Logo
programming4us
programming4us
programming4us
programming4us
Home
programming4us
XP
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server
programming4us
Windows Phone
 
Windows Server

Windows Server 2012 : Implementing DNSSEC (part 1) - Benefits of DNSSEC, DNSSEC in previous Windows Server versions

- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019
5/2/2014 2:50:33 AM

DNS provides a user-friendly way of naming hosts and services on a TCP/IP network. DNS servers perform name resolution to convert DNS names into IP addresses so that DNS clients can access network services. DNS servers thus play a critical role in enabling users and applications to locate hosts and services on the network or on the Internet. However, no authentication or integrity checking is done when name resolution is being performed using traditional DNS. As a result, communications between DNS clients and servers is inherently insecure, and by spoofing DNS traffic or otherwise poisoning the DNS cache on clients, an attacker could hijack network communications and redirect users and applications to malicious sites and services.

To help organizations address this problem, Windows Server 2012 includes enhanced support for DNS Security Extensions (DNSSEC), a suite of extensions that add security to the DNS protocol by enabling DNS servers to validate DNS responses. In a practical sense, this enables users to be confident that the site they are accessing on their corporate intranet is in fact the site they believe it to be, and not some malicious site masquerading as a legitimate site. This lesson helps you understand the benefits of DNSSEC, how it works, and how to implement it in an Active Directory environment based on Windows Server 2012.

Benefits of DNSSEC

DNS is used for locating resources on a TCP/IP network and the Internet. For example, when a user types www.bing.com into the address bar of Internet Explorer, the DNS client on the user’s computer sends a name query request to a DNS server. The DNS server then either responds with the IP address for the site being accessed (Bing) or forwards the query to another DNS server for consideration. When the client has the site’s IP address, it can access the site to download content.

But the question arises, how can the user or application be confident that the site being accessed is genuine and not some fake site masquerading as the real one? To a certain extent, the Secure Sockets Layer (SSL) protocol already does this. SSL is used whenever the user or application accesses a resource using Secure HTTP (HTTPS).SSL does this by authenticating the site being accessed and encrypting the data returned over the network. However, SSL is of no use if the DNS server being queried returns a spoofed IP address instead of the real one. This could be accomplished, for example, if a malicious DNS server intercepted name-resolution traffic and inserted a spoofed response to a query from a DNS client or a recursive DNS server. And not only could such an attack hijack a particular DNS session, it would also poison the local DNS cache on the client server, recursive server, or both, which could lead to further erroneous responses to name-resolution requests until the cache data expired.

To address these issues, the Internet Engineering Task Force (IETF) developed DNSSEC to add a layer of security to the inherently insecure DNS protocol. Specifically, DNSSEC helps prove two things:

  • The information the client is accessing is coming from the correct source. In other words, it confirms the authority of the originator of the data being returned by a DNS server.

  • The information you have received is the same as the information that was sent. In other words, it confirms the integrity of the data being returned by a DNS server.

DNSSEC also provides authenticated denial of existence when the information the client is trying to access does not exist. In other words, it provides proof that the site being requested really doesn’t exist.

What DNSSEC does not provide is confidentiality of the data being returned by a DNS server. In other words, it does not guarantee that the data hasn’t been intercepted and examined while en route to the client. DNSSEC also does not provide any protection against a distributed denial of service (DDoS) attack against an organization’s DNS infrastructure. So while DNSSEC provides two of the requirements of the information security CIA triad (Confidentiality, Integrity, and Availability), it is not in itself a complete solution to the problem of protecting an organization’s DNS infrastructure and traffic.

Note

Why you should deploy DNSSEC

There are several reasons why organizations today need to consider deploying DNSSEC in their Windows Server–based environments:

  • DNSSEC provides protection from DNS cache poisoning and other types of attacks that can compromise an organization’s security.

  • DNSSEC provides an additional layer of security for enterprises that have private clouds deployed or use extranets for business communications.

  • Revision 3 of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 mandates the requirement of DNSSEC for internal DNS zone signing on U.S. federal government information systems.

In addition, DNSSEC is likely to become a regulatory requirement for some industries, such as finance and banking.

DNSSEC in previous Windows Server versions

Basic support for DNSSEC was introduced in Windows Server 2003 to allow DNS servers to act as secondary DNS servers for existing DNSSEC-compliant secure zones. Windows Server 2003 DNS servers, however, were not capable of signing zones and resource records or validating the Signature (SIG) resource records. In addition, all DNSSEC configuration had to be performed by editing the registry on DNS servers.

Support for DNSSEC was enhanced in Windows Server 2008 R2 but was limited by being intended as a solution only for file-backed, static zones and not for dynamic Active Directory integrated zones. The DNS server command-line management tool (Dnscmd.exe) could be used to perform offline key generation and zone-signing capability through a signing tool. Windows PowerShell scripts were later released through the TechNet Script Center for performing DNSSEC administration tasks such as signing zones and for adding, rolling over, and verifying trust anchors. However, the DNS client in Windows 7 and Windows Server 2008 R2 is DNSSEC-aware but nonvalidating. In other words, the DNS client can examine a response received from a DNS server to determine whether the response has been validated by the DNS server, but the client cannot itself validate the response it receives from the DNS server. This means that some other method, such as Internet Protocol security (IPsec), must still be used to secure the last mile between the client and its local DNS server, even when DNSSEC has been configured on DNS servers running Windows Server 2008 R2.

Windows Server 2012 now includes full DNSSEC support for Active Directory–integrated DNS scenarios, including DNS dynamic updates in DNSSEC signed zones, automated trust-anchor distribution through Active Directory, automated trust-anchor rollover support per RFC 5011, and validation of records signed with updated DNSSEC standards (NSEC3, RSA/SHA-2). An updated user interface with deployment and management wizards is also included, as well as full Windows PowerShell support for configuring and managing DNSSE. However, the DNS client in Windows 8 and Windows Server 2012 is still DNSSEC-aware but nonvalidating, which means IPsec should still be used to secure the network connecting the client to its local DNS server.

Other -----------------
- Windows Server 2012 : Ensuring DHCP availability (part 3) - Managing DHCP failover
- Windows Server 2012 : Ensuring DHCP availability (part 2) - Implementing DHCP failover
- Windows Server 2012 : Ensuring DHCP availability (part 1) - Previous approaches to implementing DHCP availability
- Sharepoint 2013 : Managing Security - See Who Is a Member of a SharePoint Group
- Sharepoint 2013 : Managing Security - Grant Permissions to a File or List Item
- Sharepoint 2013 : Managing Security - See What Permissions Are Set (part 2) - Read the Permissions Page, Check the Permissions for a Specific User or Group
- Sharepoint 2013 : Managing Security - See What Permissions Are Set (part 1) - Check Permissions on Files and List Items
- Microsoft Exchange Server 2010 : Creating and Managing Accepted Domains (part 3) - Changing the Accepted Domain Type and Identifier , Removing Accepted Domains
- Microsoft Exchange Server 2010 : Creating and Managing Accepted Domains (part 2) - Creating Accepted Domains
- Microsoft Exchange Server 2010 : Creating and Managing Accepted Domains (part 1) - Viewing Accepted Domains
 
 
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
 
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server