Advanced Windows Server 2012 DNS configuration options
Windows Server 2012 offers some advanced configuration options that allow you to improve the security and performance of your DNS infrastructure. Let’s review some of them:
DNS Security Extensions (DNSSEC). The DNS protocol has no built-in capability to authenticate or check the integrity of the DNS information that is exchanged between DNS servers or delivered to DNS clients. This well-known weakness can be exploited by attackers to hijack name resolution while users are trying to reach a website on the Internet. The attacker’s goal may be to take control of the process and redirect the user’s browser to a phony scam website that asks the user to enter personal information such as a username, password, credit card, bank account or social security number. DNSSEC uses Public Key Infrastructure (PKI) certificates with the DNS protocol so that DNS servers can validate DNS responses. With DNSSEC, an administrator can digitally sign a DNS zone, which digitally signs all the records within that zone.
When a DNS query is issued for a resource record in a signed zone, a digital signature is returned with the response so that validation can be performed. The validation process ensures that the data has not been modified or tampered with and can be trusted by the DNS resolver.
DNSSEC Resource Records
New resource record types are associated with DNSSEC. The signatures generated when DNSSEC is implemented are stored within the DNS zone as Resource Record Signature (RRSIG) records. When the DNS server responds to a name resolution query, one or more RRSIG records are returned in the response. The signature is verified with a public cryptographic key stored in a DNSKEY resource record, which the validating DNS server retrieves during the validation process. If no matching resource record exists, there is no RRSIG record to return, yet the negative response must still be validated; in that case the Next Secure (NSEC) records are used. A validator can use the NSEC record as proof that the name does not exist. NSEC3 is an improved alternative to NSEC; both are supported by Windows Server 2012.
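The following is an added example, not code from the original article: it signs a zone with the default DNSSEC settings using the Windows Server 2012 DnsServer module, counts the DNSSEC record types described above, and then issues a query with the DNSSEC OK (DO) bit set so the RRSIG records appear in the answer. The zone name corp.example.com is a placeholder; the record type names are those accepted by the module’s -RRType parameter.

```powershell
# Added example (not from the original article). Assumptions: the zone
# 'corp.example.com' is a placeholder for a zone hosted on this server, and
# this runs in an elevated PowerShell session on the DNS server itself.
Import-Module DnsServer

$zone = 'corp.example.com'

# Sign the zone with the default settings (the server generates its own
# key signing key and zone signing key).
Invoke-DnsServerZoneSign -ZoneName $zone -SignWithDefault -Force

# The zone now carries the DNSSEC record types discussed above. Either NSEC
# or NSEC3 will show a non-zero count, depending on which the zone uses.
foreach ($type in 'DnsKey', 'RRSig', 'NSec', 'NSec3') {
    $records = Get-DnsServerResourceRecord -ZoneName $zone -RRType $type -ErrorAction SilentlyContinue
    '{0,-8} {1,5} record(s)' -f $type, @($records).Count
}

# Query the server with the DNSSEC OK (DO) bit set. A signed zone returns the
# RRSIG alongside the A record so that a validating resolver can check it.
Resolve-DnsName -Name "www.$zone" -Type A -Server localhost -DnssecOk |
    Select-Object Name, Type, TTL, Section
```

Run the last query without -DnssecOk to see that a client that does not request DNSSEC data receives only the plain A record; the signatures are only sent to resolvers that ask for them.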
Trust Points and Name Resolution Policy Table
Two important components of a DNSSEC implementation are Trust Points and the Name Resolution Policy Table.
Trust Points. These provide a way to share the public key used to validate the RRSIG record’s digital signature with other trusted DNS servers. If the DNS server is running on a domain controller, trust points can be stored in the forest directory partition in Active Directory Domain Services (AD DS) from which they can be replicated to all DNS servers running on domain controllers in the forest.
Name Resolution Policy Table (NRPT). It lists the zones or namespaces that perform DNSSEC queries and those that do not. You can use either Group Policy or Windows PowerShell to configure the NRPT so that DNSSEC validation is required on DNS responses for selected namespaces.
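As an added example that is not part of the original article, the script below first confirms that the local DNS server holds a trust anchor for a signed zone (the trust point described above), then adds a local NRPT rule requiring DNSSEC validation for that namespace and checks the resulting policy. The zone name corp.example.com is a placeholder; in production the NRPT rule would normally be distributed through Group Policy rather than added on one machine.

```powershell
# Added example (not from the original article). Assumptions: the signed zone
# is the placeholder 'corp.example.com', its trust anchor has already been
# distributed to this server, and this runs in an elevated PowerShell session.
Import-Module DnsServer
Import-Module DnsClient

$zone = 'corp.example.com'

# 1. A server can only validate RRSIG signatures for a zone if it holds a
#    trust anchor (trust point) for that zone. Stop if there is none.
$anchors = Get-DnsServerTrustAnchor -Name $zone -ErrorAction SilentlyContinue
if (-not $anchors) {
    throw "No trust anchor for $zone on this server; validation cannot be required yet."
}
$anchors | Format-Table -AutoSize

# 2. Add a local NRPT rule: every query in the namespace must be DNSSEC
#    validated. The leading dot makes the rule match the whole suffix.
Add-DnsClientNrptRule -Namespace ".$zone" `
                      -DnsSecEnabled `
                      -DnsSecValidationRequired `
                      -Comment 'Require DNSSEC validation (added example)'

# 3. Show the effective policy for the namespace.
Get-DnsClientNrptPolicy |
    Where-Object Namespace -eq ".$zone" |
    Format-List Namespace, DnsSecValidationRequired

# 4. Test resolution. With validation required, a response whose signature
#    cannot be validated is treated as a resolution failure rather than used.
Resolve-DnsName -Name "www.$zone" -Type A
```

The same rule set through Group Policy lives under Computer Configuration, Policies, Windows Settings, Name Resolution Policy; Get-DnsClientNrptPolicy shows the merged result of local and Group Policy rules, which is the value to check when troubleshooting.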
DNS Socket Pool and Cache Locking
DNSSEC is designed to protect the DNS clients’ name resolution queries from forged DNS data, including DNS cache poisoning. Socket Pool and Cache Locking are two more advanced configuration options that may help strengthen your DNS security.
DNS Socket Pool. This feature allows the DNS server to use a random source port from a preconfigured range when sending DNS queries. Because the same port is not reused for each new query, the socket pool improves protection against DNS cache poisoning attacks.
Cache Locking. When cache locking is enabled, the DNS server will not allow cached records to be overwritten for the duration of the time to live (TTL) value on the DNS record. This feature protects the DNS cache records against possible DNS cache poisoning attacks by malicious users on the Internet.
Cache locking is configured as a percentage. If you set the cache locking value to 75, the DNS server will not overwrite a cached entry for 75% of the TTL. By default, the cache locking percentage is 100, meaning that cached entries are not overwritten for the entire duration of the TTL.
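The following added example (not code from the original article) reviews and adjusts both settings on a Windows Server 2012 DNS server: it reads the cache locking percentage, sets it to the 75 used in the text above, restores the default of 100, and then checks and enlarges the socket pool with dnscmd, which is how the socket pool size is exposed. The excluded port range 5300-5400 is a constructed value standing in for ports a local service might need.

```powershell
# Added example (not from the original article). Assumption: runs in an
# elevated PowerShell session on the DNS server. The socket pool change
# takes effect only after the DNS service restarts.
Import-Module DnsServer

# --- Cache locking ---------------------------------------------------------
# LockingPercent is the share of each record's TTL during which a cached
# entry cannot be overwritten by data arriving in an unsolicited response.
"Cache locking before: $((Get-DnsServerCache).LockingPercent)%"

# The article's example value: entries are protected for 75% of their TTL.
Set-DnsServerCache -LockingPercent 75
"Cache locking at 75:  $((Get-DnsServerCache).LockingPercent)%"

# The default of 100 protects entries for the full TTL and is the stronger
# setting; lower it only if stale records are a real operational problem.
Set-DnsServerCache -LockingPercent 100
"Cache locking after:  $((Get-DnsServerCache).LockingPercent)%"

# --- Socket pool -----------------------------------------------------------
# The pool size is the number of random source ports reserved for outgoing
# queries (default 2500, maximum 10000). A larger pool makes the source port
# harder to guess for a cache poisoning attempt.
dnscmd /Info /SocketPoolSize

# Raise the pool to 5000 ports and keep a constructed range (5300-5400) out
# of the pool so a local service listening there is not disturbed.
dnscmd /Config /SocketPoolSize 5000
dnscmd /Config /SocketPoolExcludedPortRanges 5300-5400

Restart-Service -Name DNS
dnscmd /Info /SocketPoolSize
```

Restarting the DNS service interrupts resolution briefly, so schedule the socket pool change accordingly; the cache locking change applies immediately without a restart.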