DNS is a rather simple service, but your entire network infrastructure depends on it, so securing it is very important. Even though DNS is just a database of names and numbers, an attacker who compromises that database can take the information out of it. Some attacks are carried out purely to collect data from your DNS database so that it can later be used against you to build a picture of how your network is laid out.

DNS basics

DNS, or Domain Name Service, is the service that converts names into IP addresses. The key here is to understand which names are involved. As its name implies, DNS stores information associated with a domain. For example, Active Directory uses DNS for all domain names and for the names of all computers on the network. If the domain name is policy.org and the first domain controller in your domain is PDC1, you will have DNS records similar to those shown in Figure 1.

Securing DNS within Active Directory

The first decision you have to make concerns the type of DNS database you will configure to support your Active Directory domain. You can store the information in a standard DNS database, with a primary DNS server and secondary DNS servers, or you can make the DNS database Active Directory-integrated, as shown in Figure 2.

It is strongly recommended that your DNS servers be Active Directory-integrated, provided they run Windows and support Active Directory, because of the security advantages this gives you. This type of DNS database also gains some redundancy and stability, but in this article we focus on the security aspects.

The main security advantage you get from integrating the DNS database into Active Directory is secure dynamic update, whose configuration is shown in Figure 3. Dynamic update is a key DNS feature that lets computers automatically register their names and IP addresses with the DNS server when they join the network or when their IP address changes via the DHCP server. It removes the need to update name and IP address entries in the DNS database by hand, as was done previously. The security aspect comes into play because automatic updates from clients could open the door to illegitimate modifications of the DNS database. Secure dynamic update therefore guarantees that the computer attempting to update the DNS server also has an account in the Active Directory database. This means that only computers joined to the Active Directory domain can dynamically update the DNS database.

Performing dynamic updates via DHCP

In a Windows environment you can also configure the DHCP server to perform dynamic updates on behalf of the client. This is not required for computers running Windows 2000/XP/Server 2003/Vista, but it is required for computers running Windows NT/9x. In some cases this is therefore not just a convenience but a requirement: the DHCP server must perform the update on behalf of the client computers.

The pitfall in this configuration is that the DHCP server becomes the owner of the records, which prevents other DHCP servers or the clients themselves from updating those records in the future. To solve this there is the DNSUpdateProxy group. Add the DHCP server accounts to this group, and the DNS records the server creates for those clients will have an open access control list (ACL). The new ACL will include Authenticated Users, who will be able to update the DNS records for the client. This is designed so that other DHCP servers, or even the clients themselves, can update those DNS records later on.


Giving Authenticated Users the ability to update client records is not too bad in itself, but there is another problem. If you install DHCP on a domain controller and then add that computer to the group, all records created by the domain controller end up with the same open ACL. Those domain controller records are so important to the security and stability of Active Directory that protecting them is one of your organization's key interests. The entries that can be exposed this way include the SRV (service resource) records that govern how clients and servers locate Active Directory services on the network. This includes the Kerberos, site, TCP, IP and many other SRV records.

The solution to this problem is therefore not to install DHCP on your domain controllers. If DHCP is already installed on a domain controller, the best approach is to prevent those servers from performing DHCP dynamic updates for clients. Otherwise you end up with insecure settings on the domain controller's DNS records.
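The checks described above, as an added PowerShell audit example that is not part of the original article: it lists domain controllers that are members of DnsUpdateProxy or that run the DHCP role, and enforces secure-only dynamic update on AD-integrated zones. It assumes the ActiveDirectory, DnsServer and ServerManager modules, domain admin rights, and an assumed DNS server name dns01.

```powershell
# Added audit example, not code from the original article.
# Assumptions: ActiveDirectory, DnsServer and ServerManager modules are present,
# the script runs with domain admin rights, and 'dns01' is a placeholder server name.
Import-Module ActiveDirectory, DnsServer, ServerManager

$dnsServer = 'dns01'   # assumed DNS server to audit

# 1. Domain controllers must not be members of DnsUpdateProxy: membership gives every
#    record they register (including the SRV records for Kerberos/LDAP) an open ACL.
$dcNames = (Get-ADDomainController -Filter *).Name
$proxyMembers = Get-ADGroupMember -Identity 'DnsUpdateProxy' -Recursive |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { $_.Name }

foreach ($dc in $dcNames) {
    if ($proxyMembers -contains $dc) {
        Write-Warning "$dc is a domain controller AND a DnsUpdateProxy member: its records get an open ACL"
    }
    # 2. The DHCP role on a DC is the scenario the article warns about.
    $dhcp = Get-WindowsFeature -Name DHCP -ComputerName $dc
    if ($dhcp.Installed) {
        Write-Warning "$dc runs the DHCP role; move DHCP off the DC or stop it registering client records"
        # Fallback remediation on that DC: the DHCP service never performs DNS updates.
        # Set-DhcpServerv4DnsSetting -ComputerName $dc -DynamicUpdates Never
    }
}

# 3. Every AD-integrated primary zone should accept secure dynamic updates only.
Get-DnsServerZone -ComputerName $dnsServer |
    Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' } |
    ForEach-Object {
        if (-not $_.IsDsIntegrated) {
            Write-Warning "$($_.ZoneName): not AD-integrated, so secure dynamic update is unavailable"
        } elseif ($_.DynamicUpdate -ne 'Secure') {
            Write-Warning "$($_.ZoneName): DynamicUpdate is $($_.DynamicUpdate); setting it to Secure"
            Set-DnsServerPrimaryZone -ComputerName $dnsServer -Name $_.ZoneName -DynamicUpdate Secure
        }
    }
```

The remediation in step 2 is left commented out so the script reports before it changes the DHCP server's behaviour.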

As you have seen, DNS is a simple yet potentially complex service. Given that its only task is to convert names into IP addresses and vice versa, you might imagine it is very easy to set up and secure. Yet there are settings that lead to a more secure and stable DNS environment. First, integrating the DNS database into Active Directory gives seamless compatibility with Active Directory and the ability to perform secure dynamic updates. Secure dynamic updates help protect the DNS database from foreign entries made by computers that are not part of the domain. The clients can perform these dynamic updates themselves or hand the task to DHCP. If you choose to use DHCP together with the DNSUpdateProxy group, make sure this does not carry over to your domain controllers' records in DNS. The simple solution is not to run DHCP on your domain controllers.
In the last article I covered some basic aspects of DNS security, including some of the very foundations of DNS.

Zone transfers

When it comes to DNS zones, you must understand that there are different types of zones you can use within your DNS. While we have focused on only a few of them, here is the list of zone types you can have in DNS:

• Active Directory-integrated zone
• Primary zone
• Secondary zone
• Stub zone

The zone transfer interface is fairly clear about your options, as you can see in Figure 4. You can either allow "any" DNS server to receive the contents of the primary zone, or you can narrow it down to a few DNS servers of your choosing. Of course, for security reasons you should limit the set of DNS servers authorized to receive the IP addresses and domain names of every computer in your organization!

Securing zone transfers

You can also take the security of DNS zone transfers to another level. Securing DNS is not a radical concept; most companies now apply additional settings to secure DNS zone transfers. There are several options for securing DNS zone transfers, and which one fits depends on how your DNS environment is configured.

Forwarding (all four types)

The first is standard forwarding, shown in Figure 5, in which all queries that the DNS server cannot answer itself are forwarded (redirected) to another DNS server. This is ideal when you have an internal DNS server that is used for all internal names and for Active Directory. All clients are configured to use this DNS server, but it knows nothing about names on the Internet. So when it receives a query for an Internet name, the query is forwarded to another DNS server that can resolve it. This helps protect the internal DNS server from being used by computers that are external to your network.
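The zone transfer restriction from the previous section and the forwarding configuration described here, as an added PowerShell example that is not part of the original article: it replaces the "any server" transfer policy with an explicit list of secondaries and points the internal server at an upstream forwarder. The server name dns01, the secondary addresses and the forwarder address are constructed placeholders; the DnsServer module is assumed.

```powershell
# Added hardening example, not code from the original article.
# Assumptions: DnsServer module on a Windows DNS server; all names/addresses below are placeholders.
Import-Module DnsServer

$dnsServer   = 'dns01'                      # assumed internal primary DNS server
$secondaries = @('10.0.0.11', '10.0.0.12')  # constructed: the only servers allowed to pull zones
$forwarders  = @('203.0.113.53')            # constructed: upstream resolver for Internet names

# Zone transfer policy per primary zone. 'TransferAnyServer' is the "any" option
# the article warns about: anyone who can reach TCP/53 gets the whole zone.
$zones = Get-DnsServerZone -ComputerName $dnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

foreach ($zone in $zones) {
    switch ($zone.SecureSecondaries) {
        'TransferAnyServer' {
            Write-Warning "$($zone.ZoneName): any host can pull the zone; restricting to listed secondaries"
            Set-DnsServerPrimaryZone -ComputerName $dnsServer -Name $zone.ZoneName `
                -SecureSecondaries TransferToSecureServers -SecondaryServers $secondaries
        }
        'TransferToZoneNameServer' {
            # Acceptable only if every NS record is one of your own servers; show them for review.
            $ns = (Get-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName $zone.ZoneName -RRType NS).RecordData.NameServer
            Write-Output "$($zone.ZoneName): transfers limited to NS records: $($ns -join ', ')"
        }
        default { Write-Output "$($zone.ZoneName): transfer policy is $($zone.SecureSecondaries)" }
    }
}

# Forwarding: the internal server answers only for its own zones and hands every other
# query to the upstream resolver instead of recursing to the Internet itself.
$fw = Get-DnsServerForwarder -ComputerName $dnsServer
$current = @($fw.IPAddress | ForEach-Object { $_.IPAddressToString })
if (Compare-Object $current $forwarders) {
    Write-Warning "forwarders are [$($current -join ', ')]; setting to [$($forwarders -join ', ')]"
    Set-DnsServerForwarder -ComputerName $dnsServer -IPAddress $forwarders -UseRootHint $false
}
```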

Summary

DNS can be complex, but on closer examination it looks less complicated and can be properly secured. In this article you saw that the DNS database can be protected by specifying exactly which DNS servers are allowed to receive a zone transfer. With that configuration, your primary zones, or Active Directory-integrated zones, will have specific secondary DNS servers with which they interact. Without it, a compromised DNS server can yield important information about your network. There is another way to secure DNS as well: DNS servers can be protected through integration with Active Directory, or with more modern technologies such as IPsec or a VPN tunnel. Finally, controlling forwarding on your DNS servers guarantees more accurate name resolution and also helps protect your internal DNS server from attack.