October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS...
April 19, 2023 University of Tulsa - Center for Information Security
Microsoft Windows 2000 DNS
History of DNS
• Before DNS: host names were resolved from a single, centrally maintained HOSTS.TXT file that every host had to copy
• For a good summary of the history of DNS: http://www.whmag.com/content/0601/dns/page3.asp
DNS Standard Documents
• The DNS standards are listed on the web; the site below lists the RFC numbers and RFC drafts
• http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dns/dnsstartpage_2lgl.asp?frame=true
What is DNS?
• Stands for Domain Name System
• Locator service that translates user-friendly names (such as www.utulsa.edu) into addresses that the network can recognize (129.244.1.91)
• Primary locator service for Active Directory; therefore considered a base service for both Windows 2000 and Active Directory
Example Using DNS
• Alice asks which name server is authoritative for the host names at site B
• Alice receives an answer such as "nmServerB"
• Alice asks nmServerB "What is Bob's IP address?"
• nmServerB replies to Alice with Bob's IP address
• With Bob's IP address, Alice can begin direct communication with Bob
The Domain Namespace
• Tree data structure that contains DNS's distributed database, indexed by domain names
  – Each node has a text label that is different from all of its siblings
• Domain name: the sequence of labels on the path from a node to the root
  – Data associated with a domain name is stored in a resource record
• Domain: a subtree of the domain namespace
The Internet Domain Namespace
• Top-level domains: com, edu, gov, mil, net, org, int, arpa, and geographical designations (uk, us, bm, aq)
• Reading domain names (most specific label first, top-level domain last):
  – lithium.cchem.berkeley.edu
  – www.utulsa.edu
  – www.cis.utulsa.edu
Delegation
• Goal: decentralize administration
• Delegate administrative duties to subdomains
  – Retain pointers to the sources of the subdomains' data
  – Queries can then be referred to the authority for the subdomain
Name Servers and Zones
• Programs that store information about the domain namespace are called name servers
• Name servers have complete information about some part of the domain namespace, called a zone
  – The name server is then said to have authority over that zone
Types of Name Servers
• Primary master name server reads data for the zone from a file on its host
• Secondary master gets its zone data from another name server that is authoritative for the zone
  – Zone transfer: the operation in which the secondary master retrieves the zone data from the primary master
Resolvers
• Clients that access name servers
• Handle:
  – Querying the name server
  – Interpreting responses
  – Returning the information to the programs that requested it
• In Windows 2000, the resolver is a set of library routines
Resolution
• Resolution is the process of searching through the domain namespace to find data for which the name server is not authoritative
  – Only requires the domain names and addresses of the root name servers
• Root name servers refer requests to the server for the top-level domain the domain name ends in
• In turn, each name server queried either provides the answer or refers the request to a "closer" name server
Recursion / Iteration
• Recursive query
  – Places most of the burden of resolution on a single name server
  – Queried name server is obliged to respond with the requested data or with an error (it can't just refer the query to a different name server)
  – A name server that receives a recursive query it can't answer itself will query the "closest known" name servers
• Iteration
  – Name server gives the best answer it already knows
  – If it can't directly answer the query, the name server returns a referral: the name servers from its local data that are closest to the queried name, and the querier continues from there
Choosing Between Authoritative Name Servers
• The Microsoft DNS Server uses round-trip time (RTT) to choose between name servers authoritative for the same zone
  – RTTs are averaged in after each query
  – The average is initially set very low so that each server gets queried before favorites are chosen
Mapping Addresses to Names
• Forward (names to addresses)
  – Straightforward: the namespace is indexed by name, so the name server searches its data for the owner name's records
• Reverse (addresses to names)
  – in-addr.arpa domain
  – Portion of the Internet domain namespace that uses addresses as labels, with the octets in reverse order so that delegation follows network prefixes (129.244.1.91 is looked up as 91.1.244.129.in-addr.arpa)
Caching
• Saves information about previous resolution processes
• The Microsoft DNS Server also implements negative caching: if an authoritative name server responds to a query saying the domain name doesn't exist, that information is cached as well
• Cached data is kept only for its time to live (TTL), set by the zone's authoritative server; after that it must be resolved again
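The following is an added example (not code from the slides or from the Microsoft DNS Server) that ties together the Resolution, Recursion / Iteration, and Caching slides above: a toy namespace of three authoritative servers (root, edu, utulsa.edu) that answer iteratively (answer, referral with glue, or NXDOMAIN), an iterative resolver that walks the referrals from the root, and a recursive server that does the walk on the client's behalf and caches both positive answers and negative (NXDOMAIN) results for a TTL. All servers, names (except www.utulsa.edu and nmServerB, taken from the slides), records, TTL values and the RFC 5737 documentation addresses are constructed for the example.

```python
import time
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    """One authoritative server. Replies the way an iterative query is answered:
    with the best data it already has, never by chasing the name itself."""
    zone: str
    addresses: dict = field(default_factory=dict)    # owner name -> IPv4 (A records)
    delegations: dict = field(default_factory=dict)  # child zone -> (NS name, NS IP as glue)

    def query(self, name):
        if name in self.addresses:
            return "answer", self.addresses[name]
        for child, (ns_name, ns_ip) in self.delegations.items():
            if name == child or name.endswith("." + child):
                return "referral", (ns_name, ns_ip)   # point at a "closer" server
        return "nxdomain", None                        # authoritative: no such name


# Constructed namespace mirroring the Alice/Bob example: root -> edu -> utulsa.edu
ROOT_IP = "192.0.2.1"
SERVERS = {
    ROOT_IP: AuthServer(".", delegations={"edu.": ("a.edu-servers.net.", "192.0.2.2")}),
    "192.0.2.2": AuthServer("edu.", delegations={"utulsa.edu.": ("nmServerB.utulsa.edu.", "192.0.2.3")}),
    "192.0.2.3": AuthServer("utulsa.edu.", addresses={"www.utulsa.edu.": "192.0.2.91"}),
}


def resolve_iteratively(name, servers, root_ip=ROOT_IP, max_hops=10):
    """Start at a root server and follow referrals until an answer or NXDOMAIN.
    Returns (kind, data, trace) where trace lists (zone queried, reply kind)."""
    trace, ip = [], root_ip
    for _ in range(max_hops):                # hop limit guards against referral loops
        kind, data = servers[ip].query(name)
        trace.append((servers[ip].zone, kind))
        if kind != "referral":
            return kind, data, trace
        _ns_name, ip = data                  # glue tells us where to go next
    raise RuntimeError("delegation chain too long or referral loop")


class RecursiveServer:
    """Accepts recursive queries: must return data or an error, never a referral.
    Positive answers and NXDOMAIN results are both cached, each with its own TTL."""

    def __init__(self, servers, root_ip=ROOT_IP, ttl=300, negative_ttl=60):
        self.servers, self.root_ip = servers, root_ip
        self.ttl, self.negative_ttl = ttl, negative_ttl
        self.cache = {}                      # name -> (kind, data, expiry timestamp)

    def lookup(self, name, now=None):
        """Returns (kind, data, served_from_cache, trace); 'now' is injectable for tests."""
        now = time.time() if now is None else now
        hit = self.cache.get(name)
        if hit and hit[2] > now:             # still inside its TTL
            return hit[0], hit[1], True, []
        kind, data, trace = resolve_iteratively(name, self.servers, self.root_ip)
        lifetime = self.ttl if kind == "answer" else self.negative_ttl
        self.cache[name] = (kind, data, now + lifetime)
        return kind, data, False, trace


if __name__ == "__main__":
    rs = RecursiveServer(SERVERS)
    for qname in ("www.utulsa.edu.", "www.utulsa.edu.", "missing.utulsa.edu."):
        kind, data, cached, trace = rs.lookup(qname)
        print(qname, kind, data, "from cache" if cached else trace)
```

The second query for www.utulsa.edu. is answered from cache without touching any authoritative server, and the query for a name that does not exist is remembered as NXDOMAIN for the shorter negative TTL, which is the behaviour the Caching slide describes.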
Securing Microsoft Windows 2000 DNS
• From the NSA Security Recommendations for Windows 2000
• http://nsa1.www.conxion.com/win2k/download.htm
Zone Information Security
• Converting to an Active Directory Integrated Server
• Zone File and Registry Security
Converting to an Active Directory Integrated Server
• Requires the DNS server to be on a Windows 2000 Domain Controller
• Change the zone type to Active Directory-integrated
  – Zone information is stored, replicated, and secured in Active Directory
  – Choose the "Only secure updates" option for Dynamic Updates, so that only authenticated domain members can register or change records
  – Recommended
Zone File and Registry Security
• If zone information is not stored in Active Directory, secure the zone files
  – Folder: "%SystemDirectory%\DNS"
  – User Groups: System
  – Recommended Permissions: Full Control
• All DNS servers should have the registry secured
  – Key: "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS"
  – User Groups: Administrators, System
  – Recommended Permissions: Full Control for both groups
Controlling Zone Transfers
• Four options for zone transfers
  – Do not allow zone transfers
    • The server can still receive zone transfers and can still respond to DNS queries
  – Allow zone transfers to any server
    • Not recommended: anyone who can reach TCP 53 can pull the entire zone
  – Allow zone transfers to all servers listed in the Name Servers property tab
    • Recommended when zone transfers will only be done within one domain
  – Allow zone transfers to a specific list of IP addresses
    • Recommended when communicating between protected DNS servers and a DNS server that can be accessed from the Internet
• Never transfer the forward lookup zone containing Active Directory records to any server that can be accessed via the Internet
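To verify that the setting chosen above actually holds on an Internet-facing server, the following is an added example (not from the NSA guide or the slides) of an AXFR probe that can also be exercised offline: build_axfr_query() assembles a zone-transfer request in RFC 1035 wire format, classify_axfr_response() reads the RCODE and answer count out of the reply, axfr_verdict() turns that into the policy answer, and probe_axfr() sends the request over TCP 53, the transport zone transfers use. The REFUSED reply used for the self-check is constructed, not captured from a real server; utulsa.edu is used as the zone name only because it appears on the slides. Note that an IP-address allow list is filtering, not authentication: a server on the list that is compromised or spoofed at the network layer can still pull the zone, which is why the slide says never to transfer the Active Directory zone to anything reachable from the Internet.

```python
# Added example: AXFR exposure probe with an offline self-check.
import socket
import struct

QTYPE_AXFR = 252
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Wire-format owner name: each label length-prefixed, terminated by the root (zero) label."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:          # RFC 1035 label limit
            raise ValueError(f"bad label {label!r}")
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return bytes(out) + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """Header (ID, flags=0 so RD is clear, QDCOUNT=1) plus one question of type AXFR, class IN."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def classify_axfr_response(msg):
    """Return (RCODE name, ANCOUNT) from a raw DNS message without its TCP length prefix."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, f"RCODE{rcode}"), ancount


def axfr_verdict(rcode, ancount):
    """Does this server hand the zone to a client that is not on its transfer list?"""
    if rcode == "NOERROR" and ancount > 0:
        return "TRANSFER ALLOWED"   # first message of a transfer already carries the SOA and more
    if rcode in ("REFUSED", "NOTAUTH"):
        return "refused"            # expected from a server restricted to listed servers/IPs
    return f"inconclusive ({rcode}, {ancount} answers)"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe_axfr(host, zone, port=53, timeout=5.0):
    """Live check. DNS over TCP prefixes every message with a two-byte length (RFC 1035 4.2.2).
    Run only against servers you are authorized to test."""
    query = build_axfr_query(zone)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(sock, 2))
        reply = _recv_exact(sock, length)    # the first message is enough for the verdict
    return axfr_verdict(*classify_axfr_response(reply))


# Constructed reply: QR=1, RD=1, RA=1, RCODE=5 (REFUSED), question echoed, no answers.
SAMPLE_REFUSED = (struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0)
                  + encode_name("utulsa.edu.") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN))

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print(probe_axfr(sys.argv[1], sys.argv[2]))   # usage: script.py <server> <zone>
    else:
        print(axfr_verdict(*classify_axfr_response(SAMPLE_REFUSED)))
```

Run it from a host that is not on the server's transfer list (for an external server, from outside the firewall); "refused" is the result the "specific list" and "Name Servers tab" options should produce, while "TRANSFER ALLOWED" means the "any server" option is in effect.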
DNS Server Configurations
• Several deployment methods for DNS in a Win2K environment:
• DNS in an Enclosed Environment
• DNS with an Internet Presence
• DNS with an Internet Presence with Reverse Lookup Requirements
• DNS with an Internet Presence with Forward and Reverse Lookup Zone Requirements
DNS in an Enclosed Environment
• External router and firewall should block all DNS traffic (UDP and TCP port 53)
• DNS zones should be made Active Directory integrated and only allow zone transfers to servers listed in the Name Servers tab
DNS with an Internet Presence
• Separate the external DNS server from the DNS servers that are being used for the Windows 2000 domain
• Secure zone transfers to a specific list of servers, or to no servers. If several servers are used within one DNS domain, control transfers using the Name Servers tab
• Secure the file system and registry
• Disable all unnecessary services
• Disable dynamic updates on the external server, which should hold only static public records
• Internet name resolution from the internal network can be provided by forwarding requests to the external DNS server
DNS with an Internet Presence with Reverse Lookup Requirements
• Disconnected Reverse Lookup Zone
  – Add a reverse lookup zone to the external DNS server that contains all of the internal network IP addresses
  – Match each IP with a fictitious client name carrying the appropriate domain suffix. Reverse lookups of the addresses then succeed without revealing real internal host names
  – Recommended
• Secondary Reverse Lookup Zone
  – Add a reverse lookup zone to the external DNS server as a secondary zone of the internal network's reverse zone
  – On one internal DNS server, add the external server to the list of servers allowed to receive zone transfers
  – Configure the router and firewall to allow communication between the external and internal DNS servers
  – Will expose the internal server's Start of Authority record in the reverse lookup zone
DNS with Internet Presence with Forward & Reverse Lookup Zone Requirements
• This configuration is not recommended, but may be necessary
  – Exposes server records to the Internet
  – Allows attackers to completely map the internal network
• Use a secure tunneling protocol between sites to secure zone transfers and protect the internal DNS server records (Good)
• Add only the specific server records that are required for the network to function to the external DNS servers (Worse)
• Configure one external DNS server's forward and reverse lookup zones to be secondary zones of one internal DNS server's zones (Worst)
Router and Firewall Settings
• DNS traffic: port 53 (UDP and TCP)
  – UDP 53: client queries
  – TCP 53: zone transfers (also used by ordinary queries whose response does not fit in a 512-byte UDP message and is retried over TCP, so expect some lookups to fail if TCP 53 is blocked everywhere)
• Zone transfers are not necessary outside the protected network
  – TCP 53 should be disabled at the internal, external, firewall, and DMZ routers
• If DNS is configured to allow zone transfers between internal and external servers, then the internal router, firewall, and DMZ routers should allow connections on TCP 53 between those two servers only