Uploaded by askmeagain; posted 30-May-2018.

Page 1: Securing Windows 2000 DNS by Design

8/14/2019 Securing Windows 2000 DNS by Design

http://slidepdf.com/reader/full/securing-windows-2000-dns-by-design 1/7

Securing Windows 2000 DNS by design (Part 1)

This white paper will focus on the importance of securing your Windows network's DNS service and the features, functionality and security of the DNS server by using design. Several deployment methods for DNS in a Windows 2000 environment will be covered and defined. This document is intended to provide clarification when enabling the operational requirements of the organizations designing secure DNS.

Knowing that Windows 2000 and above relies heavily on the functioning of DNS, your focus should be on securing your valuable DNS server. Windows DNS is one of the fundamental services used by all Windows 2000 networks that conform to the domain or forest tree model. It is a good idea to keep this service as secure as possible, as most of your server services, like Microsoft ISA, Exchange 2000 and any other communication software, have serious dependencies on the flawless execution of the DNS service.

Huge issues attributed to DNS in the past have resulted in Fortune 500 companies tightening up the DNS BIND (Berkeley Internet Name Domain) holes, which were then successfully blocked from being exploited. Although BIND refers to UNIX, it could just as easily have been Windows or the flavor-of-the-day DNS system. In early 2001 over 40% of the top companies had the DNS vulnerability. This information was published on hack sites as soon as it was released; egg throwers were quick to leverage the opportunity, and hackers scrambled to exploit a Fortune 500 DNS vulnerability. Recommendation: do not become a statistic; take action. Keep abreast of the latest patches and test the patches in a test lab before going live.

DNS failover strategy.

Redundancy is paramount for any DNS implementation. A multitude of applications rely on DNS for name resolution in multiplatform environments. HTTP, SMTP and many other Windows applications require DNS as a vital "life source", and this is why organizations should look at a failover strategy when implementing DNS.

A robust design should include at least two internal DNS servers for every set of 500 users. The DNS servers should be distributed throughout the company as a load-balancing strategy, and using Performance Monitor you should identify the segments that need their own DNS servers. Furthermore, if the segments are separated by WAN links it is advisable to have a DNS server on each side, to prevent clients from traveling over slow WAN links to resolve domain names. Secondary DNS servers should be set up on the local DHCP/WINS server at each site.


This simple strategy not only spreads the risk of a central DNS server going down but also speeds up resolution. As a further strategy it may be advisable to install a good HIDS on the DNS server in case an intruder is lurking; excellent tried and tested software would be LANguard by GFI. It is a good idea to spread your DNS servers over different subnets, as an interesting lesson can be learnt from a historical attack on Microsoft's DNS servers in the last 5 years.
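A worked example of the site-level failover described above, added here and not part of the white paper: a branch DNS server hosts secondary copies of the corporate zones, the hub primary restricts zone transfers and change notifications to the listed site servers, and DHCP hands clients the local server first and the hub server second. It uses dnscmd and netsh dhcp (both in the Windows 2000 Support Tools) run from PowerShell, which is an assumption; every address and zone name is a constructed placeholder.

```powershell
# Added example (not from the white paper). Branch-office DNS failover with dnscmd/netsh.
# All server addresses and zone names below are constructed placeholders.
$PrimaryMaster   = "10.0.0.5"                      # hub server holding the primary zones (assumed)
$SiteDns         = "10.1.1.5"                      # this site's DHCP/WINS/DNS box (assumed)
$SiteSecondaries = @("10.1.1.5", "10.2.1.5")       # every site server allowed to pull the zones
$Zones           = @("corp.example", "0.10.in-addr.arpa")

foreach ($zone in $Zones) {
    # Host a secondary copy of the zone on the branch server, pulled from the hub primary
    dnscmd $SiteDns /ZoneAdd $zone /Secondary $PrimaryMaster

    # Pull the zone now instead of waiting for the SOA refresh interval
    dnscmd $SiteDns /ZoneRefresh $zone

    # On the hub primary: only the listed site servers may transfer the zone, and they are
    # notified on every change so the branch copies do not go stale. Note that /SecureList
    # replaces the whole list, so all secondaries must be given in one call.
    dnscmd $PrimaryMaster /ZoneResetSecondaries $zone /SecureList $SiteSecondaries /NotifyList $SiteSecondaries
}

# DHCP option 006 (DNS servers) for the branch scope: local server first, hub second,
# so resolution stays on the LAN and still works if the branch box is down
netsh dhcp server "\\$SiteDns" scope 10.1.1.0 set optionvalue 006 IPADDRESS $SiteDns $PrimaryMaster

# Confirm the secondary loaded: the output shows the zone type, masters and current serial
dnscmd $SiteDns /ZoneInfo corp.example
```

Run the block once per site, changing only the site variables; the hub primary's /SecureList call must always carry the full list of site servers, because each call overwrites the previous list.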

Incorporate security into the DNS design

When designing the DNS system it is important that security is hard-coded into the design. This method of configuration ensures that if policies are not followed, failsafe strategies are in place to protect the organization's best interests.

• Ensure that the DNS server is placed behind a firewall and that a DNS server is not run with Active Directory services on the Internet.

• Use DNS forwarders and ISP DNS servers as a means of getting DNS resolution; this greatly reduces organizational DNS risk.

• When using Active Directory-integrated domains, always make use of private domain names; by doing this the DNS requests will not be forwarded to DNS servers on the Internet.

• Use proxy servers for clients' DNS requests on the Internet.

• Ensure that private IP addresses are used instead of public IP addresses. This strategy minimizes risk.

Secure the DNS Design

Typically DNS designs comprise a primary DNS server and multiple client DNS servers, known as master/slave. Primary DNS servers should be hosted by the organization, and further client DNS servers reference off the primary master DNS server. Your primary DNS server should have router and firewall protection, as would be found in a DMZ environment.

Split DNS Design

Split DNS design employs the separation of the internal DNS servers from the external DNS servers. Internal servers only contain internal DNS entries and the external servers only contain external entries. Intruders look for DNS servers that are not split and that expose internal hosts to the Internet by reflecting internal IP addresses that the intruder can directly address. This information is then used to plot the network's coordinative points and is used like a tool to find the weak spot where the intruder can gain entry.

DNS policies and procedures that facilitate and enforce strong security governance.

Prior to implementing any new network service such as DNS, a structured security policy must be implemented. Policies and procedures are written to ensure a high level of security and


compliance, and this system quality-assures that the level of security does not decrease on any occasion. Your DNS policy should include a few facts that I have stated below.

• Define the backup strategy for the DNS server.

• State the appropriate authorized person permissible for DNS administration.

• Define how new DNS records should be added.

• Define security settings and update procedures and how they should be applied.

• Predetermine the failover strategy and how and when it should be implemented.

• Formulate zone transfers and the appropriate authority's controls necessary, as this is a very weak security area if badly managed within the Windows DNS framework.

• Ensure that the latest service packs are installed.

• Include log maintenance and monitoring in the procedure.

• Include DNS server performance monitoring in the procedure.

• Ensure that all changes are well documented and that any updates are lab-tested before being applied to a live environment.

• The original configuration should be documented and kept without amendments; this will help in the rebuild stage if necessary.

After writing the policy it is up to your IT department to enforce it. A comprehensive policy and procedure is all very well; ensuring that it is applied to the DNS server as part of the security strategy is another matter. Organizations occasionally fail to see the value in following a comprehensive policy with points such as log monitoring and performance checks. This is the main reason that those same organizations are down for several days due to "technical faults". To ensure that your organization does not fall into the same painful trap, ensure that your DNS documentation is holistic and always updated.

DNS and its functions.

DNS is used by Active Directory to locate domain controllers and to resolve IP addresses into FQDNs (fully qualified domain names). It cannot be stressed enough that without a fully functional DNS structure Active Directory will not function as intended. There are various security settings available that can be manipulated when using the Windows 2000 Domain Name System (DNS) Server service. In many cases the leverage is in how the DNS has been designed and secured.

Note: recommendations are made throughout this white paper, and in order to follow them through, part of the process undertakes the task of running with the recommendation in a test lab environment. This quality assurance process should shadow your production system closely. After you are happy with the process of the recommendation, it is up to you to transfer the application of the theory onto your production environment.

Windows 2000 security features.

Scenario 1

DNS in an Enclosed Environment


• When running DNS in an enclosed environment it is only required that the DNS servers and operating systems be secured.

• The external router interface and the external firewall interface should block any DNS traffic that is inbound on UDP and TCP port 53.

• DNS zones should be Active Directory-integrated and should only allow zone transfers to servers listed in the Name Servers tab.

Scenario 2

DNS on the Internet

• Separate the external DNS server from the internal DNS servers that are used for the Windows 2000 domain.

• Active Directory-integrated DNS servers should be used on the internal network.

• Zone transfers should be performed on internal DNS servers.

• Secure zone transfers on the external servers to a specific list of servers.

• Secure the file system.

• Secure the registry.

• Disable all unused services on external DNS servers.

• Disable dynamic updates on external DNS servers.

Resolving Internet names can be accomplished by the internal DNS server without compromising security. You can do this by forwarding DNS queries to the external DNS server.
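The Scenario 1 and Scenario 2 settings above expressed as dnscmd commands (dnscmd ships in the Windows 2000 Support Tools). This is an added example, not configuration taken from the white paper or from Microsoft; the server addresses, the zone names corp.example and example.com, the external secondary's address and the PowerShell wrapper are all assumptions. It goes one step beyond the paper: the AD-integrated internal zone is set to accept secure dynamic updates only (/AllowUpdate 2), which the paper does not discuss.

```powershell
# Added example (not from the white paper). Internal/external DNS hardening with dnscmd.
# Addresses are constructed: RFC 1918 space for the internal server, TEST-NET for the DMZ.
$InternalDns    = "10.0.0.5"       # AD-integrated internal server (assumed)
$ExternalDns    = "192.0.2.53"     # external, non-AD server in the DMZ (assumed)
$ExternalSecond = "192.0.2.54"     # the only host allowed to pull the public zone (assumed)
$IspDns         = "198.51.100.1"   # ISP resolver used as the external forwarder (assumed)
$InternalZone   = "corp.example"   # private name that is never exposed to the Internet
$PublicZone     = "example.com"    # public name served from the DMZ only

# ---- Internal server: Scenario 1, and the internal side of Scenario 2 ----
# Store the internal zone in Active Directory
dnscmd $InternalDns /ZoneAdd $InternalZone /DsPrimary
# Accept dynamic updates only from authenticated clients (2 = secure only; beyond the paper)
dnscmd $InternalDns /Config $InternalZone /AllowUpdate 2
# Zone transfers only to the servers on the zone's Name Servers tab, with change notification
dnscmd $InternalDns /ZoneResetSecondaries $InternalZone /SecureNs /Notify
# Resolve Internet names by forwarding to the external server. /Slave makes the internal
# server give up if the forwarder does not answer, rather than recursing to the Internet itself
dnscmd $InternalDns /ResetForwarders $ExternalDns /Slave

# ---- External server: Scenario 2 ----
# Standard (file-backed) primary zone; no Active Directory on the external box
dnscmd $ExternalDns /ZoneAdd $PublicZone /Primary /file "$PublicZone.dns"
# No dynamic updates of any kind on the external server
dnscmd $ExternalDns /Config $PublicZone /AllowUpdate 0
# Zone transfers only to the explicit list of secondaries, which are notified of changes
dnscmd $ExternalDns /ZoneResetSecondaries $PublicZone /SecureList $ExternalSecond /NotifyList $ExternalSecond
# External server resolves the rest of the Internet through the ISP resolver
dnscmd $ExternalDns /ResetForwarders $IspDns /Slave
# Discard records outside the answering server's bailiwick (protects the cache from pollution)
dnscmd $ExternalDns /Config /SecureResponses 1

# The "block inbound UDP/TCP 53 at the external router and firewall interface" item of
# Scenario 1 is a network-device rule, not a DNS server setting, and is not shown here.

# Review the effective zone settings on both servers
dnscmd $InternalDns /ZoneInfo $InternalZone
dnscmd $ExternalDns /ZoneInfo $PublicZone
```

Run the block from an account that is a DNS administrator on both servers; /ZoneInfo prints the zone type, the update and transfer settings and the secondary list, so the result can be checked against the policy before the change is documented.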

If you would like to know where a user is coming from when making a request on your DNS server, it is necessary that your external DNS server has reverse DNS lookup zones enabled. This system is used to verify where the intruder or visitor is coming from. This aspect of security is very necessary if you wish to cut down the time it takes to resolve the name of the intruder in order to take action.

Enabling a reverse lookup in order to secure the internal network.

Strategy 1. To limit the intruder from correctly plotting the route to the sheltered network, it is recommended that a reverse lookup zone be enabled on the external DNS server. This will be the server that contains a catalog of all the internal network IP addresses. You should then match the IP addresses with a honeynet or honeypot machine. This typically is a virtual system that exists solely for the purpose of capturing intruders' trends and associating the possible tools that each intruder may be using.


 Figure A: the picture above depicts strategy 1

Strategy 2. To show the SOA (start of authority) record within the reverse lookup zone, it is recommended that a reverse lookup zone be added to the external DNS server as a secondary zone belonging to the internal network.

1. The external server needs to be added to the list of valid DNS servers allowed zone transfers on one internal DNS server.

2. The router and firewall need to be configured to allow communication between the DNS servers.

3. No services other than DNS should be running on the internal DNS server.

 Figure B: the diagram above depicts strategy 2
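Strategy 2 carried out with dnscmd, as an added example that is not part of the white paper: the internal server permits transfers of its reverse lookup zone to the external server only (step 1), the external server hosts that zone as a secondary and refuses to transfer it any further, and step 3 is checked with a listener listing. The server addresses, the zone 0.10.in-addr.arpa and the PowerShell wrapper are assumptions; step 2 is a router/firewall rule and is only noted in a comment.

```powershell
# Added example (not from the white paper). Reverse lookup zone published as a secondary
# on the external server. Addresses and the zone name are constructed placeholders.
$InternalDns = "10.0.0.5"            # internal server that owns the reverse zone (assumed)
$ExternalDns = "192.0.2.53"          # external DMZ server that receives a copy (assumed)
$ReverseZone = "0.10.in-addr.arpa"   # reverse zone for 10.0.0.0/16 (assumed)

# Step 1, on the internal server: the external server is the only host allowed to
# transfer the reverse zone, and it is notified when the zone changes
dnscmd $InternalDns /ZoneResetSecondaries $ReverseZone /SecureList $ExternalDns /NotifyList $ExternalDns

# Step 2: the router and firewall must permit UDP and TCP 53 between $InternalDns and
# $ExternalDns only. That rule lives on the network devices and is not part of this script.

# Step 3: confirm that nothing but DNS (port 53) is listening on the internal server.
# findstr is used so the same line works from cmd.exe on Windows 2000.
netstat -an | findstr LISTENING

# On the external server: host the reverse zone as a secondary of the internal zone
dnscmd $ExternalDns /ZoneAdd $ReverseZone /Secondary $InternalDns
dnscmd $ExternalDns /ZoneRefresh $ReverseZone
# The external server must not pass the internal address map on to anyone else
dnscmd $ExternalDns /ZoneResetSecondaries $ReverseZone /NoXfr

# Verify: the external copy should show type Secondary, the internal server as master,
# and the same serial number as the internal zone
dnscmd $InternalDns /ZoneInfo $ReverseZone
dnscmd $ExternalDns /ZoneInfo $ReverseZone
```

The /NoXfr on the external copy is the control that keeps this design inside the warning that follows: the DMZ server can answer reverse queries, but it cannot hand the whole internal address map to a third party in one transfer.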

Warning: be aware that the scenario where a DNS server connected to the Internet has both a forward and a reverse lookup zone may pose a problem. The reason is that two Windows 2000 forests/trees may be linked via the Internet, and in doing so the server records may be exposed to the Internet. There is nothing stopping an intruder from sniffing this information and plotting the organization's internal network by impersonation and by sending valid queries to the DNS server.


Figure C: the diagram above depicts the two Windows domains and how the DNS resolution takes place over the Internet, posing the risk.

The counter approach to this scenario would be to use:

1. A secure tunneling protocol connecting the two sites over the Internet. This will secure zone transfers.

2. Only the precise server records that are required for the network to function.

3. A configuration that supports one external DNS server's forward and reverse lookup zones configured as secondary zones of one internal DNS server's zones.

These are counters and only secure your server if done in conjunction and looked upon as a holistic DNS securing strategy. It is recommended that DNS transmission from tree or forest be reserved for private networks like VPNs and WANs rather than having the information latently transmitted on the Internet. Transmitting information over the Internet has major disadvantages, as attackers with lots of time tend to lurk and wait for the opportune moment that arrives when the organization is least expecting an attack. In order to prevent such an attack on your network it is very important that all of your data, be it DNS, mail, HTTP or information that may seem trivial, be encrypted or sent within a private tunnel that an intruder will find extremely challenging to crack.

If the above basic steps are followed you will find that fewer attacks will be attempted on an organization's security. It is a strong belief in the security world that accidents or attacks happen when the security professional is careless. Neglect is a strong source of vulnerability and is the


major reason that DNS is a soft spot. Once the Windows DNS system is working, many administrators tend not to touch it for fear of breaking it. They stick to the cliché "if it ain't broke, don't fix it", but I maintain that if it ain't updated, it is broke. Keep abreast of all vulnerabilities and patch, with the highest priority, the vulnerabilities that are exposed to the outside world, like DNS. This type of service is very well known in the intruder world, and new ways of exploiting bugs in software come out every day.

Conclusion

This white paper demonstrates the advantages of having a strong design that complements your security strategy. Security professionals should uphold the integrity of their DNS machines so that they are secured and stable. Many patches and hot fixes are released constantly, and keeping up to date with these will increase your level of protection by at least twofold. A great tool that can be used on your machines to look for vulnerabilities and keep you abreast of vulnerabilities is LANguard Network Security Scanner by GFI. This tool takes the pain out of the task of keeping a system manageable and cost effective. Looking for additional vulnerabilities on security websites like WindowSecurity.com also helps you to keep up to date with the latest security fads. Keep it up, because if you are not prepared, rest assured there is an abundance of intruders that are. Ensure that you don't become a statistic: do something about the way your DNS environment is designed.