DNS Security Techniques Overview
In this lecture we're going to demonstrate several DNS security techniques that can be implemented in Windows Server 2016.
DANE (DNS Based Authentication of Named Entities)
- The first technique is DANE. Basically, DANE tells a client which source to expect a certificate from. That client or server will only accept a certificate from the designated source. We'll demonstrate how DANE works in a minute.
- First, let's clear up some terminology. DANE helps to prevent MITM (man-in-the-middle) attacks.
What is a man-in-the-middle attack? A MITM attack happens when communication between two systems is intercepted by an outside entity.
- What is a TLSA record? TLSA stands for Transport Layer Security Authentication.
The record is identified by the port number that the TLS server listens on and the server host name of the TLS server, and it tells the client which certificate to expect from that server.
- How does DANE work?
The client requests the IP address of google.com from sa.com. sa.com responds by informing the client to expect a certificate from https://www.ca.com.
At that point the DNS server sends 184.108.40.206, the IP address for google.com, to the client.
A typical example of a man-in-the-middle attack: the client requests a record.
sa.com responds by informing the client to expect a cert from https://www.ca.com. The attacker attempts to get the client or the server to accept a cert from another CA called https://www.carip.com.
In this case the server refuses the certificate and flags it as an invalid certificate. The MITM attack fails.
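The check described above, written out as an added example for this page (not Server Academy's or Microsoft's code): the zone owner publishes a TLSA record under _port._proto.host holding a digest of the certificate (or issuing CA) the client should expect, and the client compares whatever certificate chain it is presented with against that record. The host names are placeholders taken from the lecture's scenario and the "certificates" are constructed byte strings standing in for DER data.

```python
"""Added example: how a DANE-aware client checks a presented certificate chain
against a published TLSA record.  Illustrative code written for this page, not
Server Academy's or Microsoft's; the 'certificates' are constructed byte strings
standing in for DER data and the host names are placeholders."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List

# TLSA rdata fields as defined in RFC 6698.  Only the values used below are modelled.
USAGE_DANE_TA = 2        # "expect a certificate issued by this CA" (the lecture's case)
USAGE_DANE_EE = 3        # "expect exactly this server certificate"
SELECTOR_FULL_CERT = 0   # match the whole certificate
SELECTOR_SPKI = 1        # match only the SubjectPublicKeyInfo
MATCH_EXACT = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2


@dataclass(frozen=True)
class Certificate:
    """Stand-in for a parsed X.509 certificate (constructed, not real DER)."""
    subject: str
    der: bytes
    spki: bytes


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    cert_assoc_data: bytes


def tlsa_owner_name(port: int, proto: str, host: str) -> str:
    """TLSA records live under _<port>._<proto>.<host>, e.g. _443._tcp.www.sa.com."""
    return f"_{port}._{proto}.{host}"


def _selected_bytes(cert: Certificate, selector: int) -> bytes:
    if selector == SELECTOR_FULL_CERT:
        return cert.der
    if selector == SELECTOR_SPKI:
        return cert.spki
    raise ValueError(f"unsupported selector {selector}")


def _digest(data: bytes, matching_type: int) -> bytes:
    if matching_type == MATCH_EXACT:
        return data
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(data).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unsupported matching type {matching_type}")


def make_tlsa(cert: Certificate, usage: int,
              selector: int = SELECTOR_SPKI, matching_type: int = MATCH_SHA256) -> TLSARecord:
    """What the zone owner publishes: a digest of the certificate clients should expect."""
    return TLSARecord(usage, selector, matching_type,
                      _digest(_selected_bytes(cert, selector), matching_type))


def cert_matches(cert: Certificate, rec: TLSARecord) -> bool:
    return _digest(_selected_bytes(cert, rec.selector), rec.matching_type) == rec.cert_assoc_data


def chain_matches(chain: List[Certificate], rec: TLSARecord) -> bool:
    """chain[0] is the server certificate, followed by its issuing CA certificates."""
    if rec.usage == USAGE_DANE_EE:
        return cert_matches(chain[0], rec)
    if rec.usage == USAGE_DANE_TA:
        return any(cert_matches(ca, rec) for ca in chain[1:])
    raise ValueError(f"usage {rec.usage} not modelled here")


# Constructed sample data mirroring the lecture: the legitimate CA is www.ca.com,
# the attacker's CA is www.carip.com.  The byte strings are not real certificates.
CA_GOOD = Certificate("www.ca.com", der=b"DER-CA:www.ca.com", spki=b"SPKI:ca-key")
CA_ROGUE = Certificate("www.carip.com", der=b"DER-CA:www.carip.com", spki=b"SPKI:carip-key")
SERVER_GOOD = Certificate("www.sa.com", der=b"DER-EE:www.sa.com:by-ca.com", spki=b"SPKI:sa-key")
SERVER_ROGUE = Certificate("www.sa.com", der=b"DER-EE:www.sa.com:by-carip.com", spki=b"SPKI:mitm-key")

# The zone's DNS answer: "expect a certificate issued by www.ca.com" for HTTPS on www.sa.com.
PUBLISHED: Dict[str, TLSARecord] = {
    tlsa_owner_name(443, "tcp", "www.sa.com"): make_tlsa(CA_GOOD, USAGE_DANE_TA),
}


def dane_verify(port: int, proto: str, host: str, chain: List[Certificate]) -> str:
    """Client decision: 'accepted', 'rejected', or 'no TLSA record' (fall back to ordinary PKIX)."""
    rec = PUBLISHED.get(tlsa_owner_name(port, proto, host))
    if rec is None:
        return "no TLSA record"
    return "accepted" if chain_matches(chain, rec) else "rejected"


if __name__ == "__main__":
    print("genuine chain:", dane_verify(443, "tcp", "www.sa.com", [SERVER_GOOD, CA_GOOD]))
    print("MITM chain:   ", dane_verify(443, "tcp", "www.sa.com", [SERVER_ROGUE, CA_ROGUE]))
```

The rogue chain is rejected because the digest of www.carip.com's CA certificate does not match the association data published for www.ca.com, no matter how valid the rogue certificate looks on its own. One caveat the model leaves out: the TLSA lookup itself must be protected by DNSSEC (RFC 6698 requires it), otherwise an attacker who can spoof the DNS answer can simply publish a record matching their own CA.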
DNS Cache Locking
DNS Cache Locking is one of the methods that protects from DNS cache poisoning.
So, what is DNS Cache Poisoning?
- It is the act of placing false information in a DNS server's cache.
- DNS cache locking uses the Time to Live (the amount of time a record stays in cache).
- By default, the TTL is set to 24 hours.
- A malicious user cannot update the record until the TTL is exhausted.
Here’s how DNS Cache Locking Works
- When a DNS client sends a request to a recursive DNS server, the server caches the result so that it can respond more quickly to other DNS clients querying the same information.
- Another server down the line may have an update to that record and may want to update this server's cache.
- The amount of time that a record resides in the cache is based upon the TTL (time to live) value of the record.
Malicious user attack
A malicious user tries to update a record so that it directs users to a malicious site called https://www.carip.com.
Because the TTL is set to 24 hours, that record cannot be updated for 24 hours. The malicious user tried to update the record before the TTL was exhausted, so the update failed.
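The cache locking behaviour just described, as an added example written for this page (not Server Academy's or Microsoft's code): a toy resolver cache refuses to overwrite an entry until a configured percentage of its TTL has elapsed. The clock is a plain integer the caller passes in, so the 24-hour scenario can be replayed offline; the addresses other than the lecture's own 184.108.40.206 are constructed documentation addresses.

```python
"""Added example (illustrative code written for this page, not Server Academy's or
Microsoft's): a toy recursive-resolver cache with cache locking.  A cached record
cannot be overwritten until a configured percentage of its TTL has elapsed.  The
clock is a plain integer passed in by the caller so the example runs offline."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class CachedRecord:
    rdata: str
    ttl: int        # seconds the record may live in cache
    cached_at: int  # simulated clock value (seconds) when it was stored


class LockingCache:
    def __init__(self, locking_percent: int = 100) -> None:
        # 100 means a cached record cannot be replaced until its whole TTL has
        # been used up, which is the behaviour the lecture describes.
        if not 0 <= locking_percent <= 100:
            raise ValueError("locking percent must be 0..100")
        self.locking_percent = locking_percent
        self._entries: Dict[str, CachedRecord] = {}
        # Audit trail of refused overwrites: (time, name, attempted rdata).
        self.rejected: List[Tuple[int, str, str]] = []

    def _is_locked(self, entry: CachedRecord, now: int) -> bool:
        lock_seconds = entry.ttl * self.locking_percent // 100
        return now < entry.cached_at + lock_seconds

    def store(self, name: str, rdata: str, ttl: int, now: int) -> bool:
        """Try to (re)populate the cache; returns False if the existing entry is locked."""
        existing = self._entries.get(name)
        if existing is not None and self._is_locked(existing, now):
            self.rejected.append((now, name, rdata))
            return False
        self._entries[name] = CachedRecord(rdata, ttl, now)
        return True

    def lookup(self, name: str, now: int) -> Optional[str]:
        """Return the cached rdata, or None once the TTL has expired."""
        entry = self._entries.get(name)
        if entry is None:
            return None
        if now >= entry.cached_at + entry.ttl:
            del self._entries[name]
            return None
        return entry.rdata


DAY = 24 * 3600


def run_scenario(locking_percent: int = 100, attack_time: int = 3600) -> Dict[str, object]:
    """Replay the lecture's scenario with a 24-hour TTL.  Addresses other than the
    lecture's own 184.108.40.206 are constructed documentation addresses (RFC 5737)."""
    cache = LockingCache(locking_percent)
    cache.store("www.sa.com", "184.108.40.206", DAY, now=0)                     # legitimate answer
    attack_ok = cache.store("www.sa.com", "203.0.113.66", DAY, now=attack_time)  # poisoning attempt
    return {
        "attack_accepted": attack_ok,
        "answer_after_attack": cache.lookup("www.sa.com", now=attack_time),
        "refresh_after_ttl": cache.store("www.sa.com", "198.51.100.7", DAY, now=DAY),  # normal refresh
        "rejected_log": list(cache.rejected),
    }


if __name__ == "__main__":
    print("locking 100%:", run_scenario(100))
    print("locking 50%, attempt at 13h:", run_scenario(50, attack_time=13 * 3600))
```

With the locking percentage at 100 the poisoning attempt one hour in is refused and the original answer keeps being served until the full TTL runs out; at 50 the same record becomes replaceable after 12 hours, which is why lowering the percentage trades poisoning resistance for faster propagation of legitimate changes. On Windows Server this value is the cache's LockingPercent setting (Set-DnsServerCache -LockingPercent); the rejected-overwrite list is the kind of event a defender would want logged.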
DNS Socket Pool
- The reply-back DNS server (I'll explain that in a minute) selects a source port from a pool of ports.
- When a DNS server goes out to the internet and performs recursive queries, the server that is replying back must use a random port number instead of a predictable port.
- Avoids using well-known ports.
- Avoids cache tampering.
Here’s how the DNS Socket Pool Works
The client uses port 53 to connect to the DNS server; now the DNS server uses port 53 to connect to another DNS server on the internet to complete the query.
The question is: what port does the server that replies back to the client use?
And the answer is, it varies. Instead of using a predictable source port, the incoming DNS server uses a random port number that it selects from the DNS socket pool.
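The socket pool idea, as an added example written for this page (not Server Academy's or Microsoft's code): the resolver keeps a pool of randomly chosen ephemeral ports, sends each outbound recursive query from one of them together with a random transaction ID, and accepts a reply only if it comes back to that port with that ID for the name it asked about. The host name and the addresses other than the lecture's 184.108.40.206 are constructed, and the pool size of 2500 is just the sample size used here.

```python
"""Added example (illustrative code written for this page, not Server Academy's or
Microsoft's): a toy model of a DNS socket pool.  Each outbound recursive query is
sent from a source port drawn at random from a pool of ephemeral ports, paired with
a random 16-bit transaction ID.  A reply is accepted only if it arrives on the port,
with the ID, and for the name of an outstanding query; anything else is dropped."""
import secrets
from typing import Dict, List, Tuple

DNS_PORT = 53
WELL_KNOWN_MAX = 1023


class SocketPool:
    def __init__(self, size: int = 2500, low: int = 49152, high: int = 65535) -> None:
        # The pool is a random subset of the ephemeral port range chosen once at
        # startup; 2500 is used here as the sample pool size.
        candidates = list(range(low, high + 1))
        if size > len(candidates) or low <= WELL_KNOWN_MAX:
            raise ValueError("pool must fit inside the ephemeral range above the well-known ports")
        self.ports: List[int] = secrets.SystemRandom().sample(candidates, size)

    def pick(self) -> int:
        """Source port for the next outbound query."""
        return secrets.choice(self.ports)


class Resolver:
    def __init__(self, pool: SocketPool) -> None:
        self.pool = pool
        self.outstanding: Dict[Tuple[int, int], str] = {}   # (src_port, txid) -> qname
        self.cache: Dict[str, str] = {}
        self.dropped: List[Tuple[int, int, str, str]] = []  # what a defender would log

    def send_query(self, qname: str) -> Tuple[int, int]:
        port, txid = self.pool.pick(), secrets.randbelow(1 << 16)
        self.outstanding[(port, txid)] = qname
        return port, txid

    def receive_reply(self, dst_port: int, txid: int, qname: str, rdata: str) -> bool:
        """Accept the reply only if it matches an outstanding query on that port and ID."""
        if self.outstanding.get((dst_port, txid)) != qname:
            self.dropped.append((dst_port, txid, qname, rdata))
            return False
        del self.outstanding[(dst_port, txid)]
        self.cache[qname] = rdata
        return True


def guess_space(pool_size: int) -> int:
    """Number of (port, ID) combinations a blind spoofer must cover: a fixed source
    port leaves only the 16-bit ID to guess; a pool multiplies that by the pool size."""
    return pool_size * (1 << 16)


def demo() -> Dict[str, object]:
    """Replay the lecture's scenario.  Addresses other than its own 184.108.40.206 are constructed."""
    resolver = Resolver(SocketPool(size=100))
    port, txid = resolver.send_query("www.sa.com")
    # Forged reply aimed at the predictable port 53 with a guessed ID: 53 is never in the pool.
    forged = resolver.receive_reply(DNS_PORT, 0x1234, "www.sa.com", "203.0.113.66")
    # Genuine reply returns to the randomly chosen port with the matching ID.
    genuine = resolver.receive_reply(port, txid, "www.sa.com", "184.108.40.206")
    return {
        "forged_accepted": forged,
        "genuine_accepted": genuine,
        "cached": resolver.cache.get("www.sa.com"),
        "dropped": len(resolver.dropped),
        "port_above_well_known": port > WELL_KNOWN_MAX,
    }


if __name__ == "__main__":
    print(demo())
    print("fixed port:", guess_space(1), "combinations; pool of 2500:", guess_space(2500))
```

The point of guess_space is the quantitative one behind "avoids cache tampering": with a fixed source port, a forged answer only has to hit the right 16-bit ID, while a pool of 2500 ports multiplies the search space by 2500. On Windows Server the pool size is the SocketPoolSize setting (dnscmd /Config /SocketPoolSize), and the dropped-reply list is the signal a defender would watch for spoofing attempts.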