
Securing Windows 2000 DNS by Using Configuration


8/14/2019 Securing Windows 2000 DNS by Using Configuration

http://slidepdf.com/reader/full/securing-windows-2000-dns-by-using-configuration 1/6

Securing Windows 2000 DNS by using configuration (Part 2)

Several configuration methods and a quick configuration guide have been devised to assist organizations in the secure configuration of their DNS servers. This document is intended to provide clarification when enabling the operational configuration requirements of the organization's configuration of secure DNS.

This white paper focuses on using DNS configuration with the intent to secure DNS. A previous white paper has been written on DNS security design, and reading both white papers will allow a more holistic view of DNS security. Click here to read Part 1. This white paper demonstrates the importance of securing your Windows network's DNS service and the features, functionality and security of the DNS server by manipulating configuration. Several configuration methods and a quick configuration guide have been devised to assist organizations in the secure configuration of their DNS servers. This document is intended to provide clarification when enabling the operational configuration requirements of the organization's configuration of secure DNS. Knowing that Windows 2000 and above relies heavily on the functioning of DNS, your focus should be on securing your valuable DNS server. Windows DNS is one of the fundamental services used by all Windows 2000 networks that conform to the domain or forest tree model. It is a good idea to keep this service as secure as possible, as most of your server services, like Microsoft ISA, Exchange 2000, and any other communication software, have serious dependencies on the flawless execution of the DNS service.

DNS and the operating system.

Irrespective of which operating system is chosen, it is imperative that the operating system be hardened. When a Windows system is installed you will find that administrative shares and printers are covertly available to anyone who understands how to manipulate the system. It is imperative that all unused accounts be removed from the installed machine, that the administrative account be renamed on the machine, and that a dummy account called administrator be created with the lowest privileges available. All default shares should be unshared and unused services stopped. A DNS server should be dedicated only to DNS. This will ensure that no other software is installed on the machine that may have vulnerabilities latent within it. Ensure that the multitude of hotfixes and security patches have been applied to the DNS server.

Configuration considerations.

1. Ensure that the operating system has all the latest service packs applied to it.

2. Ensure that the administrator account is well protected.

3. Ensure that the DNS machine has been configured so that no service other than DNS is running.


The diagram above depicts how NAT shows the outside world only the public IP address of the DNS server.

Secure router configuration

When configuring your router, the configuration should be written so that the IP route to your DNS server allows only TCP and UDP port 53 access to the IP address of the DNS server. In this way both the router and the firewall drop any packet destined for the router that is not a DNS query.
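As an added illustration (not part of the original white paper), the following Python models the router rule above as an ordered, first-match access list with an implicit deny at the end, which is how router ACLs are evaluated, and runs constructed packets through it. The DNS server address 192.0.2.53 and the client addresses are constructed values from the documentation ranges; the `Rule` and `Packet` types and the `evaluate` function are this example's own.

```python
"""Model of the router rule for the DNS host as a first-match access list (added example)."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

DNS_SERVER = "192.0.2.53"        # constructed address of the DNS host (documentation range)


class Rule(NamedTuple):
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", or "ip" for any protocol
    src: str                     # CIDR the source address must fall in
    dst: str                     # CIDR the destination address must fall in
    dport: Optional[int]         # destination port, or None for any port


class Packet(NamedTuple):
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


# The paper's rule for the route to the DNS server: only TCP and UDP to port 53
# may reach its address; everything else aimed at it is dropped.
INBOUND_TO_DNS = [
    Rule("permit", "udp", "0.0.0.0/0", DNS_SERVER + "/32", 53),
    Rule("permit", "tcp", "0.0.0.0/0", DNS_SERVER + "/32", 53),
    Rule("deny", "ip", "0.0.0.0/0", DNS_SERVER + "/32", None),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule accepts the packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(acl, pkt: Packet) -> str:
    """Router ACL semantics: the first matching rule decides; no match means implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed traffic samples (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).
SAMPLE_PACKETS = {
    "udp query to dns": Packet("udp", "198.51.100.7", DNS_SERVER, 40001, 53),
    "tcp query to dns": Packet("tcp", "198.51.100.7", DNS_SERVER, 40002, 53),
    "rpc to dns host": Packet("tcp", "198.51.100.7", DNS_SERVER, 40003, 135),
    "icmp to dns host": Packet("icmp", "198.51.100.7", DNS_SERVER, 0, 0),
    "reply to dns host": Packet("udp", "203.0.113.9", DNS_SERVER, 53, 40004),
}


def run_samples():
    """Decision for each sample packet under the inbound list."""
    return {name: evaluate(INBOUND_TO_DNS, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:20} -> {decision}")
```

The list covers the inbound direction only. On a stateless router the same reasoning has to be applied to replies: if the DNS server forwards or resolves queries itself, the answers come back from source port 53 to a high port on the DNS host, and the list above drops them (the last sample packet shows this). A stateful firewall tracks those replies on its own; a plain ACL needs an explicit rule for them.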

The following has been devised as a comprehensive checklist summarizing the suggested configuration of Windows 2000 DNS.

DNS in an Enclosed Environment

1. Disable any unused services.

2. Make DNS zones Active Directory Integrated.

3. Transfer zones to servers listed in the Name Servers tab only.

4. Block both UDP and TCP port 53 at external routers and firewalls.

Figure A: the diagram above depicts DNS in a closed environment. Web-based DNS requests are forwarded to the Internet and internal DNS requests are forwarded to the internal DNS server. Keeping the two DNS servers separate has great security advantages.


DNS with an Internet Presence

1. A separate External DNS should handle Internet DNS requests.

2. Disable any unused services.

3. Leave the HINFO information unconfigured, as it can reveal pertinent information about the server platforms to intruders who need this information for the purpose of finding a software exploit that matches the operating system or software that you are running.

4. Set the permissions on the %SystemDirectory%\DNS folder, its subfolders and files to allow only System Full Control.

5. Set the ACL on HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS to System Full Control.
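The HINFO point in item 3 is easiest to verify from the wire: a resolver that asks the server for HINFO gets back a CPU string and an OS string in clear text. The following Python is an added example, not the white paper's own material. It builds two constructed DNS responses (one carrying an HINFO record, one carrying only an A record, using the documentation name example.test and the 192.0.2.0/24 range), parses the message format including name compression pointers, and reports any HINFO records found. The parser is generic, so the same `parse_records` can be pointed at any captured response from your own server; the `find_hinfo` and `build_response` names are this example's own.

```python
"""Offline check for HINFO disclosure in DNS responses (added example, not the paper's code)."""
import struct

TYPE_A = 1
TYPE_HINFO = 13          # RFC 1035 HINFO: <CPU> <OS> as two character-strings
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, qtype, answers):
    """Build a minimal answer message; answers are (owner, rtype, ttl, rdata).
    An owner equal to qname is written as a compression pointer to offset 12
    (the question name) so the parser's pointer handling is exercised."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    for owner, rtype, ttl, rdata in answers:
        owner_bytes = b"\xc0\x0c" if owner == qname else encode_name(owner)
        body += owner_bytes + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return header + body


def hinfo_rdata(cpu, os_name):
    """HINFO rdata: two length-prefixed character-strings."""
    return bytes([len(cpu)]) + cpu.encode("ascii") + bytes([len(os_name)]) + os_name.encode("ascii")


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > 64:                              # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                       # the field ends at the first pointer
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_records(msg):
    """Return every resource record as (owner, type, ttl, rdata), question section skipped."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        _, offset = read_name(msg, offset)
        offset += 4                                    # qtype + qclass
    records = []
    for _ in range(an + ns + ar):
        owner, offset = read_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        records.append((owner, rtype, ttl, msg[offset:offset + rdlen]))
        offset += rdlen
    return records


def find_hinfo(msg):
    """List (owner, cpu, os) for every HINFO record the response carries."""
    found = []
    for owner, rtype, _, rdata in parse_records(msg):
        if rtype == TYPE_HINFO:
            cpu_len = rdata[0]
            cpu = rdata[1:1 + cpu_len].decode("ascii")
            os_len = rdata[1 + cpu_len]
            os_name = rdata[2 + cpu_len:2 + cpu_len + os_len].decode("ascii")
            found.append((owner, cpu, os_name))
    return found


# Constructed sample responses for the checks below.
QNAME = "ns1.example.test."
LEAKY_RESPONSE = build_response(QNAME, TYPE_HINFO, [
    (QNAME, TYPE_HINFO, 3600, hinfo_rdata("INTEL-686", "WINDOWS 2000 SERVER")),
])
CLEAN_RESPONSE = build_response(QNAME, TYPE_A, [
    (QNAME, TYPE_A, 3600, bytes([192, 0, 2, 53])),
])

if __name__ == "__main__":
    for label, msg in (("leaky", LEAKY_RESPONSE), ("clean", CLEAN_RESPONSE)):
        print(label, find_hinfo(msg))
```

An empty list from `find_hinfo` on the responses your server gives for its own host names is the state item 3 asks for; any tuple returned is platform information the zone is handing out to whoever asks.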

Figure B: The diagram above depicts DNS in an environment with an Internet presence. Queries are sent into the DMZ and then forwarded back to the ISP DNS server.

Secure the Internal DNS

1. Disable any unused services.

2. Block UDP and TCP port 53 at peripheral routers and firewalls.

3. When using zone transfers, allow TCP port 53 through the peripheral routers and firewalls connecting the Internal and External DNS servers only.

4. Convert DNS zones to Active Directory Integrated zones.

5. Only allow zone transfers to servers listed in the Name Servers tab. Don't allow transfers of forward lookup zones to External DNS servers.

6. Only allow transfers of Reverse Lookup Zones to External DNS servers if necessary.

Conclusion

By configuring DNS for secure execution, security professionals can uphold the integrity of their DNS machines. This in turn increases the reliability and productivity of the DNS server and ensures that organizational communication flows through in abundance. A multitude of patches and hotfixes are released constantly, and keeping up to date with these will increase your level of protection by at least twofold. If your configuration is incorrect, no level of hotfix will fix that, and this statement highlights the importance of secure configuration. A great tool that can be used on your machines to look for vulnerabilities and keep you abreast of vulnerabilities is LANguard by GFI. This tool takes the pain out of the task of keeping a system manageable and cost effective. Looking for additional vulnerabilities on security websites like windowsecurity.com also helps you to keep up to date with the latest security fads; keep it up, because if you are not prepared, rest assured there is an abundance of intruders that are.

DNS and its functions.

DNS is used by Active Directory to locate domain controllers and to resolve IP addresses into FQDNs (fully qualified domain names). It cannot be stressed enough that without a fully functional DNS structure Active Directory will not function as intended. There are various security settings that can be manipulated when using the Windows 2000 Domain Name System (DNS) Server service. In many cases the leverage is in how the DNS has been designed and secured.

Note: recommendations are made throughout this white paper, and in order to follow them through, part of the process is to run with the recommendation in a test lab environment. This quality assurance process should shadow your production system closely. After you are happy with the process of the recommendation, it is up to you to transfer the application of the theory onto your production environment.