Windows DNS Security Overview
The Windows DNS Security Overview
Save the world with DNSSEC. Perhaps a little dramatic.
But consider this: InfoWorld and Computerworld blamed a recent major Distributed Denial of Service (DDoS) attack that affected thousands of servers, computers and users on poorly configured DNSSEC servers.
And in this article, a leader in the DNS community warns us of the perils of not updating our servers and not using DNS Security.
What is DNSSEC? Domain Name System Security Extensions (DNSSEC) is a suite of extensions that add security to the Domain Name System (DNS) protocol by enabling DNS responses to be validated.
Why do we need to worry about deploying DNSSEC (Domain Name System Security Extensions)? Because DNS does not offer any form of security, it is vulnerable to spoofing, man-in-the-middle, and cache poisoning attacks. Attacks of this kind can compromise all future communications to the host. For this reason, it has become critical to develop a means for securing DNS.
DNSSEC fixes cache poisoning, a long-standing and potentially crippling vulnerability in the Domain Name System. Cache poisoning is inducing a name server to cache bogus resource records. Those records might map the domain name of a popular website -- say, www.amazon.com -- to the IP address of a web server under the control of thieving hackers. That web server may serve content that's indistinguishable from Amazon's real content; in fact, it may just proxy content from the real www.amazon.com. Unsuspecting users may enter valuable information at the impostor's website, where it's recorded and used to break into those users' accounts, run up charges, and so on.
Here is a very simple illustration of cache poisoning.
The victim sends a query to the local DNS server for the popular website www.amazon.com. The attacker either observes or predicts the victim's query, then beats the legitimate name server to a response, sending corrupt DNS data into the server's cache, and the victim is sent to a malicious website.
How does Microsoft DNSSEC address cache poisoning?
Basically, DNSSEC addresses cache poisoning by allowing the administrators of DNS zones to digitally sign their zone data. In this way DNS servers and resolvers build a chain of trust that lets them trust DNS responses, using the digital signatures for validation.
This illustration should clarify how Windows DNSSEC addresses cache poisoning.
A user types Usoft.com into their computer's browser. The request goes to the local DNS server, which does not have the domain name or IP address for Usoft in its local cache, so it passes the request on to the next DNS server. The ISP DNS server can't help either, so it passes the request on to the root server, which is a DNSSEC-enabled server. The root hints server (also known as a trust anchor), or starting point, contains a key that is used to create digital signatures for DNS data that is passed between servers or to the client.
The root server doesn't have the IP address or the host name for usoft.com, but because the request is for a .com, the root DNS server sends the request to the .com server, which is a DNSSEC-enabled server. The .com server looks in its cache and, in this case, is able to find www.Usoft.com and sends the request to the Usoft.com DNSSEC-enabled DNS server, which sends the IP address for www.Usoft.com back to the local user.
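To make the chain of trust concrete on the Windows side, here is an added example (not code from the Server Academy lesson) that checks, read-only, whether a zone is signed, whether the server holds a root trust anchor, and whether a query with the DNSSEC OK bit set returns RRSIG records. The zone name is taken from the walkthrough, the resolver address is a constructed placeholder, and it assumes the DnsServer PowerShell module is installed on the machine running it.

```powershell
# Added example (not from the Server Academy lesson): a read-only DNSSEC posture
# check for a Windows DNS server, run from an elevated PowerShell session that has
# the DnsServer module (RSAT or the DNS Server role). The resolver address is a
# constructed placeholder; the zone name is the one used in the lesson.
function Test-DnssecPosture {
    param(
        [string]$ZoneName = 'usoft.com',     # zone from the lesson's walkthrough
        [string]$Resolver = '192.0.2.53'     # constructed: validating resolver to query
    )
    $findings = @()

    # 1. Is the zone actually signed? An unsigned zone gives resolvers nothing to validate.
    $zone = Get-DnsServerZone -Name $ZoneName
    if (-not $zone.IsSigned) {
        $findings += "Zone $ZoneName is NOT signed. Remediate with: " +
                     "Invoke-DnsServerZoneSign -ZoneName $ZoneName -SignWithDefault -Force"
    } else {
        # 2. Report the KSK/ZSK pair whose private halves produce the RRSIG records.
        Get-DnsServerSigningKey -ZoneName $ZoneName |
            ForEach-Object { $findings += "Key: $($_.KeyType) $($_.CryptoAlgorithm) $($_.KeyLength) bits" }
    }

    # 3. A resolver can only build the chain of trust downward from a trust anchor.
    $anchor = Get-DnsServerTrustAnchor -Name '.' -ErrorAction SilentlyContinue
    if (-not $anchor) {
        $findings += "No root trust anchor configured. Remediate with: Add-DnsServerTrustAnchor -Root"
    } else {
        $findings += "Root trust anchor present ($($anchor.Count) record(s))"
    }

    # 4. Query with the DNSSEC OK bit: a signed answer must carry RRSIG records.
    $answer = Resolve-DnsName -Name "www.$ZoneName" -Type A -Server $Resolver -DnssecOk -ErrorAction SilentlyContinue
    if ($answer -and ($answer | Where-Object Type -eq 'RRSIG')) {
        $findings += "www.$ZoneName answer carries RRSIG records and can be validated"
    } else {
        $findings += "www.$ZoneName answer has no RRSIG: resolver or zone is not DNSSEC-enabled"
    }
    return $findings
}

Test-DnssecPosture | ForEach-Object { Write-Output $_ }
```

Each finding maps to one link in the chain the walkthrough describes: the trust anchor at the top, the signed zone at the bottom, and the RRSIG records that let a resolver in between reject a poisoned answer.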