
Lock IT Down: Secure your DNS servers by editing the registry

Learn the registry tricks to make Windows DNS more secure


Whether it’s configurations within Microsoft DNS service that can be used to make a server more secure, or additional operating system and network environment configurations, there are small measures you can take to help offer greater security for your clients. Here’s a look at some easy DNS-related tips to tighten your client’s security.

Second of two parts
This is the second of two articles that discuss small steps consultants can take to improve security for their clients. The first article in this series discussed quick fixes to secure Windows 2000 DNS services.

Environmental configuration for DNS
DNS servers that manage Active Directory-integrated domains have similar security requirements to domain controllers. Options for securing these are as follows:
  • Place the DNS server behind a firewall. Do not run a DNS server with Active Directory services on the Internet.
  • If you require communication between your network and the Internet (or external WANs), place a DNS server (not managing Active Directory-integrated domains) that will communicate with your network and the Internet outside your firewall.
    Some of you will choose to use your Internet service provider’s DNS servers for this purpose. Place a second DNS server, which can manage Active Directory-integrated domains, inside your firewall. This second DNS server will forward requests it cannot answer to the DNS server outside the firewall.
  • Configure Active Directory-integrated domains to use private domain names (for example, techrepublic.local or techrepublic.pbs) or any first-level domain (for example, .local, .trm, .pgf) that isn’t recognized by the public Internet. If you choose this option, you won’t be able to forward DNS requests to DNS servers on the Internet. You can get around this by using a proxy server through which clients send DNS requests over the Internet.
    Caution: Consider this carefully. If this is your first domain in the first Active Directory forest, you cannot rename without re-creating your Active Directory structure.
  • Use private IP addresses (for example, 10.0.x.x or 192.168.x.x) instead of public IP addresses that are recognized over the Internet. Note: This won’t necessarily help you if you allow traffic to come through your firewall. If an individual gets access to a system on the network from the outside, that person may still be able to locate the DNS servers on the network.

Minimizing DoS attacks
Several registry settings can be used to minimize the likelihood of denial of service (DoS) attacks on a DNS server (or any server, actually). I recommend that, before you attempt to make any changes to the registry on a production system, you test these settings on a non-production server and back up the registry from the production server.

All registry key settings will be configured under this key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. Table A outlines the settings you can use.


Table A

Value Name: EnableDeadGWDetect
Value Type: REG_DWORD
Description: This allows TCP/IP to switch to a secondary gateway when many connections are having problems. This is not desirable in the case of denial of service attacks because traffic could be directed to a gateway that is not monitored. Set this value to 0.

Value Name: EnablePMTUDiscovery
Value Type: REG_DWORD
Description: This allows TCP/IP to determine the maximum transmission unit (MTU) that can travel over a path to the system; the size of the segments is then limited to this size. However, an attacker can force the transmission to a very small size, which can overwhelm the TCP/IP stack. If you set the value to 0, the MTU will always be set to 576 bytes.

Value Name: KeepAlive
Value Type: REG_DWORD
Description: This sets how frequently an idle connection to a remote system should be verified. Set the value to 300,000.

Value Name: SynAttackProtect
Value Type: REG_DWORD
Description: This works against a specific type of denial of service attack called a SYN flood attack. SYN flood attacks interfere with the normal acknowledgement handshake between a client and a server. The normal process is:
  1. The client sends a SYN message to the server.
  2. The server responds with a SYN-ACK message.
  3. The client completes the connection by responding with an ACK message.
If a server is under attack, it will get a flood of connection requests from a bogus system. The server will never get the final ACK message from the client, so the server’s memory structure will fill up with invalid connections, eliminating the ability of legitimate systems to connect.
The recommended value is 2. This will time out TCP connection attempts more quickly if a SYN attack is in progress. Caution: if you set this option, TCP socket parameters (e.g., window size and scalable windows) will no longer work. You can also set the value to 1, but it is not as strong a protection as setting the value to 2.


Accessing the registry
To access the registry, complete the following steps:
  1. Access the Start menu and choose Run.
  2. Type REGEDIT.
  3. Navigate to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
  4. Create a new value setting (see Table A) by selecting Edit Menu | New | DWORD.
  5. Type the name of the value in the selected item in the right panel.
  6. Double-click the name of the value.
  7. Type the value.
  8. Click the OK button.
  9. Repeat steps 4 through 8 for each value name you want to set.
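The same audit-then-apply procedure can be scripted rather than clicked through in REGEDIT, which also makes the backup the article recommends part of the change itself. This is an added example, not from the article: it assumes a host with PowerShell run as Administrator and reg.exe on the path, and it uses KeepAliveTime (the documented name of the TCP/IP keepalive interval, in milliseconds) for the value Table A lists as KeepAlive.

```powershell
# Added example: audit and apply the Table A hardening values under the Tcpip\Parameters key.
# Assumes PowerShell run as Administrator and reg.exe available for the backup step.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$RegExport = 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Recommended REG_DWORD values from Table A (KeepAlive listed there is KeepAliveTime in the registry).
$Recommended = [ordered]@{
    EnableDeadGWDetect  = 0        # do not fail over to an unmonitored gateway under load
    EnablePMTUDiscovery = 0        # fixed 576-byte MTU; remote side cannot force a tiny MTU
    KeepAliveTime       = 300000   # verify idle connections every 300,000 ms (5 minutes)
    SynAttackProtect    = 2        # time out half-open connections faster during a SYN flood
}

# Back up the key before touching it, as the article advises, so the change can be reverted.
function Backup-TcpipParameters {
    $file = Join-Path $env:TEMP ('Tcpip-Parameters-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export $RegExport $file /y | Out-Null
    return $file
}

# Audit: report each value's current setting against the recommendation without changing anything.
function Get-TcpipHardeningStatus {
    $current = Get-ItemProperty -Path $KeyPath
    foreach ($name in $Recommended.Keys) {
        $actual = $current.$name          # $null when the value has not been created yet
        [pscustomobject]@{
            Name        = $name
            Current     = $actual
            Recommended = $Recommended[$name]
            Compliant   = ($actual -eq $Recommended[$name])
        }
    }
}

# Apply: create missing values as DWORDs (steps 4-8 of the article), overwrite existing ones.
function Set-TcpipHardening {
    foreach ($name in $Recommended.Keys) {
        $existing = Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $existing) {
            New-ItemProperty -Path $KeyPath -Name $name -PropertyType DWord -Value $Recommended[$name] | Out-Null
        } else {
            Set-ItemProperty -Path $KeyPath -Name $name -Value $Recommended[$name]
        }
    }
}

$backup = Backup-TcpipParameters
Write-Host "Backup written to $backup"
Get-TcpipHardeningStatus | Format-Table -AutoSize   # review first; then run Set-TcpipHardening
```

Values under Tcpip\Parameters are read at stack initialization, so a reboot is needed before the audit shows the new settings in effect; on Windows Vista and later the TCP/IP stack handles SYN protection itself and ignores SynAttackProtect.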
