0/1 Lessons

Course Introduction

• 10min

0 / 2 lessons complete

DNS Basics

• 1hr 16min

0 / 8 lessons complete

DNS Resource Records

• 46min

0 / 5 lessons complete

DNS Zones

• 3hr 41min

0 / 12 lessons complete

DNS Delegation

• 50min

0 / 4 lessons complete

DNS Security Techniques

• 36min

0 / 5 lessons complete

Advanced DNS Topics

• 22min

0 / 5 lessons complete

DNS Security (DNSSEC)

• 1hr 16min

0 / 6 lessons complete

DNS Policies

• 54min

0 / 6 lessons complete

PowerShell for DNS

• 1hr 27min

0 / 6 lessons complete

Troubleshooting DNS Issues - Troubleshooting Tools

• 1hr 39min

0 / 8 lessons complete

Windows DNS Security Overview


Q&A (0)

Notes (0)

Resources (0)

Saving Progress...


There are no resources for this lesson.

Notes can be saved and accessed anywhere in the course. They also double as bookmarks so you can quickly review important lesson material.

Create note

The Windows DNS Security Overview 

Save the world with DNSSEC. Perhaps a little dramatic.

But consider this. Info World and Computerworld blamed a recent major Distributed Denial of Service or DDOs attack that affected thousands of servers, computers and users on poorly configured DNSSEC servers for the outage.    

And in this article, a leader in the DNS community warn us of the perils of not updating our servers and not using DNS Security.  

What is DNSSEC - Domain Name System Security Extensions (DNSSEC) is a suite of extensions that add security to the Domain Name System (DNS) protocol by enabling DNS responses to be validated

Why do we need to worry about deploying DNSSEC? (Domain Name Security

Extensions). Because DNS does not offer any form of security, it is vulnerable to spoofing, man-in-the-middle, and cache poisoning attacks. Attacks of this kind can compromise all future communications to the host. For this reason, it has become critical to develop a means for securing DNS.

DNSSEC fixes Cache poisoning, which is a long standing potentially crippling vulnerability in the Domain Name System - Cache Poisoning is inducing a name server to cache bogus resource records. Those records might map the domain name of a popular website -- say, www.amazon.com -- to the IP address of a Web server under the control of thieving hackers. That Web server may serve content that's indistinguishable from Amazon’s real content; in fact, the Web server may just proxy content from the real www.amazon.com. Unsuspecting users may enter valuable information at the impostor’s website, where it's recorded and used to break in to those users' accounts, running up charges, and so on.

Here is a very simple illustration of cache poisoning.

The victim sends out a query to the local DNS server for the popular website www.amazon.com. The query from the victim is either observed or predicted by the bad guy. The attacker then beats the name server to a response sending corrupt DNS data to the server’s cache and the victim is sent to a malicious website.  

How does Microsoft DNSSec address cache poisoning?

Basically, DNSSec addresses cache poisoning by allowing the administrators of DNS zones to digitally sign their zone data, in this way DNS servers and resolvers create a chain of trust which enables them to trust the DNS responses by using digital signatures for validation.

This illustration should clarify how Windows DNSSEC addresses Cache Poisoning.  

A user types Usoft.com into their computers browser. The request goes to the Local DNS server which does not have the Domain Name or IPaddress for Usoft in its local cache so it passes the request on to the next DNS server. The ISP DNS server can’t help either so it passes the request onto the root server which is a DNSSEC enabled server. The root hints server (also known as a trust anchor) or starting point contains a key that is used to create digital signatures for DNS data that is passed between servers or the client.

The root server doesn’t have the IPaddress or the host name for usoft.com but because the request is for a .com, the root DNS server sends the request to the .com server which is a DNSSEC enabled server. The .com server looks in its cache and in this case, is able to find www.Usoft.com and sends the request to the Usoft.com DNSSEC enabled DNS server. Which sends the IPaddress for www.Usoft.com to the local user.

Server Academy Members Only

Sorry, this lesson is only available to Server Academy Full Access members. Become a Full-Access Member now and you’ll get instant access to all of our courses.

0 0 votes
Lesson Rating
Notify of
profile avatar
Inline Feedbacks
View all comments