DNS - MCSE 2019
Milad Es'Haghi
DNS Day – 6/12/2019
Theways.ir/GAM Academy
History

• The Cold War was on, and the USA was investing heavily in defense and technology. In 1958, under President Eisenhower, ARPA (the Advanced Research Projects Agency) was started.
• The idea of packet switching was presented, and there was a project to connect the Q-32 to the TX-2 computer (MIT's computer) under the management of Larry Roberts. Later, in 1966, Roberts published a paper on ARPANET – a packet switching network that uses the TCP/IP protocol. It was like the Internet, but not scalable. It took some more years before it became a reality.
• During the 70s there was fast growth in the number of computers in the world. Different networks were appearing, and even some international projects. There was a lot of development, and many different protocols and programs were created. The first commercial e-mail programs came in 1976.
• Before DNS, there was a centralized HOSTS.TXT file that mapped the sites of the time. But, thanks to the growing number of sites, the file kept getting bigger, and there was a strong need for a decentralized model.
• DNS was created in 1983 and became one of the original Internet Standards in 1986 (after the creation of the Internet Engineering Task Force, IETF). The two documents that marked the start are RFC 1034 and RFC 1035. They describe the whole protocol functionality and include the data types that it can carry.
DNS has seen various upgrades during its life. The first major one was the introduction of the NOTIFY mechanism and Incremental Zone Transfer (IXFR). Now the servers were able to update dynamically. With NOTIFY, the master server can "say" to the slave servers that it has an update that it must share. Before, the slaves needed to check periodically.

Name Resolution Overview
Host file and client resolver cache
DNS Queries
DNS Resource Record
DNS Zones
Zone transfer
Dynamic Update
ADI Zones (Active Directory-integrated zones)
DNS Suffix
DNS & DHCP Integration
Aging and Scavenging
DNS Round Robin & Subnet prioritization
GlobalNames zone
What's New in DNS Server in Windows Server

DNS Policies
Response Rate Limiting
DANE support
Unknown record support
IPv6 root hints
Windows PowerShell support

DNS Policies Overview
• Application Load Balancing. When you have deployed multiple instances of an application at different locations, you can use DNS policy to balance the traffic load between the different application instances, dynamically allocating the traffic load for the application.
• Geo-Location Based Traffic Management. You can use DNS Policy to allow primary and secondary DNS servers to respond to DNS client queries based on the geographical location of both the client and the resource to which the client is attempting to connect, providing the client with the IP address of the closest resource.

Application Load Balancing
• Split Brain DNS. With split-brain DNS, DNS records are split into different Zone Scopes on the same DNS server, and DNS clients receive a response based on whether the clients are internal or external clients. You can configure split-brain DNS for Active Directory integrated zones or for zones on standalone DNS servers.
• Filtering. You can configure DNS policy to create query filters that are based on criteria that you supply. Query filters in DNS policy allow you to configure the DNS server to respond in a custom manner based on the DNS query and the DNS client that sends the query.

Query filter criteria
You can create query filters with any logical combination (AND/OR/NOT) of the following criteria.

Example: Block queries from a subnet
With this example, you can block queries from a subnet if it is found to be infected by some malware and is trying to contact malicious sites using your DNS server.

Add-DnsServerClientSubnet -Name "MaliciousSubnet06" -IPv4Subnet 172.0.77.0/24 -PassThru
Add-DnsServerQueryResolutionPolicy -Name "BlockListPolicyMalicious06" -Action IGNORE -ClientSubnet "EQ,MaliciousSubnet06" -PassThru

Example: Allow only certain QTypes
You can apply Allow Lists to QTYPEs. For example, if you have external customers querying DNS server interface 164.8.1.1, only certain QTYPEs are allowed to be queried, while other QTYPEs such as SRV or TXT records are used by internal servers for name resolution or for monitoring purposes.

# NE (not equal): queries on this interface whose QTYPE is NOT in the allow list are ignored
Add-DnsServerQueryResolutionPolicy -Name "AllowListQType" -Action IGNORE -QType "NE,A,AAAA,MX,NS,SOA" -ServerInterface "EQ,164.8.1.1" -PassThru

https://docs.microsoft.com/en-us/windows-server/networking/dns/deploy/apply-filters-on-dns-queries
• Forensics. You can use DNS policy to redirect malicious DNS clients to a non-existent IP address instead of directing them to the computer they are trying to reach.
Network Forensics with Windows DNS Analytical Logging
• Time of day based redirection. You can use DNS policy to distribute application traffic across different geographically distributed instances of an application by using DNS policies that are based on the time of day.
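The filtering and forensics bullets above describe two uses of the same policy machinery: combining filter criteria, and steering suspect clients to an address that leads nowhere while their queries are logged. The following script is an added example, not code from the deck; the zone name, the subnet name and range, the sinkhole address (a TEST-NET-1 address) and the policy names are assumed or constructed for illustration.

```powershell
# Added example, not code from the original deck: combining query-filter criteria and the
# "forensics" sinkhole redirect. Zone name, subnet names/ranges and the sinkhole address
# are assumed or constructed for illustration.
Import-Module DnsServer

$Zone       = "theways.ir"        # assumed zone hosted on this DNS server
$SuspectNet = "SuspectSubnet01"   # assumed client-subnet name for hosts under investigation
$SinkholeIP = "192.0.2.1"         # TEST-NET-1 address: routed nowhere, so the redirect leads "to nothing"

# 1. Define the client subnet (constructed range) if it does not exist yet.
if (-not (Get-DnsServerClientSubnet -Name $SuspectNet -ErrorAction SilentlyContinue)) {
    Add-DnsServerClientSubnet -Name $SuspectNet -IPv4Subnet "172.0.78.0/24"
}

# 2. Server-level filter: silently drop TXT lookups coming from that subnet.
#    Two criteria combined with AND (the default -Condition), so other clients and other
#    query types are unaffected. IGNORE sends no response at all; DENY would answer REFUSED.
Add-DnsServerQueryResolutionPolicy -Name "DropTxtFromSuspects" -Action IGNORE `
    -ClientSubnet "EQ,$SuspectNet" -QType "EQ,TXT" -Condition AND -ProcessingOrder 1

# 3. Zone-level sinkhole: a dedicated zone scope whose www record points at the sinkhole
#    address, and a policy that serves that scope only to the suspect subnet. Short TTL so
#    the redirect can be lifted quickly once the investigation is over.
if (-not (Get-DnsServerZoneScope -ZoneName $Zone -Name "Sinkhole" -ErrorAction SilentlyContinue)) {
    Add-DnsServerZoneScope -ZoneName $Zone -Name "Sinkhole"
}
Add-DnsServerResourceRecord -ZoneName $Zone -ZoneScope "Sinkhole" -A -Name "www" `
    -IPv4Address $SinkholeIP -TimeToLive 00:01:00
Add-DnsServerQueryResolutionPolicy -Name "SinkholeSuspects" -ZoneName $Zone -Action ALLOW `
    -ClientSubnet "EQ,$SuspectNet" -ZoneScope "Sinkhole,1"

# 4. Turn on the DNS analytical log so every query, including the redirected ones, is
#    recorded for later investigation (standard wevtutil set-log syntax).
wevtutil set-log "Microsoft-Windows-DNSServer/Analytical" /e:true /q:true

# 5. Review what is now in force at server level and in the zone.
Get-DnsServerQueryResolutionPolicy | Format-Table Name, ProcessingOrder, Action, Condition
Get-DnsServerQueryResolutionPolicy -ZoneName $Zone | Format-Table Name, ProcessingOrder, Action
```

Server-level policies (no -ZoneName) can only allow, deny or ignore a query, so the redirect has to live at zone level, where a policy may select a zone scope. Clients outside the suspect subnet never match either policy and keep receiving the records from the default scope.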
Use DNS Policy for Application Load Balancing – Sample Code

Step 1: Create the zone scopes
You can use the following Windows PowerShell commands to create zone scopes.

Add-DnsServerZoneScope -ZoneName "Theways.ir" -Name "HQ ZoneScope"
Add-DnsServerZoneScope -ZoneName "Theways.ir" -Name "BR1 ZoneScope"
Add-DnsServerZoneScope -ZoneName "Theways.ir" -Name "BR2 ZoneScope"

Step 2: Add records to the zone scopes
In HQ ZoneScope, you can add the record www.theways.ir with IP address 192.0.0.1, which is located in the HQ datacenter. In BR1 ZoneScope, you can add the same record (www.theways.ir) with IP address 177.0.0.1 in the BR1 datacenter. Similarly, in BR2 ZoneScope, you can add a record (www.theways.ir) with IP address 77.0.0.1 in the BR2 datacenter.

You can use the following Windows PowerShell commands to add records to the zone scopes.

Add-DnsServerResourceRecord -ZoneName "Theways.ir" -A -Name "www" -IPv4Address "192.0.0.1" -ZoneScope "HQ ZoneScope"
Add-DnsServerResourceRecord -ZoneName "Theways.ir" -A -Name "www" -IPv4Address "177.0.0.1" -ZoneScope "BR1 ZoneScope"
Add-DnsServerResourceRecord -ZoneName "Theways.ir" -A -Name "www" -IPv4Address "77.0.0.1" -ZoneScope "BR2 ZoneScope"

Step 3: Create the DNS policy
You can use the following Windows PowerShell commands to create a DNS policy that balances application traffic across these three datacenters. The number after each scope is its weight: HQ receives two out of every four responses, BR1 and BR2 one each.

Add-DnsServerQueryResolutionPolicy -Name "ALB Policy" -Action ALLOW -ZoneScope "HQ ZoneScope,2;BR1 ZoneScope,1;BR2 ZoneScope,1" -ZoneName "Theways.ir"
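The overview earlier lists geo-location based traffic management and time-of-day redirection alongside load balancing, but only the load-balancing steps come with commands. The script below is an added example, not the deck's own code: it reuses the three datacenter scopes from the walkthrough and adds client subnets so that each branch's clients are answered from the nearest datacenter, plus a time-of-day rule. The zone, the subnet names and ranges, the maintenance window and the policy names are assumed or constructed.

```powershell
# Added example, not the deck's own code: geo-location based traffic management with
# DNS policy, built on the same zone scopes as the ALB walkthrough. Zone, subnet
# names/ranges, addresses and the maintenance window are assumed or constructed.
Import-Module DnsServer
$Zone = "theways.ir"

# Each site: the client ranges served from it (constructed), its zone scope and its www address.
$Sites = @(
    @{ Subnet = "HQSubnet";  Range = "10.1.0.0/16"; Scope = "HQ ZoneScope";  Address = "192.0.0.1" },
    @{ Subnet = "BR1Subnet"; Range = "10.2.0.0/16"; Scope = "BR1 ZoneScope"; Address = "177.0.0.1" },
    @{ Subnet = "BR2Subnet"; Range = "10.3.0.0/16"; Scope = "BR2 ZoneScope"; Address = "77.0.0.1" }
)

foreach ($s in $Sites) {
    # Idempotent setup: create the subnet and scope only when they do not exist yet.
    if (-not (Get-DnsServerClientSubnet -Name $s.Subnet -ErrorAction SilentlyContinue)) {
        Add-DnsServerClientSubnet -Name $s.Subnet -IPv4Subnet $s.Range
    }
    if (-not (Get-DnsServerZoneScope -ZoneName $Zone -Name $s.Scope -ErrorAction SilentlyContinue)) {
        Add-DnsServerZoneScope -ZoneName $Zone -Name $s.Scope
    }
    Add-DnsServerResourceRecord -ZoneName $Zone -ZoneScope $s.Scope -A -Name "www" -IPv4Address $s.Address

    # One policy per site: clients from this subnet are answered only from the local scope.
    Add-DnsServerQueryResolutionPolicy -Name "$($s.Subnet)Policy" -ZoneName $Zone -Action ALLOW `
        -ClientSubnet "EQ,$($s.Subnet)" -ZoneScope "$($s.Scope),1"
}

# Clients that match no subnet fall through to the default scope, so keep a record there too.
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name "www" -IPv4Address "192.0.0.1"

# Time of day: HQ has a hypothetical maintenance window 20:00-22:00 (DNS server clock), during
# which its own clients are steered to BR1. Both criteria must match (AND is the default), and
# -ProcessingOrder 1 puts this rule ahead of the plain HQSubnet policy, which would otherwise
# match first and win.
Add-DnsServerQueryResolutionPolicy -Name "HQMaintenancePolicy" -ZoneName $Zone -Action ALLOW `
    -ClientSubnet "EQ,HQSubnet" -TimeOfDay "EQ,20:00-22:00" -ZoneScope "BR1 ZoneScope,1" `
    -ProcessingOrder 1

# Verify the evaluation order: the first matching policy decides the answer.
Get-DnsServerQueryResolutionPolicy -ZoneName $Zone |
    Sort-Object ProcessingOrder |
    Format-Table Name, ProcessingOrder, Condition, Action
```

Policy order is the thing to check after any change: a broad policy placed before a narrow one silently makes the narrow one unreachable, which is why the maintenance rule is inserted at position 1 rather than appended.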
Response Rate Limiting

You can configure RRL settings to control how to respond to requests to a DNS client when your server receives several requests targeting the same client. By doing this, you can prevent someone from launching a Denial of Service (DoS) attack using your DNS servers.
For instance, a botnet can send requests to your DNS server using the IP address of a third computer as the requestor. Without RRL, your DNS servers might respond to all the requests, flooding the third computer. When you use RRL, you can configure the following settings:

• Responses per second. This is the maximum number of times the same response will be given to a client within one second.
• Errors per second. This is the maximum number of times an error response will be sent to the same client within one second.
• Window. This is the number of seconds for which responses to a client will be suspended if too many requests are made.
• Leak rate. This is how frequently the DNS server will respond to a query during the time responses are suspended. For instance, if the server suspends responses to a client for 10 seconds, and the leak rate is 5, the server will still respond to one query for every 5 queries sent. This allows the legitimate clients to get responses even when the DNS server is applying response rate limiting on their subnet or FQDN.
• TC rate. This is used to tell the client to try connecting with TCP when responses to the client are suspended. For instance, if the TC rate is 3, and the server suspends responses to a given client, the server will issue a request for a TCP connection for every 3 queries received. Make sure the value for TC rate is lower than the leak rate, to give the client the option to connect via TCP before leaking responses.
• Maximum responses. This is the maximum number of responses the server will issue to a client while responses are suspended.
• White list domains. This is a list of domains to be excluded from RRL settings.
• White list subnets. This is a list of subnets to be excluded from RRL settings.
• White list server interfaces. This is a list of DNS server interfaces to be excluded from RRL settings.
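The settings listed above map one-to-one onto the parameters of Set-DnsServerResponseRateLimiting, and the three white lists onto an RRL exception list. The script below is an added example, not the deck's own code: it applies the settings in LogOnly mode first, enforces the "TC rate lower than leak rate" rule from the list, and exempts internal traffic. The internal subnet range, the interface address and the exception-list name are constructed.

```powershell
# Added example, not the deck's own code: apply the RRL settings described above, starting
# in LogOnly mode, then exempt internal traffic. Subnet range, interface address and
# exception-list name are constructed.
Import-Module DnsServer

$rrl = @{
    Mode                      = "LogOnly" # log what would be limited; switch to "Enable" once tuned
    ResponsesPerSec           = 5         # same answer to the same client: at most 5 per second
    ErrorsPerSec              = 5         # error responses (NXDOMAIN, SERVFAIL) to the same client per second
    WindowInSec               = 5         # how long responses to an offending client stay suspended
    LeakRate                  = 3         # while suspended, still answer 1 query in every 3
    TruncateRate              = 2         # while suspended, send a truncated (TC) reply for 1 in every 2 queries
    MaximumResponsesPerWindow = 1024      # hard cap on responses to one client inside the window
}

# The caveat from the settings list: the TC rate must be lower than the leak rate, otherwise
# the client never gets the "retry over TCP" hint before responses start leaking through.
if ($rrl.TruncateRate -ge $rrl.LeakRate) {
    throw "TruncateRate ($($rrl.TruncateRate)) must be lower than LeakRate ($($rrl.LeakRate))"
}
Set-DnsServerResponseRateLimiting @rrl -Force

# White lists: the internal subnet, the zone's own names and the internal-facing interface
# are excluded from RRL. -Condition OR means matching any one criterion is enough.
if (-not (Get-DnsServerClientSubnet -Name "InternalSubnet" -ErrorAction SilentlyContinue)) {
    Add-DnsServerClientSubnet -Name "InternalSubnet" -IPv4Subnet "10.0.0.0/8"
}
Add-DnsServerResponseRateLimitingExceptionlist -Name "InternalExceptions" `
    -ClientSubnet "EQ,InternalSubnet" `
    -Fqdn "EQ,*.theways.ir" `
    -ServerInterfaceIP "EQ,10.0.0.53" `
    -Condition OR

# Verify the effective configuration.
Get-DnsServerResponseRateLimiting
Get-DnsServerResponseRateLimitingExceptionlist
```

LogOnly is the safe first step: RRL events land in the DNS analytical log without any response being dropped, so the per-second thresholds can be sized from real query patterns before Mode is switched to Enable. A threshold set too low would rate-limit the legitimate clients the leak rate is meant to protect.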
DANE support

You can use DANE support (RFC 6394 and 6698) to specify to your DNS clients which CA they should expect certificates to be issued from for domain names hosted in your DNS server. This prevents a form of man-in-the-middle attack where someone is able to corrupt a DNS cache and point a DNS name to their own IP address.

For instance, imagine you host a secure website that uses SSL at www.Theways.ir by using a certificate from a well-known authority named CA1. Someone might still be able to get a certificate for www.Theways.ir from a different, not-so-well-known certificate authority named CA2. Then, the entity hosting the fake www.Theways.ir website might be able to corrupt the DNS cache of a client or server to point www.Theways.ir to their fake site. The end user will be presented with a certificate from CA2, and may simply acknowledge it and connect to the fake site. With DANE, the client would make a request to the DNS server for contoso.com asking for the TLSA record and learn that the certificate for www.Theways.ir was issued by CA1. If presented with a certificate from another CA, the connection is aborted.
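The TLSA record is what carries the "expect CA1" statement to clients. The script below is an added example, not the deck's own code: it computes the SHA-256 digest of CA1's certificate and publishes it as a TLSA record for the HTTPS service on www.theways.ir. The certificate file path, the zone, and the port/protocol are assumptions; the -Tlsa parameter set and its value names are those of Add-DnsServerResourceRecord in the DnsServer module.

```powershell
# Added example, not the deck's own code: publish a TLSA record for www.theways.ir that
# pins the issuing CA ("CA1" in the story above). The certificate path, zone, port and
# protocol are assumed.
Import-Module DnsServer

$Zone   = "theways.ir"
$Owner  = "_443._tcp.www"              # TLSA owner name: _<port>._<protocol>.<host>
$CaCert = "C:\certs\CA1-issuing.cer"   # assumed path to CA1's issuing certificate

# Selector 0 (FullCertificate) + matching type 1 (SHA-256): the association data is the
# SHA-256 digest of the CA certificate's DER encoding, written as lowercase hex.
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCert
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$digest = ($sha256.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString("x2") }) -join ""

# Usage 0 (CAConstraint, "PKIX-TA"): the presented chain must still validate under normal
# PKIX rules AND must include this CA. A certificate from "CA2" fails the constraint even
# when CA2 is in the client's trust store.
Add-DnsServerResourceRecord -Tlsa -ZoneName $Zone -Name $Owner `
    -CertificateUsage CAConstraint `
    -Selector FullCertificate `
    -MatchingType Sha256Hash `
    -CertificateAssociationData $digest `
    -TimeToLive 01:00:00

# Confirm the record is present in the zone.
Get-DnsServerResourceRecord -ZoneName $Zone -Name $Owner
```

A TLSA record is only as trustworthy as the DNS answer that carries it: the same cache corruption the scenario describes could replace the record along with the A record, so DANE is meant to be deployed on a DNSSEC-signed zone and evaluated by a validating client. Pinning the end-entity certificate instead (usage 3, DomainIssuedCertificate) is stricter but has to be re-published on every certificate renewal.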
Unknown record support
An "Unknown Record" is an RR whose RDATA format is not known to the DNS server. The newly added support for unknown record types (RFC 3597) means that you can add the unsupported record types to Windows DNS server zones in the binary on-wire format. The Windows caching resolver already had the ability to process unknown record types.
IPv6 root hints

The IPv6 root hints, as published by IANA, have been added to the Windows DNS server. Internet name queries can now use IPv6 root servers for performing name resolution.
List of the DNS root servers

Where are the DNS root servers located? There are hundreds of root servers at over 130 locations all over the world. ICANN is responsible for the servers for one of the 13 IP addresses and entrusts the operation of the rest to various other organizations. In total, there are 12 organizations held responsible, with VeriSign operating two of them.
Windows PowerShell support

DNS Attacks

https://securitytrails.com/blog/most-popular-types-dns-attacks
How to protect from DNS spoofing?

• Always use a secure connection. Use encryption via SSL or TLS to verify the certificate of the website you want to visit.
• Use DNSSEC – Domain Name System Security Extensions checks the data authenticity with digitally signed DNS records.
What is DNSSEC?

Beginning in 1993, the IETF started thinking about ways to make the DNS system more robust and secure. One of the proposed ways to harden the DNS system was to use DNSSEC. DNSSEC (Domain Name System Security Extensions) was introduced more than ten years later, in 2005, as a new way to improve DNS security.

The DNS protocol is vulnerable to attack due to an inherent lack of authentication and integrity checking of data that is exchanged between DNS servers or provided to DNS clients. DNSSEC adds security to DNS responses by providing the ability for DNS servers to validate DNS responses. With DNSSEC, resource records are accompanied by digital signatures. These digital signatures are generated when DNSSEC is applied to a DNS zone using a process called zone signing. When a resolver issues a DNS query for a resource record in a signed zone, a digital signature is returned with the response so that validation can be performed. If validation is successful, this proves that the data has not been modified or tampered with in any way.

https://www.cloudflare.com/dns/dnssec/how-dnssec-works/
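The zone-signing process described above, on a Windows DNS server, as an added example that is not part of the deck: sign the zone with the default key set, export the DS records the parent zone needs for the chain of trust, and confirm that a query with the DO bit set now returns an RRSIG with the answer. The zone name, the export directory and the server address are assumed.

```powershell
# Added example, not the deck's own code: sign a zone, export its DS set for the parent,
# and check that signed answers come back. Zone name, export path and server are assumed.
Import-Module DnsServer

$Zone      = "theways.ir"
$ExportDir = "C:\dnssec"   # assumed directory for the dsset/keyset files handed to the parent-zone operator

# Sign once: default signing creates a KSK and a ZSK and signs every RRset in the zone.
if (-not (Get-DnsServerZone -ZoneName $Zone).IsSigned) {
    Invoke-DnsServerZoneSign -ZoneName $Zone -SignWithDefault -Force
}

# The chain of trust only exists once the parent publishes DS records for our KSK, so
# export the DS set (SHA-256 digest) for submission to the registrar/parent.
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
Export-DnsServerDnsSecPublicKey -ZoneName $Zone -Path $ExportDir -DigestType Sha256 -Force

# Validation check: with the DO bit set, a signed zone returns the RRSIG alongside the A record.
function Test-ZoneSigned {
    param([string]$Name, [string]$Server = "127.0.0.1")
    $answer = Resolve-DnsName -Name $Name -Type A -DnssecOk -Server $Server
    return [bool]($answer | Where-Object { $_.Type -eq "RRSIG" })
}

if (Test-ZoneSigned -Name "www.$Zone") {
    "RRSIG present: www.$Zone is served signed"
} else {
    "no RRSIG returned for www.$Zone: zone not signed or server not returning DNSSEC records"
}
```

Signing the zone is only half of the picture: the RRSIG proves nothing to a client until a validating resolver can walk the chain from a trust anchor (the root, or the parent's DS) down to this zone's DNSKEY. Check both ends, the DS at the parent and validation on the resolvers your clients use, before relying on DNSSEC as the defence against the cache poisoning described earlier.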
DNSSEC Validation Rate by Country

Summary
THANK YOU
GAM Academy
09128986118
www.theways.ir
t.me/EnterpriseAdmins

Contenu connexe

Tendances

DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksFindWhitePapers
 
DNS spoofing/poisoning Attack
DNS spoofing/poisoning AttackDNS spoofing/poisoning Attack
DNS spoofing/poisoning AttackFatima Qayyum
 
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Dan York
 
CNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureCNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureSam Bowne
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSAlex Mayrhofer
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksMen and Mice
 
DNS DDoS Attack and Risk
DNS DDoS Attack and RiskDNS DDoS Attack and Risk
DNS DDoS Attack and RiskSukbum Hong
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timeAPNIC
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsPeter R. Egli
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSMen and Mice
 
Thoughts about DNS for DDoS
Thoughts about DNS for DDoSThoughts about DNS for DDoS
Thoughts about DNS for DDoSAPNIC
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]APNIC
 
A Measurement Study of Open Resolvers and DNS Server Version
A Measurement Study of Open Resolvers and DNS Server VersionA Measurement Study of Open Resolvers and DNS Server Version
A Measurement Study of Open Resolvers and DNS Server VersionYuuki Takano
 
Content Navigation
Content NavigationContent Navigation
Content Navigationsanjoysanyal
 

Tendances (20)

DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
 
Understanding DNS Security
Understanding DNS SecurityUnderstanding DNS Security
Understanding DNS Security
 
DNS spoofing/poisoning Attack
DNS spoofing/poisoning AttackDNS spoofing/poisoning Attack
DNS spoofing/poisoning Attack
 
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
 
CNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureCNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and Architecture
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPS
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows Networks
 
Dnssec
DnssecDnssec
Dnssec
 
DNS DDoS Attack and Risk
DNS DDoS Attack and RiskDNS DDoS Attack and Risk
DNS DDoS Attack and Risk
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a time
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security Extensions
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
Thoughts about DNS for DDoS
Thoughts about DNS for DDoSThoughts about DNS for DDoS
Thoughts about DNS for DDoS
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
 
Dns tunnelling its all in the name
Dns tunnelling its all in the nameDns tunnelling its all in the name
Dns tunnelling its all in the name
 
Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140) Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140)
 
7 technical-dns-workshop-day3
7 technical-dns-workshop-day37 technical-dns-workshop-day3
7 technical-dns-workshop-day3
 
A Measurement Study of Open Resolvers and DNS Server Version
A Measurement Study of Open Resolvers and DNS Server VersionA Measurement Study of Open Resolvers and DNS Server Version
A Measurement Study of Open Resolvers and DNS Server Version
 
Content Navigation
Content NavigationContent Navigation
Content Navigation
 

Similaire à DNS - MCSE 2019

New DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet ThreatsNew DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet ThreatsOpenDNS
 
OpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform TechnologyOpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform TechnologyCourtland Smith
 
Data Security Governanace and Consumer Cloud Storage
Data Security Governanace and Consumer Cloud StorageData Security Governanace and Consumer Cloud Storage
Data Security Governanace and Consumer Cloud StorageDaniel Rohan
 
ICANN 51: Name Collision
ICANN 51: Name CollisionICANN 51: Name Collision
ICANN 51: Name CollisionICANN
 
5.Dns Rpc Nfs
5.Dns Rpc Nfs5.Dns Rpc Nfs
5.Dns Rpc Nfsphanleson
 
5.Dns Rpc Nfs 2
5.Dns Rpc Nfs 25.Dns Rpc Nfs 2
5.Dns Rpc Nfs 2phanleson
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsAPNIC
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT  AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT  AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...Felipe Prado
 
Unit VI Overlays
Unit VI OverlaysUnit VI Overlays
Unit VI Overlayssangusajjan
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
 
Learning series fundamentals of Networking and Medical Imaging
Learning series fundamentals of Networking and Medical ImagingLearning series fundamentals of Networking and Medical Imaging
Learning series fundamentals of Networking and Medical ImagingRyan Furlough, BSCPE CPAS
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]APNIC
 
DNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxDNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxviditsir
 

Similaire à DNS - MCSE 2019 (20)

ION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSECION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSEC
 
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet ThreatsNew DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
 
Quad9 and DNS Privacy
Quad9 and DNS PrivacyQuad9 and DNS Privacy
Quad9 and DNS Privacy
 
OpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform TechnologyOpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform Technology
 
Data Security Governanace and Consumer Cloud Storage
Data Security Governanace and Consumer Cloud StorageData Security Governanace and Consumer Cloud Storage
Data Security Governanace and Consumer Cloud Storage
 
ICANN 51: Name Collision
ICANN 51: Name CollisionICANN 51: Name Collision
ICANN 51: Name Collision
 
AWS Route53
AWS Route53AWS Route53
AWS Route53
 
Rhel4
Rhel4Rhel4
Rhel4
 
5.Dns Rpc Nfs
5.Dns Rpc Nfs5.Dns Rpc Nfs
5.Dns Rpc Nfs
 
5.Dns Rpc Nfs 2
5.Dns Rpc Nfs 25.Dns Rpc Nfs 2
5.Dns Rpc Nfs 2
 
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAILDNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutions
 
Dns1111111111
Dns1111111111Dns1111111111
Dns1111111111
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT  AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT  AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
 
Unit VI Overlays
Unit VI OverlaysUnit VI Overlays
Unit VI Overlays
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
 
Introduction
IntroductionIntroduction
Introduction
 
Learning series fundamentals of Networking and Medical Imaging
Learning series fundamentals of Networking and Medical ImagingLearning series fundamentals of Networking and Medical Imaging
Learning series fundamentals of Networking and Medical Imaging
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
 
DNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxDNS_Tutorial 2.pptx
DNS_Tutorial 2.pptx
 

DNS - MCSE 2019

  • 1. 1 Milad Es’Haghi DNS Day – 6/12/2019 Theways.ir/GAM Academi
  • 2. 2
  • 3. • The Cold War was on, the USA was investing a lot in defense and technology. In 1958, under the president Eisenhower, ARPA (Advanced Research Projects Agency) started. • The idea of packet switching was presented, and there was a project to connect the Q-32 to the TX-2 computer (MIT’s computer) under the management of Larry Roberts. Later in 1966, the same guy published a paper on ARPANET – a packet switching network that uses TCP/IP protocol. It was like the Internet, but not scalable. It took some more years before it gets a reality. • During the 70s there was a fast growth in the numbers of computers in the world. There were different networks appearing and even some international projects too. There was a lot of development, and many different protocols and programs were created. The first commercial e-mail programs came in 1976. History 3
  • 4. • Before, there was a centralized HOSTS.TXT text that was mapping the current sites. But, thanks to the growing number of sites, the file was getting bigger too, and there was a strong need for a decentralized model • The DNS was created in 1983 and became one of the original Internet Standards in 1986 (After the creation of the Internet Engineering Task Force IETF). The two documents that marked the start are RFC 1034 and RFC 1035. They describe the whole protocol functionality and include data types that it can carry. 4 The DNS has seen various upgrades during its life. The first major one was the introduction of the NOTIFY mechanisms and Incremental Zone Transfer IXFR. Now the servers were able to update dynamically. With the NOTIFY, the master server can “say” to the slave servers that it has an update that it must share. Before, the slaves needed to check periodically
  • 6. 6
  • 19. 19
  • 20. What'sNewinDNSServerinWindowsServer 20 DNS Policies Response Rate Limiting DANE support Unknown record support IPv6 root hints Windows PowerShell support
  • 21. DNSPoliciesOverview 21 •Application Load Balancing. When you have deployed multiple instances of an application at different locations, you can use DNS policy to balance the traffic load between the different application instances, dynamically allocating the traffic load for the application. •Geo-Location Based Traffic Management. You can use DNS Policy to allow primary and secondary DNS servers to respond to DNS client queries based on the geographical location of both the client and the resource to which the client is attempting to connect, providing the client with the IP address of the closest resource.
  • 23. 23 Split Brain DNS. With split-brain DNS, DNS records are split into different Zone Scopes on the same DNS server, and DNS clients receive a response based on whether the clients are internal or external clients. You can configure split-brain DNS for Active Directory integrated zones or for zones on standalone DNS servers.
  • 24. 24 Filtering. You can configure DNS policy to create query filters that are based on criteria that you supply. Query filters in DNS policy allow you to configure the DNS server to respond in a custom manner based on the DNS query and DNS client that sends the DNS query. Query filter criteria You can create query filters with any logical combination (AND/OR/NOT) of the following criteria.
  • 25. • Add-DnsServerClientSubnet -Name "MaliciousSubnet06" -IPv4Subnet 172.0.77.0/24 - PassThru • Add-DnsServerQueryResolutionPolicy -Name "BlockListPolicyMalicious06" -Action IGNORE - ClientSubnet "EQ,MaliciousSubnet06" -PassThru ` 25 Example : Block queries from a subnet With this example, you can block queries from a subnet if it is found to be infected by some malware and is trying to contact malicious sites using your DNS server.
  • 26. Add-DnsServerQueryResolutionPolicy -Name "AllowListQType" -Action IGNORE -QType "A,AAAA,MX,NS,SOA" –ServerInterface “EQ,164.8.1.1” -PassThru 26 Allow only certain QTypes You can apply Allow Lists to QTYPEs. For example, if you have external customers querying DNS server interface 164.8.1.1, only certain QTYPEs are allowed to be queried, while there are other QTYPEs like SRV or TXT records which are used by internal servers for name resolution or for monitoring purposes. https://docs.microsoft.com/en-us/windows-server/networking/dns/deploy/apply-filters-on-dns-queries
  • 27. 27 Forensics. You can use DNS policy to redirect malicious DNS clients to a non-existent IP address instead of directing them to the computer they are trying to reach. Network Forensics with Windows DNS Analytical Logging
  • 28. Time of day based redirection. You can use DNS policy to distribute application traffic across different geographically distributed instances of an application by using DNS policies that are based on the time of day. 28
  • 29. 29 Use DNS Policy for Application Load Balancing Sample Code: You can use the following Windows PowerShell commands to create zone scopes. Add-DnsServerZoneScope -ZoneName “Theways.ir" -Name “HQ ZoneScope“ Add-DnsServerZoneScope -ZoneName " Theways.ir " -Name “BR1 ZoneScope" Add-DnsServerZoneScope -ZoneName " Theways.ir" -Name “Br2 ZoneScope" Step 1: Step 2: In HQ ZoneScope, you can add the record www.theways.ir with IP address 192.0.0.1, which is located in the HQ datacenter. In BR1 ZoneScope, you can add the same record ( www.theways.ir) with IP address 177.0.0.1 in the BR1 datacenter. Similarly in BR2 ZoneScope, you can add a record ( www.theways.ir) with IP address 77.0.0.1 in the BR2
  • 30. You can use the following Windows PowerShell commands to create a DNS policy that balances application traffic across these three datacenters. 30 You can use the following Windows PowerShell commands to add records to the zone scopes. Add-DnsServerResourceRecord -ZoneName “Theways.ir" -A -Name "www" -IPv4Address "192.0.0.1" - ZoneScope “HQ ZoneScope Step3 : Create the DNS Policies Add-DnsServerQueryResolutionPolicy -Name “ALB Policy" -Action ALLOW -ZoneScope “HQ ZoneScope,2 ;BR1 ZoneScope,1 ;BR2 ZoneScope,1" -ZoneName “Theways.ir"
  • 31. You can configure RRL settings to control how to respond to requests to a DNS client when your server receives several requests targeting the same client. By doing this, you can prevent someone from sending a Denial of Service (Dos) attack using your DNS servers 31 Response Rate Limiting
  • 32. 32 For instance, a bot net can send requests to your DNS server using the IP address of a third computer as the requestor. Without RRL, your DNS servers might respond to all the requests, flooding the third computer. When you use RRL, you can configure the following settings:
  • 33. • Responses per second. This is the maximum number of times the same response will be given to a client within one second. • Errors per second. This is the maximum number of times an error response will be sent to the same client within one second. • Window. This is the number of seconds for which responses to a client will be suspended if too many requests are made. • Leak rate. This is how frequently the DNS server will respond to a query during the time responses are suspended. For instance, if the server suspends responses to a client for 10 seconds, and the leak rate is 5, the server will still respond to one query for every 5 queries sent. This allows the legitimate clients to get responses even when the DNS server is applying response rate limiting on their subnet or FQDN. 33 When you use RRL, you can configure the following settings :
  • 34. 34 TC rate. This is used to tell the client to try connecting with TCP when responses to the client are suspended. For instance, if the TC rate is 3, and the server suspends responses to a given client, the server will issue a request for TCP connection for every 3 queries received. Make sure the value for TC rate is lower than the leak rate, to give the client the option to connect via TCP before leaking responses Maximum responses. This is the maximum number of responses the server will issue to a client while responses are suspended. White list domains. This is a list of domains to be excluded from RRL settings. White list subnets. This is a list of subnets to be excluded from RRL settings. White list server interfaces. This is a list of DNS server interfaces to be excluded from RRL settings.
  • 35. DANE support. You can use DANE support (RFC 6394 and RFC 6698) to tell your DNS clients which CA they should expect certificates to be issued from for domain names hosted on your DNS server. This prevents a form of man-in-the-middle attack where someone is able to corrupt a DNS cache and point a DNS name to their own IP address.
  • 36. For instance, imagine you host a secure website that uses SSL at www.Theways.ir, with a certificate from a well-known authority named CA1. Someone might still be able to get a certificate for www.Theways.ir from a different, not-so-well-known certificate authority named CA2. Then, the entity hosting the fake www.Theways.ir website might be able to corrupt the DNS cache of a client or server to point www.Theways.ir to their fake site. The end user will be presented with a certificate from CA2, and may simply acknowledge it and connect to the fake site. With DANE, the client would make a request to the DNS server for contoso.com asking for the TLSA record and learn that the certificate for www.Theways.ir was issued by CA1. If presented with a certificate from another CA, the connection is aborted.
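  The scenario above corresponds to a TLSA record with certificate usage 0 (CA constraint) that names CA1. The following is an added example, not from the slides, of how such a record is computed and published in a Windows DNS Server zone; the certificate path C:\pki\CA1-root.cer, the zone theways.ir and the host www are assumptions for illustration.

```powershell
# Added example (not from the slides): publish a TLSA record so DANE-aware
# clients expect www.theways.ir's certificate chain to include CA1.
# The certificate path, zone and host names are assumptions for illustration.

# Load the CA certificate (DER- or PEM-encoded .cer) that is allowed to issue
# the site certificate.
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList 'C:\pki\CA1-root.cer'

# TLSA association data for selector 0 (full certificate) and matching type 1
# (SHA-256) is the hex-encoded SHA-256 digest of the DER certificate bytes.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$digest = ($sha256.ComputeHash($caCert.RawData) |
           ForEach-Object { $_.ToString('x2') }) -join ''

# The owner name is _<port>._<protocol>.<host>. CAConstraint is certificate
# usage 0 (PKIX-TA): the presented chain must still validate against the
# client's trust store AND contain this CA certificate.
Add-DnsServerResourceRecord -Tlsa -ZoneName 'theways.ir' -Name '_443._tcp.www' `
    -CertificateUsage CAConstraint `
    -Selector FullCertificate `
    -MatchingType Sha256Hash `
    -CertificateAssociationData $digest

# Check what was published.
Get-DnsServerResourceRecord -ZoneName 'theways.ir' -Name '_443._tcp.www'
```

A TLSA record is only as trustworthy as the DNS answer that carries it: an attacker who can poison the cache for www.Theways.ir can usually also suppress or replace the TLSA answer, which is why RFC 6698 requires the record to be validated with DNSSEC. Sign the zone (see the DNSSEC section below) before relying on DANE. Usage 0 matches the slide's "which CA" scenario; in practice usage 3 (DomainIssuedCertificate, pinning the server's own certificate) is the more common choice, and hashing the SubjectPublicKeyInfo instead of the full certificate keeps the record valid across certificate renewals that reuse the key.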
  • 37. Unknown record support. An "Unknown Record" is an RR whose RDATA format is not known to the DNS server. The newly added support for unknown record types (RFC 3597) means that you can add unsupported record types to Windows DNS Server zones in the binary on-wire format. The Windows caching resolver already has the ability to process unknown record types.
  • 38. IPv6 root hints. The IPv6 root hints, as published by IANA, have been added to the Windows DNS server. Internet name queries can now use IPv6 root servers to perform name resolution.
  • 39. List of the DNS root servers. Where are the DNS root servers located? There are hundreds of root servers at over 130 locations all over the world. ICANN is responsible for the servers for one of the 13 IP addresses and entrusts the operation of the rest to various other organizations. In total, there are 12 organizations held responsible, with VeriSign operating two of them.
  • 44. How to protect from DNS spoofing? Always use a secure connection: use encryption via SSL or TLS and verify the certificate of the website you want to visit. Use DNSSEC (Domain Name System Security Extensions), which checks data authenticity with digitally signed DNS records.
  • 45. What is DNSSEC? Beginning in 1993, the IETF started thinking about ways to make the DNS system more robust and secure, and one of the proposed ways to harden the DNS system was to use DNSSEC. DNSSEC (Domain Name System Security Extensions) was introduced more than ten years later, in 2005, as a new way to improve DNS security. The DNS protocol is vulnerable to attack due to an inherent lack of authentication and integrity checking of the data that is exchanged between DNS servers or provided to DNS clients. DNSSEC adds security to DNS responses by giving DNS servers the ability to validate DNS responses. With DNSSEC, resource records are accompanied by digital signatures. These digital signatures are generated when DNSSEC is applied to a DNS zone using a process called zone signing. When a resolver issues a DNS query for a resource record in a signed zone, a digital signature is returned with the response so that validation can be performed. If validation is successful, this proves that the data has not been modified or tampered with in any way.
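  The zone-signing and validation process just described, as an added example on Windows DNS Server and the Windows DNS client (not code from the slides): sign the zone, look at the DNSKEY and RRSIG records it produces, query with the DNSSEC OK bit, and make clients refuse unvalidated answers. The zone theways.ir, the resolver address 10.1.0.53 and the NRPT namespace are assumptions for illustration.

```powershell
# Added example (not from the slides): sign a zone on a Windows DNS Server and
# require validated answers on clients. Zone, resolver address and namespace
# are assumptions for illustration.

# --- Authoritative side ---------------------------------------------------
# Sign the zone with default settings: a KSK and a ZSK are generated, and
# RRSIG, DNSKEY and NSEC3 records are added to the zone. Omit -SignWithDefault
# and pre-create keys with Add-DnsServerSigningKey to choose algorithms,
# key sizes and rollover intervals yourself.
Invoke-DnsServerZoneSign -ZoneName 'theways.ir' -SignWithDefault -Force

# The public keys (DNSKEY) and the signatures (RRSIG) that resolvers will use.
Get-DnsServerResourceRecord -ZoneName 'theways.ir' -RRType DnsKey
Get-DnsServerResourceRecord -ZoneName 'theways.ir' -RRType RRSig

# --- Resolver / client side -----------------------------------------------
# Query with the DNSSEC OK (DO) bit set so the RRSIG is returned with the answer.
Resolve-DnsName -Name 'www.theways.ir' -Type A -DnssecOk -Server '10.1.0.53'

# Name Resolution Policy Table rule: for this namespace the client only accepts
# answers the recursive resolver has validated (the AD bit). The resolver must
# be able to build a chain of trust to the zone: a DS record published in the
# parent zone, or an explicit trust anchor added with Add-DnsServerTrustAnchor.
Add-DnsClientNrptRule -Namespace '.theways.ir' -DnsSecEnable -DnsSecValidationRequired
```

Validation is performed by the recursive resolver, not by the stub client, so the AD bit the client relies on is only meaningful if the path between the client and that resolver cannot be tampered with (on a managed network this is typically enforced with IPsec or by running the validating resolver locally). The NRPT rule is normally deployed through Group Policy rather than per machine; the cmdlet above shows the same setting applied to a single client.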