Code Exploit Cyber Security: Implementing DNS in Windows Server 2016

The Domain Name System (DNS) is arguably one of the most important components of a computer network and internet infrastructure. DNS unavailability presents all sorts of problems related to finding resources on an internal network as well as external internet resources, acting like a phone book to translate familiar names such as www.google.co.uk to the IP address 8.8.8.8 and vice versa.

The function of DNS servers saves us humans from remembering IP addresses of our favourite sites, translating the names we type into corresponding IP addresses using cache tables. DNS can be described as a hierarchical, distributed database with delegated authority.

This delegated authority means the network administrator is responsible for ensuring internet users can look up an IP address associated with your domain. Some organisations allow their ISPs to manage their DNS for them which could be risky in case of configuration error or system failure which could result in organisations’ resources going offline.

There are 3 main components associated with DNS which will be highlighted below;

1. DNS Servers – These are machines that host DNS databases. Eg Google or Yahoo DNS servers

2. DNS Database – A list of names and corresponding IP addresses to resources on a network or internet.

3. DNS Clients – These are client machines that need to perform name resolution tasks in a network. They will query the server acting as DNS for an address or name resolution.

Knowing your DNS Terminologies

Be aware this lesson will be detailed and lengthy, because a good grasp of the concept of DNS implementation is vital to network administrators for troubleshooting DNS failure. Let’s dig in;

1. A Fully Qualified Domain Name – Sometimes referred to as an absolute domain name, FQDN is a name that specifies its exact location in the DNS hierarchy tree. All domain levels including top-level and root zone, distinguishing it by its lack of ambiguity; it can only be expressed or interpreted in one way only.

Example. A device with hostname svrhost in a parent domain example.com has a fully qualified domain name svrhost.example.com The FQDN uniquely distinguishes the device from any other hosts called svrhost in any other domains.

Many DNS resolvers treat domain names that contain a dot in any position as fully qualified or simply add the final dot required for the root of the domain tree.

2. A Domain Name – This is everything but the unqualified hostname. Using our example above, example.com is a domain with .com as the top level.

3. A Caching Nameserver – These are responsible for storing the results of previous DNS queries for an IP address. Client computers will check the cache of the local DNS server first before going out to the internet to query external DNS like Google’s 8.8.8.8 or 8.8.4.4

4. An Authoritative Nameserver – This is a server designated by the proper authority to provide name mapping for a particular domain. The proper authority for making this determination may vary depending on the hierarchy the server is located.

5. A Recursive Nameserver – This type of DNS server will transverse the entire hierarchical name space to resolve a query.

Bear in mind that a nameserver can have a combination of authoritative, caching and recursive characteristics. An authoritative server that provides external address mapping would usually not allow recursive queries from the outside world. Authoritative servers providing internal address mapping are often caching and recursive.

DNS Lookup Client

Applications perform DNS lookups with the aid of library call functions in the DLL, which in turn handle all communications with DNS servers over UDP and TCP, returning the final results of the lookups back to the application.

Microsoft’s DNS client also provides optional support for local caching, known as DNSCACHE in the form of a DNS Client Service. Before direct communications with DNS servers are established, the library routines attempt to make a local IPC connection to the DNS Client Service on the machine. If no records are found and one can be made, they handover the actual work of dealing with the lookup over the DNS Client Service. The service itself then communicates with the DNS servers and caches the results it receives.

The DNS Client is able to talk to multiple DNS servers with an algorithm that varies depending on the version and service pack level of the operating system. Communication is switched over to alternative DNS servers if the local server fails to respond.

Dynamic DNS Update Client

DNS updates writes DNS data as opposed to DNS lookup that reads data. Workstations and servers running Windows can attempt to send Dynamic DNS update requests to DNS servers.

Workstations connected to a local DNS server attempts to register their names and IP addresses, making them discoverable by other machines by name. Prior to Windows Server 2008 and Windows Vista, this task was handled by the DHCP Client Service, thus this service must be running in order to dynamically register a computer’s name and address whenever there is a change in system configuration. This can be achieved manually by system administrator or automatically by granting or revocation of a DHCP lease.

Microsoft Windows DNS Server

Microsoft Windows Server operating systems can run the DNS Server service, a monolithic DNS server that provides many types of DNS service such as Dynamic DNS update, DNS Caching, DNS notification and Zone Transfer. DNS notification is implemented using a push mechanism that notifies a select set of secondary servers for a zone when a record has been updated.

