Good Steps to Secure Your Windows DNS infrastructure


I am going to discuss some common DNS attacks that I have seen so far. There could be more, and it would be great if you share your experience in the comments so that others become aware of those attacks as well.

Besides my own experience, I found some valuable information on the internet and have combined everything here.

Zone file compromise
Zone file compromise is possible only in a few circumstances: when someone has physical access to the server, is connected to it remotely, or is logged on over Telnet.
Make sure your DNS servers are properly locked down so that only authorized people can access them, and restrict every remote access method to the DNS servers.

Zone information leakage
If you host public and private zones on the same DNS server, split them: put the public zones on one set of DNS servers and the private zones on another.
If zone transfer is enabled, it must not be open to all IP addresses; that is a big favor to an attacker. List only trusted IP addresses in the zone transfer settings so that the zone is transferred only within your trusted network.
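The zone transfer lock-down described above, as an added example that is not from the original post: it audits every primary zone for an open transfer setting and then restricts the transfer to a fixed list of secondaries. It assumes the DnsServer PowerShell module; the zone name and secondary addresses are constructed values.

```powershell
# Added example, not from the original post. Assumes the DnsServer module on the server
# and a primary zone 'corp.example' with two known secondaries (constructed values).
$ZoneName    = 'corp.example'
$Secondaries = @('10.0.0.21', '10.0.0.22')   # empty array = no secondaries at all

# Audit: any primary zone still set to TransferAnyServer will hand its whole
# zone to anyone who asks for an AXFR.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
    Select-Object ZoneName, IsDsIntegrated, SecureSecondaries, SecondaryServers |
    Format-Table -AutoSize

# Remediate: AD-integrated zones replicate through AD and usually need no
# transfers at all; otherwise allow only the listed secondaries.
if ($Secondaries.Count -eq 0) {
    Set-DnsServerPrimaryZone -Name $ZoneName -SecureSecondaries NoTransfer
} else {
    Set-DnsServerPrimaryZone -Name $ZoneName `
        -SecureSecondaries TransferToSecureServers `
        -SecondaryServers $Secondaries
}

# Verify the change took effect.
Get-DnsServerZone -Name $ZoneName |
    Select-Object ZoneName, SecureSecondaries, SecondaryServers
```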

Compromised dynamic updates
- Always use DHCP to control the DNS records of all intranet machines, and keep a separate range for static or manual records.
- Enable Name Protection on the DHCP scopes that control those DNS records, so that a non-Windows registration is declined if a record with the same name already exists in DNS.
- Enable DNS scavenging so that records are deleted once they become stale.
- Restrict who is allowed to join systems to the domain.
- Use Active Directory integrated zones wherever possible.
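The five dynamic-update controls listed above applied in one script, as an added example that is not from the original post. It assumes the DnsServer, DhcpServer and ActiveDirectory modules are available on the server; the zone name, scope ID and intervals are constructed values.

```powershell
# Added example, not from the original post. Assumes the DnsServer, DhcpServer and
# ActiveDirectory modules; zone name and scope ID are constructed values.
$ZoneName = 'corp.example'
$ScopeId  = '10.0.0.0'

# 1. AD-integrated zone with secure (Kerberos-authenticated) dynamic updates only.
if (-not (Get-DnsServerZone -Name $ZoneName).IsDsIntegrated) {
    ConvertTo-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Domain -Force
}
Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure

# 2. DHCP registers the records for its clients, removes them when the lease
#    expires, and Name Protection refuses a client whose name already exists in DNS.
Set-DhcpServerv4DnsSetting -ScopeId $ScopeId -DynamicUpdates Always `
    -DeleteDnsRROnLeaseExpiry $true -NameProtection $true

# 3. Aging on the zone plus scavenging on the server, so records that are no
#    longer refreshed are removed after NoRefresh + Refresh (7 + 7 days here).
Set-DnsServerZoneAging -Name $ZoneName -Aging $true `
    -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00

# 4. Stop ordinary users from joining (and thereby registering) machines:
#    set the domain's machine account quota to zero.
Set-ADDomain -Identity (Get-ADDomain) -Replace @{ 'ms-DS-MachineAccountQuota' = '0' }

# Report the resulting state for the change record.
Get-DnsServerZone -Name $ZoneName | Select-Object ZoneName, IsDsIntegrated, DynamicUpdate
Get-DhcpServerv4DnsSetting -ScopeId $ScopeId
Get-DnsServerZoneAging -Name $ZoneName
Get-ADObject (Get-ADDomain).DistinguishedName -Properties 'ms-DS-MachineAccountQuota' |
    Select-Object -ExpandProperty 'ms-DS-MachineAccountQuota'
```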

DNS client flooding (denial of service)
Use a forwarding DNS server to hide your internal DNS servers from the public, and use a caching DNS server to reduce the load on your internal DNS servers.
Internal machines should not resolve public hostnames themselves; they should send such queries to the DNS forwarder, which resolves them on their behalf.

Cache poisoning
Mitigate cache poisoning by raising the DNS server's "CacheLockingPercent" to a value that addresses your concern. The setting, and the commands to change it, are described under "Lock down the DNS cache" below.

Least Critical Settings to Secure your DNS Infrastructure

Randomize your DNS source ports
By default, there are 2500 source ports available in the DNS server's socket pool. A port is chosen from this pool as the source port and used until the query is resolved.
You can raise it to 10000 with the following command.
dnscmd /Config /SocketPoolSize <value>
To check the current pool size, use this command.
dnscmd /Info /SocketPoolSize

Lock down the DNS cache
Cache locking is configured as a percent value. For example, if the cache locking value is set to 50, the DNS server does not overwrite a cached entry for half of the duration of the TTL. By default, the cache locking percent value is 100. This value means that the DNS server will not overwrite cached entries for the entire duration of the TTL.
CMD command to change "CacheLockingPercent":
dnscmd /Config /CacheLockingPercent <percent>
PowerShell command to change "CacheLockingPercent":
Set-DnsServerCache -LockingPercent <percent> -ComputerName "SERVER01"

Global Query Block List
Names could be excluded from being answered by the DNS server by adding them to the Global Query Block List. By default, the names WPAD and ISATAP are automatically included in the DNS server Global Query Block List. This means that even if you add a resource record for WPAD or ISATAP, the DNS server will not answer queries for those names.
Command to check the current Global Query Block List:
dnscmd [<ServerName>] /Info /globalqueryblocklist
Command to edit the Global Query Block List:
dnscmd [<ServerName>] /config /globalqueryblocklist [<name> [<name>]...]
Command to enable or disable the Global Query Block List:
dnscmd [<ServerName>] /config /enableglobalqueryblocklist 0|1
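An audit-then-remediate script for the three settings in this section (socket pool size, cache locking and the Global Query Block List), as an added example that is not from the original post. It assumes the DnsServer module and uses the thresholds recommended above; the dnscmd call for the socket pool is the same command shown earlier.

```powershell
# Added example, not from the original post. Assumes the DnsServer module; the
# thresholds are the recommendations above (pool 10000, locking 100%, wpad/isatap blocked).
function Test-DnsHardening {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $settings = Get-DnsServerSetting -ComputerName $ComputerName -All
    $cache    = Get-DnsServerCache -ComputerName $ComputerName
    $gqbl     = Get-DnsServerGlobalQueryBlockList -ComputerName $ComputerName

    @(
        [pscustomobject]@{ Check = 'SocketPoolSize >= 10000'
                           Value = $settings.SocketPoolSize
                           Pass  = [int]$settings.SocketPoolSize -ge 10000 }
        [pscustomobject]@{ Check = 'CacheLockingPercent = 100'
                           Value = $cache.LockingPercent
                           Pass  = [int]$cache.LockingPercent -eq 100 }
        [pscustomobject]@{ Check = 'GlobalQueryBlockList enabled'
                           Value = $gqbl.Enable
                           Pass  = [bool]$gqbl.Enable }
        [pscustomobject]@{ Check = 'wpad and isatap blocked'
                           Value = ($gqbl.List -join ',')
                           Pass  = ($gqbl.List -contains 'wpad') -and ($gqbl.List -contains 'isatap') }
    )
}

$results = Test-DnsHardening
$results | Format-Table -AutoSize

# Remediate only the checks that failed (run on the DNS server itself).
foreach ($r in ($results | Where-Object { -not $_.Pass })) {
    switch -Wildcard ($r.Check) {
        'SocketPoolSize*'   {
            dnscmd /Config /SocketPoolSize 10000
            Restart-Service DNS          # the new pool size is used only after a restart
        }
        'CacheLocking*'     { Set-DnsServerCache -LockingPercent 100 }
        'GlobalQueryBlock*' { Set-DnsServerGlobalQueryBlockList -Enable $true }
        'wpad*'             {
            # -List replaces the whole list, so merge with whatever is already there.
            $current = @((Get-DnsServerGlobalQueryBlockList).List)
            Set-DnsServerGlobalQueryBlockList -List ($current + 'wpad','isatap' | Select-Object -Unique)
        }
    }
}
Test-DnsHardening | Format-Table -AutoSize
```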

High Critical Settings to Secure your DNS Infrastructure

Disable Recursion
If some of your DNS servers should not contact other DNS servers, internally or externally, to resolve queries, check the "Disable recursion" option under the "Advanced" tab of the DNS server properties.
Important note: doing so also removes and disables all forwarders in the DNS server properties.

Restrict DNS servers to listen on specific addresses
Under the DNS server properties there is an Interfaces option where you can select the interfaces on which the server accepts DNS queries. Before changing it, make sure you are selecting the correct interface; otherwise no DNS queries will reach this DNS server.

Consider using a private root hints file
Root hints tell the DNS server where to start the recursion process.
You can modify or delete the root hints if you do not want any public DNS query to be resolved.
Check the "Root Hints" tab under the DNS server properties.
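The three "High Critical" settings above applied from PowerShell, as an added example that is not from the original post. It is meant to run on the DNS server itself and assumes the DnsServer module; the listening address, the chosen role and the internal root server are constructed values. The interface step verifies the address belongs to the host before applying it, which is the check the text warns about.

```powershell
# Added example, not from the original post. Run on the DNS server itself; assumes the
# DnsServer module. The address, role and internal root server are constructed values.
$ListenOn = @('10.0.0.10')     # interface(s) that should receive DNS queries
$Role     = 'NoRecursion'      # 'NoRecursion' or 'PrivateRoot'

# Interfaces: refuse to apply an address this host does not own, since a wrong
# choice means no query reaches the server at all.
$local   = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
$missing = $ListenOn | Where-Object { $local -notcontains $_ }
if ($missing) { throw "Not a local address: $($missing -join ', ')" }
$s = Get-DnsServerSetting -All
$s.ListeningIPAddress = $ListenOn
Set-DnsServerSetting -InputObject $s

switch ($Role) {
    'NoRecursion' {
        # Record the forwarders first: disabling recursion removes them as well.
        $fwd = (Get-DnsServerForwarder).IPAddress
        Write-Host "Forwarders being dropped: $($fwd -join ', ')"
        Set-DnsServerRecursion -Enable $false
    }
    'PrivateRoot' {
        # Keep recursion but start it at an internal root instead of the public
        # root servers, so no query for a public name leaves the enterprise.
        Get-DnsServerRootHint | Remove-DnsServerRootHint -Force
        Add-DnsServerRootHint -NameServer 'root1.corp.example' -IPAddress '10.0.0.5'
    }
}

# Show the resulting state for the change record.
(Get-DnsServerSetting -All).ListeningIPAddress
Get-DnsServerRecursion | Select-Object Enable
Get-DnsServerRootHint
```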

Thank you. Please share your comments.
