windows server 2016 webinar
TRANSCRIPT
Windows Server 2016: what is new in DNS (and IPv6 and DHCP)
© Men & Mice http://menandmice.com
Windows Server 2016
DNS Policies
Application Load-Distribution with DNS
IPv6 Root-Hints
DANE-Records Support
Support for Unknown DNS Records
Response-Rate-Limiting
Other new Features in Windows Server 2016
The features discussed here are based on Technical Preview 5 (April 2016).
DNS Policies
DNS policies give fine-grained control over how a DNS server answers DNS queries
• similar to, but more powerful than, BIND 9 views
• Use-cases
• access control for DNS resolvers (prevent an open resolver)
• DNS-based load distribution
• blackholing malicious clients
• filtering based on DNS domains or query type
• geo-location-aware DNS answers
• traffic engineering based on time of day
• "split-brain" DNS configurations (CAUTION!)
DNS Policies
Every DNS zone can have one or more "ZoneScopes"
• each ZoneScope can contain different DNS data (e.g. different IP addresses for the same name)
• the DNS policy defines which ZoneScope is used to answer a query, based on properties of the query as it reaches the DNS server
DNS Policy criteria
Client Subnet        source address of the query
Transport Protocol   either UDP or TCP
Internet Protocol    either IPv4 or IPv6
Server Interface IP  address of the server interface on which the query comes in
Domain name          an FQDN (wildcards possible)
Query Type           the requested DNS record type (A/AAAA/MX/SRV etc.)
Time of Day          time when the query is received
DNS Policies
DNS policy criteria can be combined with the Boolean operators "AND" and "OR"; a single criterion is negated by using the "NE" (not equal) operator instead of "EQ"
Powerful DNS policies are possible …
… that should be used carefully: a policy that matches the wrong clients silently hands them different data, or no answer at all
DNS Policies Demo 1: restricting DNS recursion to subnets
Get-DnsServerRecursionScope -Name .                                 # "." is the default recursion scope
Set-DnsServerRecursionScope -Name . -EnableRecursion $False         # no recursion for anybody by default
Add-DnsServerRecursionScope -Name "Clients" -EnableRecursion $True  # second scope that does recurse

Add-DnsServerClientSubnet -Name "MyNetwork" -IPv4Subnet "172.22.1.0/24"

# queries from MyNetwork are handled in the recursing "Clients" scope; everybody else stays in "." and gets no recursion
Add-DnsServerQueryResolutionPolicy -Name "ResolverPolicy" -Action ALLOW -ApplyOnRecursion -RecursionScope "Clients" -ClientSubnet "EQ,MyNetwork"
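The use-case list above names blackholing of malicious clients, and the criteria slide says criteria can be combined, but the demo shows only a single criterion. The following is an added example (not from the webinar) of both: a server-level policy that silently drops everything from a known-bad network, and a second policy that combines two criteria with AND to refuse ANY queries arriving over UDP (the classic reflection/amplification query) while still answering them over TCP. The subnet name "Malicious", its address 203.0.113.0/24 (documentation range) and the server address 172.22.1.150 (borrowed from Demo 2) are assumptions; the QType criterion is given the RR type name as the server knows it.

```powershell
# Added example, not part of the webinar slides. Names and addresses are made up.

# 1. Define the client subnet the policy will refer to.
Add-DnsServerClientSubnet -Name "Malicious" -IPv4Subnet "203.0.113.0/24"

# 2. Server-level policy: IGNORE silently drops the query, so no response
#    at all leaves the server towards that network (no reflection possible).
#    Policies are evaluated in ProcessingOrder; the first match wins.
Add-DnsServerQueryResolutionPolicy -Name "BlackholeMalicious" `
    -Action IGNORE -ClientSubnet "EQ,Malicious" -ProcessingOrder 1

# 3. Two criteria joined with -Condition AND: refuse ANY queries that arrive
#    over UDP. The identical ANY query over TCP does not match and is answered,
#    so real resolvers that fall back to TCP keep working.
Add-DnsServerQueryResolutionPolicy -Name "NoAnyOverUdp" `
    -Action DENY -Condition "AND" -QType "EQ,ANY" `
    -TransportProtocol "EQ,UDP" -ProcessingOrder 2

# 4. Review the server-level policies and test from the server itself
#    (the test host is not in 203.0.113.0/24, so only the second policy applies).
Get-DnsServerQueryResolutionPolicy |
    Format-Table Name, ProcessingOrder, Action, Condition -AutoSize

# UDP ANY is expected to be refused ...
Resolve-DnsName -Name www.example.com -Type ANY -Server 172.22.1.150 -ErrorAction SilentlyContinue
# ... while the same question over TCP is still answered.
Resolve-DnsName -Name www.example.com -Type ANY -Server 172.22.1.150 -TcpOnly
```

Order matters: put the broad "drop" policies first and the more specific "refuse" policies after them, and always check the resulting list with Get-DnsServerQueryResolutionPolicy, because a mis-ordered or over-broad policy is indistinguishable from an outage for the affected clients.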
DNS Policies Demo 2: application load distribution using DNS
Add-DnsServerZoneScope -ZoneName example.com -Name "scope1"
Add-DnsServerZoneScope -ZoneName example.com -Name "scope2"
Get-DnsServerZoneScope -ZoneName example.com

# same name, different address in each scope
Add-DnsServerResourceRecord -A -Name www -ZoneName example.com -IPv4Address 192.0.2.10 -ZoneScope "scope1"
Add-DnsServerResourceRecord -A -Name www -ZoneName example.com -IPv4Address 192.0.2.20 -ZoneScope "scope2"

# queries arriving on interface 172.22.1.150 are answered from scope1 and scope2 in a 4:2 ratio
Add-DnsServerQueryResolutionPolicy -Name "Scope1LDPolicy" -ZoneName example.com -ZoneScope "scope1,4;scope2,2" -Action ALLOW -ServerInterfaceIP "EQ,172.22.1.150"

Get-DnsServerQueryResolutionPolicy -ZoneName example.com
IPv6 root hints
Windows Server 2016 now comes with the IPv6 root hints preconfigured
• root hints are required by every recursive DNS server to find the root servers, the starting point of all DNS resolution
• Windows Server versions up to 2012 R2 ship only the IPv4 root hints for the Internet (the IPv6 root hints could be added manually)
• this change makes it possible to run the Windows DNS server as a resolver in an "IPv6-only" network
DANE TLSA Record support
Windows Server 2016 adds support for the TLSA resource record type
• TLSA is required for DANE (DNS-based Authentication of Named Entities, RFC 6698)
• "pinning" of TLS/SSL certificates or public keys via DNSSEC-secured DNS; without DNSSEC validation on the client side a TLSA record provides no protection
• see our previous webinar "DNSSEC & DANE – E-Mail security reloaded" https://www.menandmice.com/resources/educational-resources/webinars/dnssec-and-dane-e-mail-security-reloaded/
Demo: TLSA Record
# _25._tcp = SMTP on TCP port 25; DomainIssuedCertificate = usage 3 (DANE-EE),
# SubjectPublicKeyInfo = selector 1, Sha256Hash = matching type 1
Add-DnsServerResourceRecord -Name _25._tcp -ZoneName example.com -TLSA `
    -CertificateUsage DomainIssuedCertificate `
    -Selector SubjectPublicKeyInfo -MatchingType Sha256Hash `
    -CertificateAssociationData 831B809F32A1A9E8C52A5167A35A979F0719B89D08E9A3302264F99D
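The slide shows how to publish a TLSA record but not how the CertificateAssociationData is derived from the certificate. The following is an added example (not from the webinar) that computes it in PowerShell on the DNS server and sanity-checks the result before publishing: a SHA-256 digest is 32 bytes, i.e. exactly 64 hex characters (SHA-512: 128), and anything shorter cannot be a valid matching type 1 value. The certificate path C:\certs\mx.cer is an assumption. Because .NET Framework 4.6 on Windows Server 2016 does not expose the DER SubjectPublicKeyInfo of a certificate directly, this example hashes the full certificate (selector FullCertificate, selector 0) rather than the SPKI used on the slide; on PowerShell 7 (.NET 5 or later) $cert.PublicKey.ExportSubjectPublicKeyInfo() yields the bytes for selector 1.

```powershell
# Added example, not part of the webinar slides. Assumes the MX host's server
# certificate is available as C:\certs\mx.cer (DER or Base64 .cer both load).
function Get-TlsaAssociationData {
    param(
        [Parameter(Mandatory)] [string] $CertificatePath,
        [ValidateSet('Sha256Hash', 'Sha512Hash')] [string] $MatchingType = 'Sha256Hash'
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertificatePath

    $hasher = if ($MatchingType -eq 'Sha256Hash') {
        [System.Security.Cryptography.SHA256]::Create()
    } else {
        [System.Security.Cryptography.SHA512]::Create()
    }
    # Selector 0 (FullCertificate): hash the complete DER-encoded certificate.
    $digest = $hasher.ComputeHash($cert.RawData)
    ([System.BitConverter]::ToString($digest) -replace '-', '')
}

function Test-TlsaAssociationData {
    # Length check before the value goes into the zone: SHA-256 = 64 hex
    # characters, SHA-512 = 128. Also rejects anything that is not hex.
    param(
        [Parameter(Mandatory)] [string] $Hex,
        [ValidateSet('Sha256Hash', 'Sha512Hash')] [string] $MatchingType = 'Sha256Hash'
    )
    $expected = if ($MatchingType -eq 'Sha256Hash') { 64 } else { 128 }
    return ($Hex.Length -eq $expected) -and ($Hex -match '^[0-9A-Fa-f]+$')
}

$data = Get-TlsaAssociationData -CertificatePath 'C:\certs\mx.cer' -MatchingType Sha256Hash
if (-not (Test-TlsaAssociationData -Hex $data -MatchingType Sha256Hash)) {
    throw "CertificateAssociationData has $($data.Length) hex characters, expected 64"
}

# Usage 3 (DANE-EE) with selector 0 and SHA-256, i.e. TLSA "3 0 1".
Add-DnsServerResourceRecord -Name _25._tcp -ZoneName example.com -TLSA `
    -CertificateUsage DomainIssuedCertificate -Selector FullCertificate `
    -MatchingType Sha256Hash -CertificateAssociationData $data

# Confirm what the zone now holds at that owner name.
Get-DnsServerResourceRecord -ZoneName example.com -Name _25._tcp
```

With selector 0 the TLSA record must be updated every time the certificate is reissued; selector 1 (SPKI) survives a renewal that keeps the same key pair, which is why the slide's "3 1 1" form is the common choice for mail servers. Whichever selector you use, the zone must be DNSSEC-signed or the record is inert.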
Support for "Unknown Resource Records"
With new protocols, new DNS record types are added to DNS
• URI
• SMIMEA and OPENPGPKEY
• TA and TALINK
• …
RFC 3597 "Handling of Unknown DNS Resource Record (RR) Types" defines a way to provision a DNS server with resource records unknown to the server software
Support for "Unknown Resource Records"
The DNS server in Windows Server 2016 now supports these unknown resource records
• enables DNS admins to support new protocols that were not published at the release time of Windows Server
• the record data is given in hexadecimal notation (the RDATA in wire format, as in the RFC 3597 "\#" generic syntax)
• the BIND 9 utility "named-rrchecker" can be used to convert the data part of a DNS RR into the hexadecimal format
Example: definition of an IPv4 address "A" record via the generic syntax (type 1; RDATA 0A000001 = 10.0.0.1):
Add-DnsServerResourceRecord -Name www -ZoneName example.com -Type 1 -RecordData "0A000001"
Demo: Unknown RRs
The Uniform Resource Identifier (URI) DNS Resource Record:
https://tools.ietf.org/html/rfc7553

# convert the presentation format into RFC 3597 generic (hex) format with BIND 9's named-rrchecker
> echo 'IN URI 10 1 "http://www.example.com/path"' | named-rrchecker -u
CLASS1 TYPE256 \# 31 000a0001687474703a2f2f7777772e6578616d706c652e636f6d2f70617468

# provision the record on Windows Server 2016 with the type number (URI = 256) and the hex RDATA
PowerShell> Add-DnsServerResourceRecord -Name _http._tcp -ZoneName example.com -Type 256 -RecordData "000a0001687474703a2f2f7777772e6578616d706c652e636f6d2f70617468"
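named-rrchecker is a BIND 9 tool and is not normally present on a Windows DNS server. As an added example (not from the webinar), the functions below build the RFC 3597 hex for a URI record (RFC 7553: 16-bit priority, 16-bit weight, then the target as raw octets, no length byte and no terminator) directly in PowerShell, decode it again as a round-trip check, compare it against the named-rrchecker output shown above, and publish it with -Type 256. The URI values are the slide's own; the rest is illustration.

```powershell
# Added example, not part of the webinar slides.
function ConvertTo-UriRdataHex {
    param(
        [Parameter(Mandatory)] [uint16] $Priority,
        [Parameter(Mandatory)] [uint16] $Weight,
        [Parameter(Mandatory)] [string] $Target
    )
    # RFC 7553 restricts the target to a URI, i.e. printable ASCII; refuse
    # anything else rather than silently producing a record nobody can parse.
    if ($Target -match '[^\x20-\x7E]') { throw "URI target must be printable ASCII" }

    $bytes = New-Object System.Collections.Generic.List[byte]
    # both integers are big-endian on the wire
    $bytes.Add([byte]($Priority -shr 8)); $bytes.Add([byte]($Priority -band 0xFF))
    $bytes.Add([byte]($Weight   -shr 8)); $bytes.Add([byte]($Weight   -band 0xFF))
    $bytes.AddRange([System.Text.Encoding]::ASCII.GetBytes($Target))
    ([System.BitConverter]::ToString($bytes.ToArray()) -replace '-', '').ToLower()
}

function ConvertFrom-UriRdataHex {
    param([Parameter(Mandatory)] [string] $Hex)
    if ($Hex.Length % 2 -ne 0 -or $Hex.Length -lt 8) {
        throw "RDATA must be whole octets and at least 4 bytes (priority + weight) long"
    }
    $bytes = [byte[]]::new([int]($Hex.Length / 2))
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    [pscustomobject]@{
        Priority = ($bytes[0] -shl 8) -bor $bytes[1]
        Weight   = ($bytes[2] -shl 8) -bor $bytes[3]
        Target   = [System.Text.Encoding]::ASCII.GetString($bytes, 4, $bytes.Length - 4)
        Length   = $bytes.Length    # the number after "\#" in RFC 3597 syntax
    }
}

$hex = ConvertTo-UriRdataHex -Priority 10 -Weight 1 -Target 'http://www.example.com/path'

# Cross-check against the named-rrchecker output from the slide above.
$fromRrchecker = '000a0001687474703a2f2f7777772e6578616d706c652e636f6d2f70617468'
if ($hex -ne $fromRrchecker) { throw "encoding mismatch: $hex" }

# Round trip: 4 header bytes + 27 characters of target = 31 bytes.
$decoded = ConvertFrom-UriRdataHex -Hex $hex
if ($decoded.Length -ne 31 -or $decoded.Priority -ne 10 -or $decoded.Weight -ne 1 -or
    $decoded.Target -ne 'http://www.example.com/path') {
    throw "round trip failed: $($decoded | Out-String)"
}

# Provision the record exactly as on the slide, with the computed RDATA.
Add-DnsServerResourceRecord -Name _http._tcp -ZoneName example.com -Type 256 -RecordData $hex
```

The same pattern (pack the RDATA fields in wire order, hex-encode, pass the type number to -Type) works for any RR type the server does not know natively; only the field layout in ConvertTo-... changes per RFC. Decoding what you are about to publish is the cheap check that catches a swapped field or an off-by-one length before the record is live.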
Response Rate Limiting
DNS responses from DNS servers in the Internet (authoritative servers or DNS resolvers) can be misused for denial-of-service attacks
• A problem for a long time, but has been especially popular with attackers in the last five years
• For additional coverage on this topic, watch our webinar "The dangers of DNS reflection attacks" https://www.menandmice.com/resources/educational-resources/webinars/the-dangers-of-dns-reflection-attacks/
What is the problem?
DNS over UDP is "stateless" communication: the source IP address of a query can be spoofed.
[Diagram: an attacker sends a query with a "spoofed" source IP address to some DNS server in the Internet; the answer is delivered to the owner of the "spoofed" IP address]
There are many, many DNS servers to be found in the Internet
One Solution: Response Rate Limiting (RRL)
• RRL was developed by Vernon Schryver and Paul Vixie and implemented in BIND 9, NSD, Knot and PowerDNS. It is now also available in Windows Server 2016.
• The idea: all DNS queries should go through a caching server,
• so identical queries from the same source should not be seen again within the TTL (Time to Live) of the answer
• if the DNS server nevertheless sees (many) recurring identical queries within the TTL, it is likely an attack
• response rate limiting counts the number of identical responses sent to a given network (a prefix, not a single address, since the spoofed source addresses vary)
• outgoing responses are throttled if too many identical responses are sent
• legitimate clients in the victim's network can still resolve DNS data
• when an attack is detected, (almost) empty answers are sent with the "TC" flag set
• "TC" flag = answer truncated, retry over TCP
• a real caching DNS server will repeat the query over TCP (slower, but much harder to spoof, since TCP needs a real return path); a spoofed victim only receives small truncated answers, so there is no amplification
[Diagram: RRL enabled on an authoritative server]
Demo: RRL
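The RRL demo commands themselves are not on the page. The following is an added example (not the webinar's own demo) of a staged RRL rollout on a Windows Server 2016 authoritative server with the cmdlets that ship with the DnsServer module: inspect the defaults, run in LogOnly mode first, exempt your own resolvers, then enforce. The subnet name "OurResolvers" and its address 172.22.1.0/24 (reused from Demo 1) are assumptions, and the numeric limits are starting points to tune against the log, not universal recommendations.

```powershell
# Added example, not part of the webinar slides. Subnet name/address are made up.

# 1. Look at the current settings before changing anything
#    (RRL is delivered in Mode "Disable").
Get-DnsServerResponseRateLimiting

# 2. Dry run: LogOnly applies the limits only to the event log, every query is
#    still answered. Run like this for a while and review the DNS server event
#    log for legitimate sources that would have been throttled.
#    - ResponsesPerSec / ErrorsPerSec: identical responses (or errors) allowed
#      per second to one client prefix before throttling starts
#    - WindowInSec: how long the counters are tracked
#    - IPv4PrefixLength / IPv6PrefixLength: clients are aggregated per prefix,
#      because spoofed source addresses vary within the victim's network
Set-DnsServerResponseRateLimiting -Mode LogOnly -ResponsesPerSec 5 -ErrorsPerSec 5 `
    -WindowInSec 5 -IPv4PrefixLength 24 -IPv6PrefixLength 56 `
    -LeakRate 3 -TruncateRate 2 -Force

# 3. Exempt your own recursive resolvers: their query rate is legitimately
#    high and they are a trusted source. The exception list reuses a named
#    client subnet, exactly like the DNS policies earlier in the deck.
Add-DnsServerClientSubnet -Name "OurResolvers" -IPv4Subnet "172.22.1.0/24"
Add-DnsServerResponseRateLimitingExceptionlist -Name "InternalResolvers" `
    -ClientSubnet "EQ,OurResolvers"

# 4. Enforce once the log shows no false positives.
Set-DnsServerResponseRateLimiting -Mode Enable -Force

# 5. Confirm. LeakRate 3: one in three responses that would be dropped is still
#    sent, so a legitimate client behind a spoofed prefix eventually succeeds.
#    TruncateRate 2: one in two is answered with TC=1 instead of being dropped,
#    which is the "retry over TCP" signal from the slides.
Get-DnsServerResponseRateLimiting |
    Format-List Mode, ResponsesPerSec, ErrorsPerSec, WindowInSec, IPv4PrefixLength, LeakRate, TruncateRate
Get-DnsServerResponseRateLimitingExceptionlist
```

Keep RRL on authoritative servers only: a recursive resolver answering its own clients sees legitimately repetitive traffic from a few prefixes, and the recursion restriction from Demo 1 is the right control there. If something does get throttled that should not have been, -ResetToDefault on Set-DnsServerResponseRateLimiting returns to the shipped values.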
Miscellaneous news
DHCP: Network Access Protection (NAP) has been removed from DHCPv4 in Windows Server 2016
Containers with Docker: lightweight separation of applications on a single Windows Server 2016 instance (can be used to separate a DNS or DHCP server)
Nano Server: minimal Windows Server 2016 image without GUI; can be used to create a lightweight DNS server deployment
Software Defined Networking (SDN) and Layer-4 load balancer: load-balance DNS servers (for example DNS resolvers)
Release Dates
Windows Server 2016 will be released in Q3 2016
Men & Mice Suite 7.3 (September 2016) will support Windows Server 2016
Many of the new features will be supported in the Men & Mice GUI and Web-UI
Upcoming Webinar
June 9th, 2016 - Yeti-DNS
Yeti-DNS - an international research project on the DNS root-server system
Interview with Shane Kerr of BII
How to participate in Yeti-DNS with a DNS resolver
Thank you!
Questions? Comments?