Additional Registry Entries. Updated: August 31, 2011. Applies To: Windows Server 2008. The Windows 8 TCP/IP implementation shares many traits with earlier Windows versions, however, there are some subtle differences, new syntax for applying tweaks, and. Having decided to start this blog to convey my experience with network analysis and troubleshooting, one subject instantly sprang to mind for my first post. The default is 1 for client operating systems. By default, Windows Scaling Diagnostics (WSD) automatically disables TCP receive window auto tuning when heuristics. Without DNS you would be forced to memorize the IP addresses of all the clients and servers on your network. That might have been something you could have done in 1. And DNS is going to be even more important as we slowly transition from IPv. IPv. 6. While some talented administrators could realistically remember the dotted quad addresses for dozens or maybe even hundreds of servers, that just isn’t going to happen with IPv. IP addresses are 1. IPv. 6 is going to bring DNS back to the forefront of your awareness. Because DNS is going to be ever more important, you’re going to need to be sure that your DNS server solution is secure. Historically, there was a large amount of implicit trust in DNS deployments. There was an implicit trust that the DNS client could trust the DNS server, and there was implicit trust that the records returned from the DNS server to the DNS client were valid. While this “gentleman’s agreement” has worked reasonably well for the last few decades, the time has come when we need to be able to guarantee that the information provided by the DNS server is valid and that client/server DNS communications are secure. This has me thinking about the Windows Server 2. R2 DNS server. There are several new features in the Windows Server 2. R2 DNS server that you can use to improve the overall security of your DNS infrastructure. These include: DNS Security Extensions (DNSSEC). Control over DNS devolution behavior. DNS cache locking. DNS Socket Pool. In this article, I’m going to provide you a brief overview of each of these features and how you can use them to create a more secure DNS for your network. DNS Security Extensions (DNSSEC)DNSSEC is a group of specifications from the Internet Engineering Task Force (IETF) that provide for origin authentication of DNS data, authenticated denial of existence and data integrity (not data confidentiality). The purpose of DNSSEC is to protect against forged DNS information (for example, DNS cache poisoning), by using digital signatures. DNSSEC is actually a collection of new features added to the DNS client/server interaction that help increase the security of the basic DNS protocols. The core DNSSEC features are specified in: RFC 4. RFC 4. 03. 5 DNSSEC introduces several new terms and technologies on both the client and server side. For example, DNSSEC adds four new DNS resource records: Windows Server 2. R2 Implementation. Windows Server 2. R2 and Windows 7 are the first Microsoft operating systems to support DNSSEC. You can now sign and host DNSSEC signed zones to increase the level of security for your DNS infrastructure. The following DNSSEC related features are introduced in Windows Server 2. R2: The ability to sign a zone (that is, to provide the zone a digital signature). Describes ARP caching behavior in Windows Vista TCP/IP implementations.The ability to host signed zones. New support for the DNSSEC protocol. New support for DNSKEY, RRSIG, NSEC, and DS resource records. Windows Server 2008 and Windows Vista TCP/IP was completely redesigned to support both Internet Protocol version 4 (IPv4) and Internet Protocol. DNSSEC can add origin authority (confirmation and validation of the original of the DNS information presented to the DNS client), data integrity (provide assurance that the data has not been changed), and authenticated denial of existence to DNS (a signed response confirming that the record does not exist). Windows 7/Server 2. R2 DNS Client Improvements. In addition to the DNS server updates in Windows Server 2. R2, there are some improvements in the Windows 7 DNS client (which also includes the DNS client service in Windows Server 2. R2): The ability to communicate awareness of DNSSEC in DNS queries (which is required if you decide to used signed zones). The ability to process the DNSKEY, RRSIG, NSEC, and DS resource records. The DNS client DNSSEC related behavior is set by the NRPT. The NRPT enables you to create a type of policy based routing for DNS queries. For example, you can configure the NRPT to send queries for contoso. DNS server 1, while queries for all other domains are sent to the DNS server address configured on the DNS client’s network interface card. You configure the NRPT in Group Policy. The NRPT is also used to enable DNSSEC for defined namespaces, as seen in Figure 1 below. Figure 1. Understanding how DNSSEC works. A key feature of DNSSEC is that it enables you to sign a DNS zone – which means that all the records for that zone are also signed. The DNS client can take advantage of the digital signature added to the resource records to confirm that they are valid. This is typical of what you see in other areas where you have deployed services that depend on PKI. The DNS client can validate that the response hasn’t been changed using the public/private key pair. In order to do this, the DNS client has to be