Microsoft’s DNS Server service was introduced in Windows NT 3.51 as an add-on with Microsoft’s collection of BackOffice services, which at the time was marked for testing purposes only. The technology however became notorious for incompatibility with BIND configuration files, particularly by lacking support for DNS wildcards and differing in its IPv6 implementation.

Since its introduction, Microsoft has worked hard to improve interoperability with BIND and other implementations like zone file format, zone transfer and other DNS protocols. This made Microsoft DNS the most popular as of 2004 counting BIND version 9 separately from version 8 and 4, for the publication of DNS data.

Microsoft DNS servers support different database back ends. DNS data can be stored on Master Files or Zone Files or in the Active Directory database itself. If Active Directory rather than the DNS server is used, the database can be modified with addition or removal of zones, causing an immediate replication propagation to all other DNS servers within the appropriate Active Directory “replication scope”.

Contrasting this automatic replication with BIND, where if any changes are made, the list of zones in the /etc/named.conf file will have to be explicitly updated on each individual server.

Microsoft DNS server infrastructure can be administered using the “DNS Management Console”, a graphical user interface or a command line interface called the dnscmd utility. Windows Server 2012 features a fully-fledged PowerShell utility for DNS server management.

Common DNS Server Issues

You will notice fairly quickly when the DNS server fails on your network, with multiple workstations including exchange server being inaccessible. You may experience problems pinging client computers inside a domain and struggle to reach any internet resource from outside the organisation.

Before the introduction of Windows Server 2003 Service Pack 3, the most common problem DNS servers encounter is Cache Pollution. Although there is a mechanism for properly handling DNS cache pollution, this feature is usually turned off by default. A DNS problem emerged with Windows Server 2003 versions causing a large number of firewalls to malfunction when configured to use EDNS0.

If you suspect a DNS failure on your network, a great first troubleshooting step is to launch cmd and run the command ipconfig /flushdns on the local DNS cache.

You will know it works when you see the Windows IP configuration successfully flushed the DNS Resolver Cache or Successfully flushed the DNS Resolver Cache message.

New DNS Update Changes Introduced in Windows Server 2016

When Microsoft released the new Windows Server 2016 operating system, computer engineers across the globe were excited to see the new bundled features. Below are a list of 6 new features introduced to the DNS server system when Windows Server 2016 was launched in September 26, 2016.

1. Response Rate Limiting (RRL) – This new feature is used to extenuate the DNS amplification attacks against a local DNS server. Computer hackers can forge the IP address of a victim network and sends a lot of queries to the local DNS server, prompting multiple response from the local DNS server to multiple attack DNS servers. This type of attack causes the network to choke and eventually collapse in an exploit known as DDoS attacks.

Windows Server 2016 DNS server introduced Response Rate Limiting to prevent abuse of the target DNS Server. Once RRL is enabled, Windows DNS servers will first cache the request, check for potential malicious activity originating from a single source IP address, limit and suspend the number of similar responses the DNS server sends to clients from the same subnet. There is an option to respond back with truncation, ensuring genuine clients revert back on TCP, where the protocol ensures legitimacy of client via its three-way handshake.

2. DNS Policies – This feature gives you control over configuring how your DNS server handles queries based on DNS Policies. Scenarios such as Recursion, Query Resolution, Zone Transfer and Traffic Management can be implemented.

3. IPv6 Root Hints – Installing DNS will automatically populate IPv6 Root Hints list in Windows Server 2016, without the need to manually update the 13 root name servers operated by 12 independent organizations.

4. DNS Based Authentication of Named Entities (DANE) – Defined in RFC 6698 DANE prevents man in the middle attacks on your DNS server by using TLSA (Transport Layer Security Authentication) records to notify the DNS clients what Certificate Authority they should expect a certificate from for your AD DS structure.

5. Extended Windows PowerShell Support – Just like the operating systems before, Windows Server 2016 comes with new PowerShell cmdlets.

6. Unknown Record Support – Some DNS servers have records that are not directly supported by Microsoft DNS server. Records that are not explicitly supported can now be added.

Examining the DNS Domain Namespace Hierarchy

Figure 1: Depicting different DNS levels in the hierarchy

The diagram above in Figure 1 represents the hierarchy structure in DNS domain namespace. To achieve this illustration yourself, Microsoft has a program called Visio Pro that gives you a range of drawing and shaping tools to illustrate network topologies.

We shall now discuss some DNS concepts to get a better understanding of how the system works with all sub-levels to give us the Fully Qualified Domain Name (FQDN).

All DNS names start with a dot which is the root domain and located on the rightmost side of the whole namespace. Remember that with DNS, we read addresses from right to left instead of left to right way we read everything else by nature. The dot is actually hidden so for a FQDN, the dot is assumed to be there so we don’t have to type that in.

