Because DNS is a critical network service, you must protect it as much as possible. A number of options are available for protecting the DNS server, including:
• DNS cache locking
• DNS socket pool
• DNSSEC

DNS Cache Locking
Cache locking is a Windows Server 2012 security feature that allows you to control when information in the DNS cache can be overwritten. When a recursive DNS server responds to a query, it caches the results so that it can respond quickly if it receives another query requesting the same information. The period of time the DNS server keeps information in its cache is determined by the Time to Live (TTL) value for a resource record.

Information in the cache can be overwritten before the TTL expires if updated information about that resource record is received. If a malicious user successfully overwrites information in the cache, then the malicious user might be able to redirect your network traffic to a malicious site. When you enable cache locking, the DNS server prohibits cached records from being overwritten for the duration of the TTL value.

You configure cache locking as a percentage value. For example, if the cache locking value is set to 50, then the DNS server will not overwrite a cached entry for half of the duration of the TTL. By default, the cache locking percentage value is 100. This means that cached entries will not be overwritten for the entire duration of the TTL.
You can configure cache locking with the dnscmd tool as follows:
1. Launch an elevated command prompt.
2. Run the following command:
dnscmd /Config /CacheLockingPercent <percent>
3. Restart the DNS service to apply the changes.

Alternatively, you can use the Windows PowerShell Set-DnsServerCache cmdlet with the -LockingPercent parameter to set this value. For example:
Set-DnsServerCache -LockingPercent <value>

DNS Socket Pool
The DNS socket pool enables a DNS server to use source port randomization when issuing DNS queries. When the DNS service starts, the server chooses a source port from a pool of sockets that are available for issuing queries. Instead of using a predictable source port, the DNS server uses a random port number that it selects from the DNS socket pool. The DNS socket pool makes cache-tampering attacks more difficult because a malicious user must correctly guess both the source port of a DNS query and a random transaction ID to successfully run the attack. The DNS socket pool is enabled by default in Windows Server 2012.

The default size of the DNS socket pool is 2,500. When you configure the DNS socket pool, you can choose a size value from 0 to 10,000. The larger the value, the greater the protection you will have against DNS spoofing attacks. If the DNS server is running Windows Server 2012, you can also configure a DNS socket pool exclusion list.
You can configure the DNS socket pool size by using the dnscmd tool as follows:
1. Launch an elevated command prompt.
2. Run the following command:
dnscmd /Config /SocketPoolSize <value>
3. Restart the DNS service to apply the changes.
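The following PowerShell script is an added example, not part of the original post: it reads the two settings discussed above (cache locking percentage and socket pool size) from the local DNS server with the DnsServer module cmdlets and warns when either is below a baseline. The baseline values and the use of Get-DnsServerSetting -All to reach SocketPoolSize are assumptions made here.

```powershell
# Added example: audit cache locking and socket pool size on the local DNS server.
# Baseline values are assumptions chosen for this example (they match the
# defaults the text quotes: locking 100 percent, pool size 2,500).
#Requires -Modules DnsServer

$MinLockingPercent = 100   # below 100, cached records may be overwritten before the TTL expires
$MinSocketPoolSize = 2500  # 0 would disable source port randomization entirely

$cache    = Get-DnsServerCache
$settings = Get-DnsServerSetting -All   # assumption: SocketPoolSize is in the full settings set

$findings = @()

if ($cache.LockingPercent -lt $MinLockingPercent) {
    $findings += "CacheLockingPercent is $($cache.LockingPercent); baseline is $MinLockingPercent"
}
if ($settings.SocketPoolSize -lt $MinSocketPoolSize) {
    $findings += "SocketPoolSize is $($settings.SocketPoolSize); baseline is at least $MinSocketPoolSize"
}

if ($findings.Count -eq 0) {
    Write-Output "OK: cache locking and socket pool settings meet the chosen baseline"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}

# Remediation, equivalent to the dnscmd steps above. Uncomment to apply; the
# changes take effect after the DNS service restarts.
# Set-DnsServerCache -LockingPercent $MinLockingPercent
# $settings.SocketPoolSize = $MinSocketPoolSize
# Set-DnsServerSetting -InputObject $settings
# Restart-Service DNS
```

Run it from an elevated PowerShell session on the DNS server; the remediation lines are left commented so the script is read-only by default.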
DNSSEC

DNSSEC enables a DNS zone and all records in the zone to be signed cryptographically so that client computers can validate the DNS response. DNS is often subject to various attacks, such as spoofing and cache-tampering. DNSSEC helps protect against these threats and provides a more secure DNS infrastructure.
How DNSSEC Works

Intercepting and tampering with an organization’s DNS query response is a common attack method. If malicious users can alter responses from DNS servers, or send spoofed responses to point client computers to their own servers, they can gain access to sensitive information. Any service that relies on DNS for the initial connection, such as e-commerce web servers and email servers, is vulnerable. DNSSEC protects clients that are making DNS queries from accepting false DNS responses.

When a DNS server that is hosting a digitally signed zone receives a query, it returns the digital signatures along with the requested records. A resolver or another server can obtain the public key of the public/private key pair from a trust anchor, and then validate that the responses are authentic and have not been tampered with. To do this, the resolver or server must be configured with a trust anchor for the signed zone or for a parent of the signed zone.
Trust Anchors

A trust anchor is an authoritative entity that is represented by a public key. The TrustAnchors zone stores preconfigured public keys that are associated with a specific zone. In DNS, the trust anchor is the DNSKEY or DS resource record. Client computers use these records to build trust chains. You must configure a trust anchor from the zone on every domain DNS server to validate responses from that signed zone. If the DNS server is a domain controller, then Active Directory-integrated zones can distribute the trust anchors.
Name Resolution Policy Table

The Name Resolution Policy Table (NRPT) contains rules that control the DNS client behavior for sending DNS queries and processing the responses from those queries. For example, a DNSSEC rule prompts the client computer to check for validation of the response for a particular DNS domain suffix. As a best practice, you should use Group Policy as the preferred method for configuring the NRPT. If there is no NRPT present, the client computer accepts responses without validating them.
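The following PowerShell script is an added example, not part of the original post: it ties together the three DNSSEC pieces described above (trust anchor on the server, NRPT rule on the client, signatures in the response) for one zone. The zone name is a placeholder, and the NRPT Namespace matching on a leading dot is an assumption about how the rule was created.

```powershell
# Added example: check whether DNSSEC validation is actually in place for one zone.
#Requires -Modules DnsServer, DnsClient
$Zone = "corp.example.com"   # placeholder: replace with your signed zone

# 1. Trust anchor on the local DNS server (DS or DNSKEY record in the TrustAnchors zone).
#    Without it, this server cannot validate responses for the zone.
$anchors = Get-DnsServerTrustAnchor -Name $Zone -ErrorAction SilentlyContinue
if (-not $anchors) {
    Write-Warning "No trust anchor for $Zone on this server; its responses cannot be validated here"
} else {
    $anchors | Select-Object TrustAnchorName, TrustAnchorType, TrustAnchorState | Format-Table -AutoSize
}

# 2. NRPT rule on this client that requires DNSSEC validation for the suffix.
#    Assumption: the rule's Namespace was created as ".<zone>".
$nrpt = Get-DnsClientNrptPolicy |
    Where-Object { $_.Namespace -eq ".$Zone" -and $_.DnsSecValidationRequired }
if (-not $nrpt) {
    Write-Warning "No NRPT rule requires validation for $Zone; this client accepts unvalidated answers"
}

# 3. Query with the DNSSEC OK (DO) bit set and see whether RRSIG records come back
#    alongside the answer, which is what a signed zone should return.
$answer = Resolve-DnsName -Name $Zone -Type A -DnssecOk -ErrorAction Stop
$rrsig  = @($answer | Where-Object { $_.Type -eq 'RRSIG' })
if ($rrsig.Count -gt 0) {
    Write-Output "Received $($rrsig.Count) RRSIG record(s) for $Zone"
} else {
    Write-Warning "No RRSIG records returned for $Zone; the zone may not be signed or the resolver strips them"
}
```

Steps 1 and 3 run on the DNS server itself; step 2 is meaningful on any domain-joined client that receives the NRPT through Group Policy.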