configured to trust the signer of the signed zone. The new Windows Server 2. R2 DNSSEC support enables you to sign file- based and Active Directory integrated zones through an offline zone signing tool. I know it would have been easier to have a GUI interface for this, but I guess Microsoft ran out of time or figured that not enough people would actually use this feature to make it worthwhile to make the effort to create a convenient graphical interface for signing a zone. The signing process is also done off- line. After the zone is signed, it can be hosted by other DNS servers using typical zone transfer methodologies. When configured with a trust anchor, a DNS server is able to validate DNSSEC responses received on behalf of the client. However, in order to prove that a DNS answer is correct, you need to know at least one key or DS record that is correct from sources other than the DNS. These starting points are called trust anchors. Another change in the Windows 7 and Windows Server 2. R2 DNS client is that it acts as a security- aware stub resolver. This means that the DNS client will let the DNS server handle the security validation tasks, but it will consume the results of the security validation efforts performed by the DNS server. The DNS clients take advantage of the NRPT to determine when they should check for validation results. After the client confirms that the response is valid, it will return the results of the DNS query to the application that triggered the initial DNS query. Using IPsec with DNSSECIn general, it’s a good idea to use IPsec to secure communications between all machines that participate on your managed network. The reason for this is that it’s very easy for an intruder to put network analysis software on your network and intercept and read any non- encrypted content that moves over the wire. However, if you use DNSSEC, you’ll need to be aware of the following when crafting your IPsec policies: DNSSEC uses SSL to secure the connection between the DNS client and server. There are two advantages of using SSL: first, it encrypts the DNS query traffic between the DNS client and DNS server, and second, it allows the DNS client to authenticate the identity of the DNS server, which helps ensure that the DNS server is a trusted machine and not a rogue. The reason for this is that the domain IPsec policy will be used and DNSSEC certificate- based authentication will not be performed. The end result is that the client will fail the EKU validation and end up not trusting the DNS server. Control Over DNS Devolution. DNS devolution has been available for a long time in Windows DNS clients. No, it doesn’t mean that the operating systems are less evolved. Devolution allows your client computers that are members of a subdomain to access resources in the parent domain without the need to provide the exact FQDN for the resource. For example, if the client uses the primary DNS suffix corp. Notice that when the devolution level is set to two, the devolution process stops when there are two labels for the domain name (in this case, corp. Now, if the devolution level were set to three, the devolution process would stop with server. However, devolution is not enabled in Active Directory domains when: There is a global suffix search list assigned by Group Policy. Parent suffixes are obtained by devolution. Figure 2. Previous versions of Windows had an effective devolution level of two. What’s new in Windows Server 2. R2 is that you can now define your own devolution level, which gives you more control over the organizational boundaries in an Active Directory domain when clients try to resolve names in the domain. You can set the devolution level using Group Policy, as seen in Figure 3 below (Computer Configuration\Policies\Administrative Templates\Network\DNS Client). Figure 3. DNS Cache Locking. Cache locking in Windows Server 2. R2 enables you to control the ability to overwrite information contained in the DNS cache. When DNS cache locking is turned on, the DNS server will not allow cached records to be overwritten for the duration of the time to live (TTL) value. This helps protect your DNS server from cache poisoning. You can also customize the settings used for cache locking. When a DNS server configured to perform recursion receives a DNS request, it caches the results of the DNS query before returning the information to the machine that sent the request. Like all caching solutions, the goal is to enable the DNS server to provide information from the cache with subsequent requests, so that it won’t have to take the time to repeat the query. The DNS server keeps the information in the DNS server cache for a period of time defined by the TTL on the resource record. However, it is possible for information in the cache to be overwritten if new information about that resource record is received by the DNS server. One scenario where this might happen is when an attacker attempts to poison your DNS cache. If the attacker is successful, the poisoned cache might return false information to DNS clients and send the clients to servers owned by the attacker. Cache locking is configured as a percentage of the TTL. For example, if the cache locking value is set to 2. DNS server will not overwrite a cached entry until 2. TTL for the resource record has passed. The default value is 1.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
December 2016
Categories |