The top-level domain will include popular names like .Net, .Com, .Co.UK, .Org etc. which then translates to the secondary –level domain which we create on our local server, in the example above will be ESXiOneLab.Local.

Multiple sub-domains can be created to identify locations such as America, UK, Asia, HQ etc. Having a host serverA in Marketing subdomain will have a FQDN: ServerA.Marketing.HQ.ESXiOneLab.Com

What is a DNS Query?

This is a request for name resolution directed at a DNS server by a client machine in the network.

Types of DNS Queries?

Two types of DNS queries exist;

-Iterative – In this type of query, the DNS server attempts to resolve the request based on what information is currently possesses.

-Recursive – This type of query attempts to resolve the request based on what information it has in its record, but will go further to research the intended address and give you an answer when it gets one from other DNS servers.

DNS servers can be either Authoritative which means they will resolve your query or say ‘No’, or non-authoritative which uses the DNS cache or forwarders which may be authoritative.

DNS Forwarders

These are simply DNS servers to which other DNS servers forward their queries for an address resolution.

Types of DNS Forwarders

Two main types of DNS forwarders exist;

Standard - are set to check their table and respond if they have an answer or forward to other DNS servers for a resolution.

Conditional – are set to check their table for a response and if not found, forward the request to a specific DNS server for a resolution.

When a client computer sends a request for resolution of ESXiOneLab.Com for example, to a local DNS server, a recursive query is sent and when an answer cannot be found, the local DNS sends another recursive query to a Forward DNS server.

Once received, the server sends an iterative query to the various Root DNS server, .Com DNS server and the DNS server actually carrying the record of ESXiOneLab.Com. The IP addresses is then acquired and sent back to the local DNS server where the client computer that requested it can now access the resources on that domain like a webpage.

Conditional forwarding differs from standard in the sense that, when the client computer sends the request, a forward DNS server already configured on the local server with the IP address of ESXiOneLab.Com will be sent this request for resolution.

DNS Zones

A zone is an area of DNS namespace for which the DNS server is authoritative over. There are a few types of DNS zones;

1. A Primary DNS Zone- contains a master copy of the database and has permission to read and write.

2. A Secondary DNS Zone- contains a read only copy of the database and serves as a look up table which cannot be updated.

3. Stub DNS Zone- DNS allows for delegations where another DNS server can be delegated the authority over a sub-domain. Stub zones function by allowing automatic propagation of delegations to DNS servers.

4. Forward Lookup Zone- This takes the queried name and resolves it into the corresponding IP address.

5. Reverse Lookup Zone- Does the opposite by resolving the IP address into the corresponding name of the target computer or resource.

6. Dynamic Updates- This enables a DNS server to automatically update its cache with new information about any client computer joining the network becomes available. This information used to manually be updated system administrators.

7. Active Directory Integrated- This is comes as part of the DNS server role installation in Active Directory Domain Services. The database files are not stored on a server but stored and replicated instantly as part of the Active Directory database.

Advantages of Active Directory Integrated DNS Zones

Implementing Active Directory Integrated zones comes with some benefits since the database is stored and replicated with Active Directory database itself. Below are some implementation advantages;

-Multimaster Replication

-Streamline Data Replication

-Backwards compatible to Secondary Zones

-Secure Dynamic Updates – only applies to clients joined to the domain

DNS Records

DNS records are stored in the database and used for different purposes;

-A (Host) – Host record is the most basic forward look up record. AAAA records are used in IPv6

-PTR (Pointer) – Reverse look up record of IP addresses into names

-SOA (Start of Authority) – Holds authority over a DNS zone

-SRV (Service Locator) - This helps point clients on a domain to a service such as domain controllers

-NS (Name Server) – The names of other DNS servers

-MX (Mail Exchanger) - Points to an email server namespace record

-CNAME (Alias) – Known as canonical name record or alias for a resource such as a web server

DNS Zone Transfers

These were used in Standard Zones and how information is transferred from Primary master read-write copy of the database to a Secondary read-only copy. Two types exist known as AXFR (Full Transfer) and IXFR (Incremental Transfer). Zone transfers are not used in Active Directory Integrated Zones.

Be aware that Zone Transfers pose a serious security risk, exploited by hackers in an attack where a transfer is sent to secondary DNS zones or server with malicious information.

Installing and Configuring DNS in Windows Server 2016

Once you have installed and activated Windows 2016. DNS can be installed as part of a role when you install Active Directory Domain Services (AD DS). You can go back to the procedure in our previous lesson, Installingand Configuring Windows Server 2012 if you are not familiar with this set up.

