March 22, 2022 University of Tulsa - Center for Information Security

Microsoft Windows 2000 DNS

History of DNS

• Before DNS: the Hosts.txt file
• For a good summary of the history of DNS: http://www.whmag.com/content/0601/dns/page3.asp

DNS Standard Documents

• These are listed on the web; the site below contains the RFC numbers and RFC drafts.
• http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dns/dnsstartpage_2lgl.asp?frame=true

What is DNS?

• Stands for Domain Name System
• Locator service that translates user-friendly names (such as www.utulsa.edu) into addresses that the network can recognize (129.244.1.91)
• Primary locator service for Active Directory; therefore considered a base service for both Windows 2000 and Active Directory

Example Using DNS

• Alice asks who is authoritative for all of the host names at site B
• Alice receives an answer such as “nmServerB”
• Alice asks nmServerB “What is Bob’s IP address?”
• nmServerB replies to Alice with Bob’s IP address
• With Bob’s IP address, Alice can begin direct communication with Bob

The Domain Namespace

• Tree data structure that contains DNS’s distributed database, indexed by domain names
– Each node has a text label different from those of all its siblings
• Domain name: the sequence of labels on the path from that node to the root
– Data associated with a domain name is stored in a resource record
• Domain: a subtree of the domain namespace

The Internet Domain Namespace

• Top-level domains: com, edu, gov, mil, net, org, int, arpa, and geographical designations (uk, us, bm, aq)
• Reading domain names:
– lithium.cchem.berkeley.edu
– www.utulsa.edu
– www.cis.utulsa.edu

Delegation

• Goal: decentralize administration
• Delegate administrative duties to subdomains
– Retain pointers to the sources of the subdomains’ data
– Queries can then be referred to the authority for the subdomain

Name Servers and Zones

• Programs that store information about the domain namespace are called name servers
• Name servers have complete information about some part of the domain namespace, called a zone
– The name server is then said to have authority over that zone

Types of Name Servers

• Primary master name server reads data for the zone from a file on its host
• Secondary master gets zone data from the name server that is authoritative for the zone
– Zone transfer: when the secondary master retrieves zone data from the primary master

Resolvers

• Clients that access name servers
• Handle:
– Querying the name server
– Interpreting responses
– Returning the information to the programs that requested it
• In Windows 2000, a resolver is a set of library routines

Resolution

• Resolution is the process of searching through the domain namespace to find data for which the name server is not authoritative
– Only requires the domain names and addresses of the root name servers
• Root name servers refer requests to the top-level domain server for the domain the name ends in
• In turn, each name server queried either provides the answer or refers the request to a “closer” name server

Recursion / Iteration

• Recursive query
– Places most of the burden of resolution on a single name server
– Queried name server is obliged to respond with the requested data or with an error (it can’t just refer the query to a different name server)
– A name server that receives a recursive query that it can’t answer itself will query the “closest known” name servers
• Iteration
– Name server gives the best answer it already knows
– If it can’t directly answer the query, the name server refers the query to the name servers listed in its local data

Choosing Between Authoritative Name Servers

• The Microsoft DNS Server uses round-trip time (RTT) to choose between name servers authoritative for the same zone
– RTTs are averaged in after each query
– The average is initially set very low so that each server gets queried before choosing favorites
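The RTT selection rule described on this slide, as an added example that is not code from the slides or from the Microsoft DNS Server: a selector that keeps a running RTT average per authoritative server, starts every average very low, and always asks the lowest-average server. The server names, RTT values, initial average and averaging weight are constructed for the example; the real server's constants are not on the page.

```python
class ServerSelector:
    """Keep a running RTT average per authoritative server and always query the
    one with the lowest average. Averages start very low so that every server
    is tried once before the selector settles on a favorite."""

    INITIAL_RTT = 0.0    # constructed: stands in for the "very low" initial average
    WEIGHT = 0.5         # constructed: share of the newest sample in the running average

    def __init__(self, servers):
        self.avg = {s: self.INITIAL_RTT for s in servers}
        self.samples = {s: 0 for s in servers}

    def choose(self):
        """Lowest average wins; ties (all untried servers) break by name."""
        return min(self.avg, key=lambda s: (self.avg[s], s))

    def record(self, server, rtt):
        """Average the measured RTT in after each query."""
        if self.samples[server] == 0:
            self.avg[server] = float(rtt)           # first real sample replaces the placeholder
        else:
            self.avg[server] = (1 - self.WEIGHT) * self.avg[server] + self.WEIGHT * rtt
        self.samples[server] += 1

def simulate(selector, true_rtt, n_queries):
    """Issue n_queries; each chosen server answers with its constructed true RTT.
    Returns the servers chosen, in order."""
    chosen = []
    for _ in range(n_queries):
        server = selector.choose()
        selector.record(server, true_rtt[server])
        chosen.append(server)
    return chosen
```

With three servers the first three queries go to each server once; afterwards the fastest is favored until its measured RTT rises above another server's average.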

Mapping Addresses to Names

• Forward (names to addresses)
– Straightforward search through a host table on the name server
• Reverse (addresses to names)
– in-addr.arpa domain
– Portion of the Internet domain namespace that uses addresses as labels
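The resolution walk described on the Resolution, Recursion / Iteration and Mapping Addresses to Names slides (and the Alice/Bob exchange earlier), as an added example that is not part of the original deck: a miniature iterative resolver over constructed zone data that starts at a root server, follows referrals to closer servers, and answers reverse queries through in-addr.arpa. Every server name (root1, edu-tld, nmServerB, arpa-srv), record and address below is constructed for the example.

```python
# Constructed data: server -> the zone it is authoritative for and its records.
# ("NS", server) delegates a subdomain; ("A", addr) / ("PTR", name) are answers.
SERVERS = {
    "root1": {"zone": "", "records": {"edu": ("NS", "edu-tld"),
                                      "in-addr.arpa": ("NS", "arpa-srv")}},
    "edu-tld": {"zone": "edu", "records": {"utulsa.edu": ("NS", "nmServerB")}},
    "nmServerB": {"zone": "utulsa.edu",
                  "records": {"bob.utulsa.edu": ("A", "129.244.1.91"),
                              "www.utulsa.edu": ("A", "129.244.1.90")}},
    "arpa-srv": {"zone": "in-addr.arpa",
                 "records": {"91.1.244.129.in-addr.arpa": ("PTR", "bob.utulsa.edu")}},
}
ROOT_SERVER = "root1"   # all a resolver needs to know up front: a root server

def in_zone(qname, zone):
    return zone == "" or qname == zone or qname.endswith("." + zone)

def best_answer(server, qname):
    """Iteration as the slide describes it: the best answer this server already
    knows. ("A"/"PTR", data) is an authoritative answer, ("NS", server) a referral
    to the closest known server, ("NXDOMAIN", None) an authoritative "no such name"."""
    srv = SERVERS[server]
    labels = qname.split(".")
    for i in range(len(labels)):                   # longest matching suffix first
        rec = srv["records"].get(".".join(labels[i:]))
        if rec and (rec[0] == "NS" or i == 0):     # a delegation, or the exact name
            return rec
    if in_zone(qname, srv["zone"]):
        return ("NXDOMAIN", None)                  # authoritative negative answer
    return ("NS", ROOT_SERVER)                     # not our zone: restart at the root

def resolve(qname, max_hops=10):
    """The resolver's loop: ask a root server, follow each referral to a closer
    server, stop at an answer or an authoritative negative. Returns (data, path)."""
    server, path = ROOT_SERVER, []
    for _ in range(max_hops):
        path.append(server)
        kind, data = best_answer(server, qname)
        if kind in ("A", "PTR"):
            return data, path
        if kind == "NXDOMAIN":
            return None, path
        server = data                              # follow the referral
    raise RuntimeError("too many referrals resolving %s" % qname)

def reverse_name(ip):
    """Reverse mapping: the octets reversed under in-addr.arpa, so the same
    forward-style walk through the namespace answers an address-to-name query."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
```

A recursive server would run the same resolve() loop on the client's behalf and hand back only the final answer or error, which is the burden shift the Recursion slide describes.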

Caching

• Saves information about previous resolution processes
• The Microsoft DNS Server even implements negative caching: if an authoritative name server responds to a query saying the domain name doesn’t exist, this information is cached as well
• Cached data is given a time to live (TTL)
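Negative caching with a TTL, as on this slide, as an added example that is not code from the slides or the Microsoft DNS Server: a resolver cache that stores both positive answers and "does not exist" answers and drops each once its TTL has passed. The clock, the record, the TTL values and the authoritative_lookup stand-in for a real name server are constructed for the example.

```python
class DnsCache:
    """Resolver cache holding positive answers and negative ("no such name")
    answers, each kept only until its TTL expires."""

    def __init__(self, now=0):
        self.now = now               # constructed clock in seconds, advanced by tick()
        self.entries = {}            # name -> (answer or None for negative, expires_at)
        self.upstream_queries = 0    # how often we had to go back to the name server

    def tick(self, seconds):
        self.now += seconds

    def lookup(self, name, resolve_upstream):
        """Return (answer, served_from_cache). A cached negative entry answers
        "does not exist" without re-querying, exactly like a cached positive one."""
        entry = self.entries.get(name)
        if entry is not None and entry[1] > self.now:
            return entry[0], True
        self.entries.pop(name, None)                 # absent or expired
        answer, ttl = resolve_upstream(name)         # (data or None, TTL in seconds)
        self.upstream_queries += 1
        self.entries[name] = (answer, self.now + ttl)
        return answer, False

# Constructed authoritative data standing in for a real name server: known names
# carry their own TTL; unknown names come back as nonexistent with a negative TTL.
AUTHORITATIVE = {"www.utulsa.edu": ("129.244.1.91", 3600)}
NEGATIVE_TTL = 300

def authoritative_lookup(name):
    return AUTHORITATIVE.get(name, (None, NEGATIVE_TTL))
```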

Securing Microsoft Windows 2000 DNS

• From the NSA Security Recommendations for Windows 2000
• http://nsa1.www.conxion.com/win2k/download.htm

Zone Information Security

• Converting to an Active Directory Integrated Server
• Zone File and Registry Security

Converting to an Active Directory Integrated Server

• Requires the DNS server to be on a Windows 2000 Domain Controller
• Change the zone type to Active Directory-integrated
– Zone information is stored, replicated, and secured in the Active Directory
– Choose the “only secure updates” option for Dynamic Updates
– Recommended

Zone File and Registry Security

• If zone information is not stored in Active Directory, the zone files should be secured
– Folder: “%SystemDirectory%\DNS”
– User Groups: System
– Recommended Permissions: Full Control
• All DNS servers should have the registry secured
– Key: “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS”
– User Groups: Administrator, System
– Recommended Permissions: Full Control for both groups

Controlling Zone Transfers

• Four options for zone transfers
– Do not allow zone transfers
  • Can still receive zone transfers and can respond to DNS queries
– Allow zone transfers to any server
  • Not recommended
– Allow zone transfers to all servers listed in the Name Servers property tab
  • Recommended when zone transfers will only be done within one domain
– Allow zone transfers to a specific list of IP addresses
  • Recommended when communicating between protected DNS servers and a DNS server that can be accessed from the internet
• Never transfer the forward lookup zone containing Active Directory records to any server that can be accessed via the internet
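The four zone-transfer settings and the rule about Active Directory records, as an added example that is not code from the slides or the NSA guide: a small policy model that decides whether a transfer request should be served and audits a set of zones for the settings the slide advises against. Zone names, addresses, the transfer_mode strings and the internet-reachable flag are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Zone:
    name: str
    transfer_mode: str      # "none" | "any" | "name_servers" | "list" (the four options)
    name_servers: set = field(default_factory=set)   # addresses on the Name Servers tab
    allowed_ips: set = field(default_factory=set)    # the specific list of IP addresses
    holds_ad_records: bool = False                   # forward zone with Active Directory records

def transfer_allowed(zone, requester_ip, internet_reachable):
    """Decide whether a zone-transfer request from requester_ip should be served.
    internet_reachable: whether the requesting server can be reached from the
    internet, which the slide rules out entirely for the AD forward lookup zone."""
    if zone.holds_ad_records and internet_reachable:
        return False                                 # never, whatever the mode
    if zone.transfer_mode == "none":
        return False                                 # can still receive transfers and answer queries
    if zone.transfer_mode == "any":
        return True                                  # the "not recommended" setting
    if zone.transfer_mode == "name_servers":
        return requester_ip in zone.name_servers
    if zone.transfer_mode == "list":
        return requester_ip in zone.allowed_ips
    raise ValueError("unknown transfer mode: %r" % zone.transfer_mode)

def audit(zones, internet_reachable):
    """Flag settings the slide advises against: 'any' mode, and an AD forward
    zone whose transfer targets include an address reachable from the internet."""
    findings = []
    for z in zones:
        if z.transfer_mode == "any":
            findings.append("%s: transfers allowed to any server" % z.name)
        targets = {"name_servers": z.name_servers,
                   "list": z.allowed_ips}.get(z.transfer_mode, set())
        if z.holds_ad_records and (z.transfer_mode == "any" or targets & internet_reachable):
            findings.append("%s: AD records transferable to an internet-reachable server" % z.name)
    return findings
```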

DNS Server Configurations

• Several deployment methods for DNS in a Win2K environment
• DNS in an Enclosed Environment
• DNS with an Internet Presence
• DNS with an Internet Presence with Reverse Lookup Requirements
• DNS with an Internet Presence with Forward and Reverse Lookup Zone Requirements

DNS in an Enclosed Environment

• External router and firewall should block all DNS traffic (UDP and TCP port 53)
• DNS zones should be made Active Directory Integrated and only allow zone transfers to servers listed in the Name Servers tab

DNS with an Internet Presence

• Separate the external DNS server from the DNS servers that are being utilized for the Windows 2000 domain
• Secure zone transfers to a specific list of servers, or no servers. If several servers are used within one DNS domain, then control transfers using the Name Servers tab
• Secure the file system and registry
• Disable all unnecessary services
• Disable dynamic updates
• Internet name resolution from the internal network can be provided by forwarding requests to the external DNS server

DNS with an Internet Presence with Reverse Lookup Requirements

• Disconnected Reverse Lookup Zone
– Add a reverse lookup zone to the external DNS server that contains a list of all the internal network IP addresses
– Match each IP with a fictitious client name with the appropriate extension. This allows the IPs to be verified.
– Recommended
• Secondary Reverse Lookup Zone
– Add a reverse lookup zone to the external DNS server as a secondary zone to the internal network.
– Add the external server to the list of valid DNS servers to allow zone transfers to on one internal DNS server.
– Configure the router and firewall to allow communication between the external and internal DNS servers.
– Will show the internal server’s Start of Authority record in the reverse lookup zone

DNS with Internet Presence with Forward & Reverse Lookup Zone Requirements

• This configuration is not recommended, but may be necessary.
– Exposes server records to the internet
– Allows attackers to completely map the internal network
• Use a secure tunneling protocol between sites to secure zone transfers and protect the internal DNS server records. (Good)
• Add only the specific server records that are required for the network to function to the external DNS servers. (Worse)
• Configure one external DNS server’s forward and reverse lookup zones to be secondary zones of one internal DNS server’s zones. (Worst)

Router and Firewall Settings

• DNS traffic: port 53 (UDP and TCP)
– UDP 53: client queries
– TCP 53: zone transfers
• Zone transfers are not necessary outside the protected network
– TCP 53 should be disabled at the internal, external, firewall, and DMZ routers
• If DNS is configured to allow zone transfers between internal and external servers, then the internal router, firewall, and DMZ routers should allow connections on TCP 53 between those two servers only

Questions?