Step 5: Secure DNS Zone Transfers
DNS servers distribute information (specifically, computer names and their IP addresses) one record at a time to a client upon request. Because a client asks only for the IP address of a particular host name, that data is at little risk of interception. But attackers would love to get their hands on the complete contents of your DNS zones, and that information frequently travels between DNS servers, making it vulnerable to interception.
During DNS server synchronization, NT DNS servers send the complete zone file (in plaintext, as I mentioned earlier) even if just one record has changed. The only way to protect zone transfers between NT DNS servers is through a VPN tunnel or third-party encryption software. Upgrading your DNS servers to Win2K is usually simpler.
Because Win2K DNS supports incremental zone transfer (IXFR) for standard zones, Win2K DNS servers transfer only the records that have changed. This approach greatly reduces the opportunities to intercept an entire zone: Win2K DNS servers send the entire zone only when you add a new secondary DNS server. Zone transfer security is a key reason for implementing AD-integrated zones. These zones transfer DNS information as part of the AD replication process between DCs, so transfers are encrypted as well as incremental.
Another advantage of the AD-integrated zone transfer process is that only DCs in the zone's domain can receive zone information. If you use standard zones and don't configure them properly, an attacker can prompt the zones to transfer complete zone information to any DNS server. Because anyone who has access to a client system can easily determine a DNS server's address, capturing zone information is even simpler than running a packet sniffer: attackers can simply set up their own rogue DNS server, create a secondary zone, and in the process request a zone transfer from your DNS server.
You can protect standard zones from interception, but only by changing Microsoft's default configuration, which allows zone transfers to any server. On Win2K or NT, you should limit transfers to specific servers that are authorized DNS partners. To configure standard zones for limited zone transfer, complete the following steps:
1. Launch the DNS plugin at the zone's primary server.
2. Double-click the DNS server's name.
3. Double-click Forward Lookup Zones.
4. Right-click the zone name and select Properties.
5. On the Zone Transfers tab, select Only to the following servers under Allow zone transfers, as Figure 3 shows.
6. Type the IP address of a secondary DNS server for the zone, and click Add.
7. Repeat Step 6 for all other secondary DNS servers. (You must configure zone transfer for each zone individually.)
8. Click OK.
Step 6: Secure DNS Updates
Although I strongly recommend Win2K DNS over NT DNS, Win2K DNS introduces some security concerns of its own. One concern is that a client computer can make changes to the DNS database. Win2K's dynamic DNS (DDNS) updates let clients and DHCP servers automatically, and remotely, perform the tedious task of maintaining a DNS database. (Under NT, changing the DNS database is a manual process that must be performed by administrators who are connected to the DNS server, making NT DNS more secure than Win2K DNS in this regard.) However, changing DNS records for even one system at a time offers an opportunity for an attacker to capture data, then use it to impersonate a crucial system.
For example, attackers have used spoofing on the public Internet to alter DNS servers and redirect users to false retail sites or pornographic sites. The far-reaching AlterNIC spoof of 1997 is one example of such an exploit. DNS, after all, controls the ultimate addressing of all traffic on a TCP/IP network. Malicious users can take advantage of the dynamic update feature to switch users from a legitimate system to an impersonator.
Security was clearly on the minds of Microsoft's Win2K DNS developers, and they addressed the possibility of attackers misusing dynamic updates. After a client registers with an AD-integrated zone that's configured to accept only secure updates, the client can change that DNS host record only if the client is authenticated by AD. Although Win2K DNS supports dynamic updates for standard zones, you can't secure those updates.
To configure an AD-integrated zone to require secure dynamic updates, follow these steps:
1. Launch the DNS plugin.
2. Double-click the DNS server's name.
3. Double-click Forward Lookup Zones.
4. Right-click the zone name and select Properties.
5. On the General tab, choose Only secure updates from the Allow dynamic updates? drop-down list, as Figure 4 shows. (If Allow dynamic updates? doesn't appear, the zone isn't AD-integrated.)
6. Click OK.
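Both procedures in Steps 5 and 6 set a single property of the zone through the DNS console: which servers may request a zone transfer, and whether dynamic updates must be authenticated. On current Windows Server versions the same two properties can be audited and applied from PowerShell, which is useful when you have many zones and want to confirm that none has been left at the "any server" default. The script below is an added example, not code from the article or from Microsoft; it assumes the DnsServer PowerShell module (Windows Server 2012 or later, so it does not apply to Win2K itself) and a session with DNS administrator rights, and the server name and secondary addresses are hypothetical placeholders.

```powershell
# Added example (not from the original article): audit, and optionally fix, the
# zone-transfer and dynamic-update settings that Steps 5 and 6 set by hand.
# Assumes the DnsServer module and DNS administrator rights; the server name and
# secondary addresses used at the bottom are hypothetical placeholders.
Import-Module DnsServer

function Get-DnsZoneHardeningFindings {
    param(
        [string]   $ComputerName,            # DNS server to audit
        [string[]] $AuthorizedSecondaries,   # the only servers allowed to pull zones
        [switch]   $Fix                      # apply the recommended values
    )
    $findings = @()

    # Primary zones only: secondaries and stubs do not own the data, and the
    # auto-created zones (loopback reverse zones and the like) hold nothing sensitive.
    $zones = Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

    foreach ($zone in $zones) {
        # Step 5: 'TransferAnyServer' is the default the article warns about; any
        # host that can reach the server may request the complete zone. Restrict
        # transfers to the listed partners, or forbid them when there are none.
        if ($zone.SecureSecondaries -eq 'TransferAnyServer') {
            $wanted = if ($AuthorizedSecondaries.Count -gt 0) { 'TransferToSecureServers' } else { 'NoTransfer' }
            $findings += [pscustomobject]@{
                Zone        = $zone.ZoneName
                Setting     = 'Zone transfers'
                Current     = $zone.SecureSecondaries
                Recommended = $wanted
            }
            if ($Fix) {
                $params = @{ ComputerName = $ComputerName; Name = $zone.ZoneName; SecureSecondaries = $wanted }
                if ($wanted -eq 'TransferToSecureServers') { $params.SecondaryServers = $AuthorizedSecondaries }
                Set-DnsServerPrimaryZone @params
            }
        }

        # Step 6: only an AD-integrated zone can require authenticated updates
        # ('Secure' is what the 'Only secure updates' choice in the console writes).
        if ($zone.IsDsIntegrated) {
            if ($zone.DynamicUpdate -ne 'Secure') {
                $findings += [pscustomobject]@{
                    Zone        = $zone.ZoneName
                    Setting     = 'Dynamic updates'
                    Current     = $zone.DynamicUpdate
                    Recommended = 'Secure'
                }
                if ($Fix) {
                    Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $zone.ZoneName -DynamicUpdate Secure
                }
            }
        }
        elseif ($zone.DynamicUpdate -ne 'None') {
            # A standard zone cannot secure its updates, so report it for an
            # administrator to either disable updates or convert the zone.
            $findings += [pscustomobject]@{
                Zone        = $zone.ZoneName
                Setting     = 'Dynamic updates (standard zone, cannot be secured)'
                Current     = $zone.DynamicUpdate
                Recommended = 'None, or convert the zone to AD-integrated'
            }
        }
    }
    return $findings
}

# Report only; add -Fix to apply the recommended values to every flagged zone.
Get-DnsZoneHardeningFindings -ComputerName 'dns1.example.internal' `
    -AuthorizedSecondaries @('10.0.0.53', '10.0.1.53') | Format-Table -AutoSize
```

Run without -Fix first and review the Zone, Setting, Current and Recommended columns; a zone that legitimately has no secondaries is set to NoTransfer rather than given an empty partner list, since TransferToSecureServers requires at least one address. The third finding type has no automatic fix on purpose: whether to convert a standard zone to AD-integrated or simply disable its dynamic updates is a design decision, not a setting to flip.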
Worry-Free DNS
Because many administrators consider DNS a simple, low-risk or no-risk network function, they often overlook it when implementing security. Take these six steps to ensure that DNS doesn't become a security liability on your network.