After your installation is complete and you have promoted the server to a domain controller, there are a few tasks required to configure your domain using a new forest if it’s the only DNS server available.

1. As industry practice, you can make some changes to your network card by accessing Control Panel > Network and Sharing Center > Change Adapter Settings > Right Click for the Properties of that card. Select the IPv4 settings and click properties. If you haven’t already done so, set the IP address of the DC as static.

Since our domain controller also now acts as our local DNS server, specify the same IP address in the preferred DNS section as shown below. This ensure any queries are directed to this local DNS first before attempting to send the request to other external DNS servers for resolution.

2. If your domain creation was successful, the server will reboot and give you the option to log into the domain account. Our lab here will be using HyperVOneLab.Local and DC IP address 192.168.0.25 throughout this demonstration. Remember you can choose any private IP range for your network.

Click Start > Administrative Tools > Launch DNS Manager.

Notice the newly promoted DC/DNS server name appear at the top with Forward Lookup Zones, Reverse Lookup Zones, Trust Points, Conditional Forwarders, Root Hints and Forwarders objects in the DNS tree.

3. Right Click the server and familiarise yourself with the options available. Select Properties.

4. The Interfaces tab is where you can select the IP addresses that will serve DNS requests. You can limit the IP address your DNS server listens on or set it to listen on All IP addresses.

5. The next tab is DNS Forwarders which contains a list of other DNS servers capable of resolving client requests in the event your local DNS has no record of the resource query. In this example we can input the external Google DNS servers 8.8.8.8 and 8.8.4.4 Tick Use root hints if no forwarders are available and click Apply.

6. The Advanced tab shows the server version number as well as server options. The option to load zone data on start is set by default to load from Active Directory and registry. Settings for scavenging stale DNS records can also be set in this window.

7. Root hints tab contains a list of Name servers which are used to resolve queries for zones that do not exist on the local DNS server. This action only happens if the forwarders are not configured or fail to respond.

8. The Debug Logging tab is disabled by default. You get the ability to record packets sent and received by the DNS server to a log file. The information could be useful for network security audit procedures.

9. Choose how you would like to log DNS events. All events logging is active by default. You can set your server to log errors and warnings or no events at all which is not recommended from a security view point.

10. Microsoft DNS lets you verify the configuration of the server by performing manual or automatic testing. A simple query against the DNS server or recursive query can be tested in this tab.

11. The last Security tab lets you assign read/write and full control permissions to the domain administrators. Inspect and ensure no unauthorized accounts have control over this zone.

12. Expand the Forward Lookup Zone and select YourDomain.Local to display the details in that database. Notice your server IP address listed against Host (A) with a corresponding IPv6 address against the (AAAA) zone file type.

13. Right click the Primary local zone and select properties. New DNS zone file records like MX, CNAME, DNSSEC options and Aliases can be created here.

14. Let’s explore the properties of the local DNS looking at the General tab. The status, Active Directory Integrated DNS type and replication can be viewed here along with the setting for Dynamic updates.

15. Start of Authority tab shows your DC/DNS which now holds authority over the domain.

16. The Name Servers tab shows the server Fully Qualified Domain Name and corresponding IP address which can communicate with this domain. This could be important when creating a secondary DNS zone on another DNS server as a read only copy to replicate the records from the Primary zone.

17. As we discussed earlier, the Zone Transfer tab allows you to specify whether your local DNS server transfers a copy of the zone to servers that request for it. For security reasons, set this Only servers listed in the Name Servers tab.

18. A network administrator may want to create a secondary DNS server essentially acting as a read-only copy of the Primary. To do this, right lick and select New Zone on the second server and run through the set up wizard.

19. The next screen gives you the option to select the zone type; Secondary selected in this case creates a copy of the zone that exists on another server, our Primary server. This configuration helps balance the processing load of primary servers and provides fault tolerance if DNS fails to respond.

20. Select whether you prefer this server to perform forward or reverse lookups.

21. Give the new DNS zone a name and finish to create the secondary DNS zone.

22. To test your DNS configuration has been successful. Open the network settings and notice the Ethernet status now shows YourDomain.Local

Final Thoughts

This article is intended as a guide to explaining the basic concepts and configuration of a local DNS server. Try pinging the domain controller from another machine on the network or spin up an Exchange virtual machine instance and try to join the new domain.

Bear in mind DNS is a very broad topic with advanced concepts to learn once the network topologies start to increase in complexity.

Do leave some comments on other ways to perform this task to help other students learn more.

Thank you for investing your time with us.