Securing DNS for Windows (Part 1)


If you would like to read the other parts in this article series please go to Securing DNS for Windows (Part 2)

DNS is a rather simple service, but protecting it can make or break your entire network infrastructure. Even though DNS is a simple database of names and numbers, an attacker can take full advantage of the information that they can glean from compromising the database. Some attacks can be to gather information from your database, only to use that information against you as they build a structure of what your network looks like. Other attacks will put information into your database, in an attempt to have your DNS servers perform name resolutions that they would normally not perform. Regardless of the attack on your DNS infrastructure, you need to take precautions to thwart off these attacks before it is too late.

DNS Basics

DNS, Domain Naming Service, is a service that resolves IP addresses to names. The key here is to understand which names we are talking about. As the name indicates, DNS stores domain related information. For example, Active Directory uses DNS to store domain names and all of the computer names for the computers on the network. If your domain is named policy.org and the first domain controller in your domain is PDC1, you will have entries in DNS similar to that in Figure 1.


Figure 1: DNS entries for the first computers in your Active Directory domain

Notice in Figure 1 that not only is there an entry for PDC1, there is an associated IP address for PDC1 of X.X.X.X. The reason there is an IP address associated with the name is that your computer and other services on the network don’t use names, rather they use IP addresses. However, as humans, we prefer names over IP addresses. DNS comes to the rescue by allowing resolution of names to IP addresses. DNS can also be configured with a reverse lookup zone, which will return names when given an IP address.

Securing DNS with Active Directory

One of the first decisions you need to make is the type of DNS database you will configure to support your Active Directory domain. You can either store the information in a standard DNS database, which will have a primary DNS server with secondary DNS servers, or you can configure the DNS database to be Active Directory integrated, as shown in Figure 2.


Figure 2: DNS database can be Active Directory integrated

It is highly recommended that you configure your DNS servers to be Active Directory integrated when they are supporting Windows Active Directory, due to the security benefits that you get. You also get some redundancy and stability benefits from this type of DNS database, but here, we want to focus on the security aspects.

The main security benefit that you get from an Active Directory integrated DNS database is secure dynamic updates, as the configuration can be seen in Figure 3. Dynamic updates are a key feature of DNS, which allow domain computers to automatically register their name and IP address with the DNS server when they come on the network or change IP addresses through the DHCP server. This form of update eliminates the need for manual entries of names and IP addresses into the DNS database, which was the old method. The security aspect comes into play when you consider that an automatic update from a client into the DNS database could open up a door for a malicious entry. Therefore, secure dynamic updates will verify that the computer that is requesting the update to the DNS server also has an entry in the Active Directory database. This means that only computers that have joined the Active Directory domain can dynamically update the DNS database.


Figure 3: Active Directory integrated DNS databases can be configured for security dynamic updates

Having DHCP do the Dynamic Update

One option that you have in a Windows environment is to have DHCP perform the dynamic update for the client. This is not required for Windows 2000/XP/Server 2003/Vista computers, but it is required for Windows NT/9x computers. In some cases, it is not a question as to the need, rather than the desire to have the DHCP server perform the update, rather than impose that on the client computers.

The caveat to this configuration is that now the DHCP servers are the owners of the entries, prohibiting other DHCP servers or the client to update the record in the future. To solve this, there is a DNSUpdateProxy group. To solve the issue, add the DHCP server accounts into this group, which will result in the entries into DNS for the clients to have relaxed Access Control Lists (ACLs). The new ACL will include Authenticated Users to have the ability to update the DNS entry for the client. This is designed so that other DHCP servers or even the client can update future entries into DNS for this client.

The security of letting Authenticated Users have the ability to update the client is not bad enough, but there is another issue that can arise. If you install DHCP on a domain controller and then add this computer to the group, the result is that all entries that are made by the domain controller have these same relaxed ACLs. With the entries for domain controllers being so sensitive to the security and stability of Active Directory, having such relaxed entries for these entries is not in the best security interest of your organization. The entries that would be exposed include all of the SRV (Service Resource Records) that control how clients and servers find Active Directory related services within the network. This includes Kerberos, site, TCP, IP, and more SRV records.

Therefore, the solution to this is to NOT have DHCP installed on your domain controllers. If you do have DHCP installed on your domain controllers, it is a best practice to not have these DHCP servers perform the dynamic updates for the clients. Otherwise, you will be injecting insecure settings into each and every intro that is made for the domain controller in DNS.

Summary

As you can see, DNS is a simple, yet potentially complex service. With only the task of resolving names to IP addresses, or vice versa, one would think that it would be easy to configure and secure. However, there are settings that will allow a more secure and stable DNS environment. First, the ability to make the DNS database Active Directory integrated provides seamless compatibility with Active Directory, as well as the ability to have secure dynamic updates. These secure dynamic updates help protect against malicious entries into the DNS database by computers that are not part of the domain. With these dynamic updates, you can have the client perform them on their own behalf, or have DHCP do it. If you choose to use DHCP and the DNSUpdateProxy group, you will need to ensure that this configuration is not exposing your domain controller entries into DNS. The simple solution to this is to not have your domain controllers perform DHCP duties. 

In the next article, I will go over some of the detailed settings that you can make in DNS to help protect and secure the DNS database and service for your network.

If you would like to read the other parts in this article series please go to Securing DNS for Windows (Part 2)

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top