Domain Name System (DNS) is a required component for Active Directory and for most of the Internet-based services that run on our networks. DNS was designed for convenience (it replaces typing IP addresses and maintaining host files to locate systems over TCP/IP), not for security: queries and answers travel over UDP with no authentication, so a resolver has no built-in way to tell a genuine answer from a forged one. The security issues inherent in DNS are not Windows-specific; they apply to any DNS server.
If you're an IT consultant, it's almost certain that you'll have clients who need to address DNS-related security concerns quickly. I'll show you how to close the most common holes in the DNS service running on a Windows 2000 server.
First of two parts
The next article in this series on securing Windows 2000 DNS services will discuss best practices for implementing DNS in a Windows 2000 environment to minimize security risks.
Spoofing occurs when an intruder feeds a DNS server or client forged answers about a host, typically by sending crafted packets that impersonate a legitimate name server. Users who act on the forged answer are misdirected to the wrong system. Cache poisoning and recursive queries increase the likelihood of spoofing.
Cache poisoning occurs when a forged record is placed in a DNS server's cache and is then served from there to every client until its time to live expires. Consider a recursive query: a client asks a DNS server, say a Windows 2000 Active Directory server running DNS, for a record that is not in that server's cache. The server queries other DNS servers up the hierarchy on the client's behalf, caches the answer it gets, and returns it to the client. The problem is that while the server is waiting for that answer, it will accept any reply that arrives on the right port with a matching transaction ID and question, so an attacker who can guess or observe those values can deliver a forged answer ahead of the real one and have it cached. Replies can also carry extra records for names that the server being queried has no authority over, and an unprotected cache stores those too.
Denial of service
DNS servers, like any other Internet-facing server, are susceptible to denial of service (DoS) attacks. A DoS attack slows your server down or stops it answering altogether by flooding it with bogus queries. The flood can come from a single system or from many systems at once (a distributed denial of service, or DDoS, attack). A server that performs recursion for anyone on the Internet is an especially easy target, because each query it accepts costs it further queries to other servers.
Unrestricted zone transfers
A zone file holds the resource records for one domain: the address of every host the domain maintains, its name servers, its mail servers, and so on. Copying a zone from one DNS server to another is called a zone transfer; it is how secondary servers stay in sync with the primary. Unfortunately, DNS servers are often left configured so that any host can request a zone transfer. That means someone outside your organization can pull a complete inventory of your hosts and their addresses without authorization, which is exactly the reconnaissance an attacker wants before choosing a target.
What can you do?
You can make several quick configuration changes to the Windows 2000 DNS service to address these issues. Each is set in the DNS console; the same settings can also be applied from the command line with dnscmd from the Windows 2000 Support Tools, which helps when you have several servers to do. Let's take a look at those options.
Resolving cache poisoning
- Open the DNS console on a Windows 2000 server (Start Menu | Programs | Administrative Tools | DNS).
- Connect to the DNS server on which you want to make configuration changes.
- Select the name of the DNS server in the tree in the left pane.
- Right-click it and choose Properties.
- On the Advanced tab, select the check box for the Secure Cache Against Pollution option (see Figure A). With this set, the server caches only those records in a reply whose names fall within the domain tree it asked about; extra records for unrelated domains, the usual vehicle for poisoning, are discarded instead of cached.
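To make concrete what the Secure Cache Against Pollution option does, here is an added example (written for this article, not Microsoft's code) that models a resolver cache with and without the bailiwick check. The reply it ingests is constructed: it appears to come from the example.com name servers but smuggles in records for www.bank.example. The names, addresses and the in_bailiwick rule are assumptions made for illustration; the real server applies the same idea at the level of the domain tree it queried.

```python
# Added example (not Microsoft's implementation): models the rule behind the
# "Secure cache against pollution" option. The sample reply below is
# constructed and uses the reserved example.com / .example namespace.

def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    name = name.lower().rstrip(".")
    return name.split(".") if name else []

def _normalize(name):
    return ".".join(_labels(name))

def in_bailiwick(owner, zone):
    """True if `owner` is `zone` itself or a name below it.
    `zone` is the zone whose name server answered; records for names
    outside that subtree are not that server's to vouch for.
    Compared label by label so notexample.com is NOT under example.com."""
    o, z = _labels(owner), _labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z

class ResolverCache:
    """Minimal cache keyed by (owner, type). `secure` switches the filter on."""
    def __init__(self, secure):
        self.secure = secure
        self.store = {}

    def ingest(self, bailiwick, records):
        """Cache the records of one reply; returns the records dropped.
        `bailiwick` is the zone the responding server was queried for."""
        dropped = []
        for owner, rtype, rdata in records:
            if self.secure and not in_bailiwick(owner, bailiwick):
                dropped.append((owner, rtype, rdata))
                continue
            self.store[(_normalize(owner), rtype)] = rdata
        return dropped

    def lookup(self, owner, rtype):
        return self.store.get((_normalize(owner), rtype))

# Constructed reply from ns1.example.com, reached by following the delegation
# for example.com. The last two records are out of bailiwick: a server for
# example.com has no business telling us where bank.example lives.
RESPONSE_FROM_EXAMPLE_COM = [
    ("www.example.com.", "A", "192.0.2.10"),
    ("example.com.", "NS", "ns1.example.com."),
    ("ns1.example.com.", "A", "192.0.2.1"),
    ("www.bank.example.", "A", "198.51.100.66"),   # attacker-supplied
    ("bank.example.", "NS", "ns1.example.com."),   # attacker-supplied
]

def demo(secure):
    """Ingest the sample reply and report what a later client lookup for
    www.bank.example gets back (forged address or nothing), plus how many
    records the filter discarded."""
    cache = ResolverCache(secure=secure)
    dropped = cache.ingest("example.com.", RESPONSE_FROM_EXAMPLE_COM)
    return cache.lookup("www.bank.example", "A"), len(dropped)

if __name__ == "__main__":
    print("unprotected cache:", demo(secure=False))  # ('198.51.100.66', 0)
    print("secure cache:     ", demo(secure=True))   # (None, 2)
```

With the filter off, a single poisoned reply about example.com leaves the cache answering for www.bank.example with the attacker's address; with it on, the in-bailiwick records are still cached and only the two foreign records are thrown away.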
Logging updates and notifies
You can log two kinds of event to keep track of changes made to your Windows 2000 DNS servers: update events and notify events.
Update events occur when a record is dynamically updated on the DNS server. Notify events occur when one DNS server sends a notification message to a second DNS server to say that a zone has changed on the first, so the second can pull a fresh copy. Generally this occurs between a primary (master) server and its secondaries.
To log these events, open the Properties option for the DNS server in question using the same four steps you used when resolving cache poisoning. Instead of the Advanced tab, go to the Logging tab and mark the Notify and Update check boxes (see Figure B). The entries go to the Dns.log file in the %SystemRoot%\System32\Dns folder, so review that file regularly; a burst of update events you cannot account for is a sign that someone is registering records they should not be.
Prohibiting recursion
Recursion is the server resolving names it is not authoritative for on a client's behalf, and it is what exposes the cache to poisoning. In Windows 2000 it is controlled in two places. When forwarding is enabled, open the Forwarders tab of the server's Properties and mark the Do Not Use Recursion check box (see Figure C); the server will then send every such query to the listed forwarders only, instead of falling back to resolving it itself from the root hints when the forwarders fail to answer. To stop the server recursing for clients altogether, which is appropriate for an Internet-facing server that should answer only for your own zones, select Disable Recursion on the Advanced tab. Note: if the forwarder you point at is not itself willing to perform recursion for your server, names outside your own zones will stop resolving, so check the forwarder's configuration before you make this change, and remember that a server with recursion disabled cannot resolve Internet names for your internal clients.
Only allow secure, dynamic updates
The Windows 2000 DNS service allows clients to update their own host records dynamically in Active Directory-integrated zones. Such updates should be accepted only from authenticated clients and only when the update is protected against tampering in transit; Windows 2000 does this with Kerberos-signed (GSS-TSIG) updates, and it keeps an access control list on each record so that one computer cannot overwrite records registered by another. Secure-only update is available only for Active Directory-integrated zones, and whether a given zone has it turned on depends on how that zone was created, so check each zone rather than trusting the default.
To check this setting, access the Properties option for the zone in question. On the General tab, make sure that Only Secure Updates is selected in the Allow Dynamic Updates field (see Figure D). Choosing Yes instead accepts unauthenticated updates from anyone who can reach the server, which lets an attacker register or overwrite host records at will.
Restrict zone transfers
Another quick win is to limit which DNS servers can pull a zone transfer from your server. Access the Properties option for the zone in question. On the Zone Transfers tab, leave Allow Zone Transfers selected only if you actually have secondary servers, and then choose either Only To Servers Listed On The Name Servers Tab or Only To The Following Servers (see Figure E). If you choose to list the servers, type the IP address of each secondary. Keep in mind that this is an IP-address check, not authentication, so it belongs alongside a firewall rule that permits TCP port 53 to your server only from those secondaries. Afterward, verify the change from a host outside the allowed list: a zone transfer request for your domain should now be refused instead of returning your host list.
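The two settings above, restricting recursion and restricting zone transfers, are best confirmed from a host outside your network rather than trusted from the dialog box. The following added example (not from the original article) does that with the Python standard library: it sends the server a recursive query for a name you do not host (www.example.com is a constructed probe name) and reports whether the server went and fetched the answer, then attempts an AXFR of your zone over TCP and reports whether it was refused. The SAMPLE_* byte strings are constructed replies so the classification logic can be checked offline; the transaction IDs and the probe name are assumptions.

```python
# Added example (not from the original article): an external check that a DNS
# server refuses recursion for outside names and refuses zone transfers.
# Standard library only. The probe name www.example.com and the SAMPLE_*
# replies are constructed for this example.
import socket
import struct
import sys

QTYPE = {"A": 1, "AXFR": 252}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
         4: "NOTIMP", 5: "REFUSED"}

def encode_name(name):
    """Wire-encode a DNS name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(qname, qtype, txid, rd):
    """One-question DNS message; rd=True asks the server to recurse for us."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)

def parse_header(msg):
    """Decode the 12-byte header: the flags we care about plus answer count."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "ancount": an}

def classify_recursion(h):
    """Interpret the reply to a recursive query for a name we do not host."""
    if h["rcode"] == 5:
        return "refused"             # server declined to serve us at all
    if not h["ra"]:
        return "recursion-disabled"  # RA clear: it will not recurse for us
    if h["ancount"] > 0:
        return "open"                # it fetched the answer on our behalf
    return "inconclusive"

def classify_axfr(h):
    """Interpret the first message of an AXFR attempt."""
    if h["rcode"] == 5:
        return "refused"
    if h["rcode"] == 0 and h["ancount"] > 0:
        return "allowed"             # the zone is being handed to us
    return RCODE.get(h["rcode"], "rcode-%d" % h["rcode"])

def check_open_recursion(server, probe="www.example.com", timeout=3.0):
    q = build_query(probe, "A", txid=0x2A2A, rd=True)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    h = parse_header(data)
    if h["id"] != 0x2A2A or not h["qr"]:
        raise ValueError("reply does not match our query")
    return classify_recursion(h)

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf

def try_axfr(server, zone, timeout=5.0):
    """AXFR runs over TCP with a 2-byte length prefix on each message."""
    q = build_query(zone, "AXFR", txid=0x3B3B, rd=False)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        msg = _recv_exact(s, length)
    return classify_axfr(parse_header(msg))

# Constructed replies for offline checking: id 0x2A2A, QR+RD+RA, one answer
# (an open resolver); id 0x3B3B, QR with rcode REFUSED, no answers.
SAMPLE_OPEN_REPLY = struct.pack("!HHHHHH", 0x2A2A, 0x8180, 1, 1, 0, 0)
SAMPLE_REFUSED_REPLY = struct.pack("!HHHHHH", 0x3B3B, 0x8005, 1, 0, 0, 0)

if __name__ == "__main__":
    server, zone = sys.argv[1], sys.argv[2]
    print("recursion for outside names:", check_open_recursion(server))
    try:
        print("zone transfer of %s: %s" % (zone, try_axfr(server, zone)))
    except OSError as err:   # ConnectionError and socket timeouts included
        print("zone transfer of %s: connection failed (%s)" % (zone, err))
```

Run it as `python dnscheck.py <server-ip> <your-zone>` from outside the network. After the changes above you want "recursion-disabled" or "refused" for the first line and "refused" (or a closed connection) for the second; "open" or "allowed" means the corresponding dialog setting did not take, or a firewall is not in front of the server.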