing a remote attacker to execute arbitrary commands on any machine exposed to this vulnerability.
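The two overflow descriptions above, the two zone transfer checks on the Attacks tab, and the per-zone list of addresses allowed to pull zone transfers all reduce to inspection rules over a DNS message. The following is an added example written for this page; it is not ISA's code and not the author's. It treats a label longer than 63 bytes or a name longer than 255 bytes (the RFC 1035 limits) as a hostname overflow, an IN A record whose RDLENGTH is not 4 or whose RDATA runs past the message as a length overflow, and classifies AXFR requests by source port the way the filter's two zone transfer checks do. The `allowed_secondaries` parameter, the sample messages, and the addresses (taken from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) are constructed assumptions for the demo.

```python
"""Added example, not code from the article or from ISA: a minimal DNS message
inspector that reproduces the four checks on the DNS intrusion detection
filter's Attacks tab plus the per-zone list of addresses allowed to pull
zone transfers.  All messages and addresses below are constructed."""
import struct

MAX_LABEL = 63        # RFC 1035 limit on a single label
MAX_NAME = 255        # RFC 1035 limit on a full domain name
TYPE_A, TYPE_AXFR, CLASS_IN = 1, 252, 1


class HostnameOverflow(Exception):
    """A name in the message violates the RFC 1035 length limits."""


def _read_labels(msg, offset, hops=0):
    """Collect the labels of the name at offset, following compression pointers.
    Returns (labels, offset just past the name as written on the wire)."""
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                        # pointer to an earlier name
            if offset + 1 >= len(msg) or hops > 16:
                raise ValueError("bad compression pointer")
            pointer = ((length & 0x3F) << 8) | msg[offset + 1]
            rest, _ = _read_labels(msg, pointer, hops + 1)
            return labels + rest, offset + 2
        if length > MAX_LABEL:                           # 0x40/0x80 prefixes are not valid lengths
            raise HostnameOverflow(f"label of {length} bytes exceeds {MAX_LABEL}")
        offset += 1
        if length == 0:                                  # root label ends the name
            return labels, offset
        if offset + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[offset:offset + length])
        offset += length


def read_name(msg, offset):
    """Decode the name at offset; raise HostnameOverflow if it exceeds 255 bytes."""
    labels, end = _read_labels(msg, offset)
    name = b".".join(labels).decode("latin-1")
    if len(name) > MAX_NAME:
        raise HostnameOverflow(f"name of {len(name)} bytes exceeds {MAX_NAME}")
    return name, end


def inspect_dns(src_ip, src_port, payload, allowed_secondaries=()):
    """Return the alerts raised for one DNS message (TCP length prefix removed).
    allowed_secondaries plays the role of the Zone Transfers tab's IP list."""
    alerts = []
    if len(payload) < 12:
        return ["malformed DNS message (short header)"]
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    offset = 12
    try:
        for _ in range(qdcount):
            qname, offset = read_name(payload, offset)
            qtype, _qclass = struct.unpack("!HH", payload[offset:offset + 4])
            offset += 4
            if qtype == TYPE_AXFR:                       # a zone transfer request
                if src_port <= 1024:
                    alerts.append("DNS zone transfer from privileged ports (1-1024)")
                else:
                    alerts.append("DNS zone transfer from high ports (above 1024)")
                if src_ip not in allowed_secondaries:
                    alerts.append(f"zone transfer of {qname} requested by unlisted address {src_ip}")
        for _ in range(ancount):
            _name, offset = read_name(payload, offset)
            rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", payload[offset:offset + 10])
            offset += 10
            # An IN A record must carry exactly four bytes; any other claim, or
            # RDATA running past the end of the message, is a length overflow.
            if (rtype == TYPE_A and rclass == CLASS_IN and rdlength != 4) \
                    or offset + rdlength > len(payload):
                alerts.append("DNS length overflow")
                break
            offset += rdlength
    except HostnameOverflow:
        alerts.append("DNS hostname overflow")
    except (ValueError, struct.error):
        alerts.append("malformed DNS message")
    return alerts


# Builders for constructed sample messages (question name compressed in answers).
def build_name(labels):
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def build_query(labels, qtype):
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + build_name(labels) + struct.pack("!HH", qtype, CLASS_IN)


def build_a_response(labels, rdata):
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = build_name(labels) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    secondaries = {"192.0.2.10"}                         # constructed: the only allowed secondary
    print(inspect_dns("198.51.100.5", 40000, build_a_response([b"www", b"example", b"com"], bytes(300))))
    print(inspect_dns("198.51.100.5", 40000, build_query([b"A" * 80, b"example", b"com"], TYPE_A)))
    print(inspect_dns("203.0.113.7", 51000, build_query([b"example", b"com"], TYPE_AXFR), secondaries))
```

The inspector stops at the first overflow it finds, as a filter would, and reports any other parse failure as a malformed message rather than trying to continue through data it cannot trust.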

You have now configured your ISA DNS intrusion detection filter. Bear in mind that ISA intrusion detection is not as comprehensive as a dedicated HIDS (host intrusion detection system), and it is recommended to have an industry-leading HIDS installed on your ISA server as a complementary package. Be sure to test your intrusion detection system thoroughly in a lab environment before implementing it in a live system.


This article has focused on ISA being able to block certain intrusion attempts on a DNS server within the network. The fact that ISA is so well complemented by GFI's LANguard shows that it should be a strong consideration when implementing your security strategy. HIDS has become an essential part of any network's security plan. For more information on intrusion detection and its functions, more documentation is available at As quoted before, prepare yourself for the intruder, for if you don't, they are always prepared to exploit your vulnerabilities.
