SlideShare a Scribd company logo
1
Milad Es’Haghi
DNS Day – 6/12/2019
Theways.ir/GAM Academi
2
• The Cold War was on, the USA was investing a lot in defense
and technology. In 1958, under the president Eisenhower,
ARPA (Advanced Research Projects Agency) started.
• The idea of packet switching was presented, and there was a
project to connect the Q-32 to the TX-2 computer (MIT’s
computer) under the management of Larry Roberts. Later in
1966, the same guy published a paper on ARPANET – a
packet switching network that uses TCP/IP protocol. It was
like the Internet, but not scalable. It took some more years
before it gets a reality.
• During the 70s there was a fast growth in the numbers of
computers in the world. There were different networks
appearing and even some international projects too. There
was a lot of development, and many different protocols and
programs were created. The first commercial e-mail
programs came in 1976.
History
3
• Before, there was a centralized HOSTS.TXT text that was
mapping the current sites. But, thanks to the growing
number of sites, the file was getting bigger too, and
there was a strong need for a decentralized model
• The DNS was created in 1983 and became one of the
original Internet Standards in 1986 (After the creation
of the Internet Engineering Task Force IETF). The two
documents that marked the start are RFC 1034 and RFC
1035. They describe the whole protocol functionality
and include data types that it can carry.
4
The DNS has seen various upgrades during its life. The first
major one was the introduction of the NOTIFY
mechanisms and Incremental Zone Transfer IXFR.
Now the servers were able to update dynamically. With the
NOTIFY, the master server can “say” to the slave servers
that it has an update that it must share. Before, the slaves
needed to check periodically
NameResolutionOverview
5
6
Hostfileandclientresolvercache
7
DNSQueries:
8
DNSResourceRecord
9
DNSZones:
10
Zonetransfer:
11
DynamicUpdate:
12
ADIZones:
13
DNSSuffix
14
DNS&DHCPIntegration
15
AgingandScavenging
16
DNSRoundRobin&Subnetprioritization
17
18
GlobalNames zone
19
What'sNewinDNSServerinWindowsServer
20
DNS Policies
Response Rate Limiting
DANE support
Unknown record support
IPv6 root hints
Windows PowerShell support
DNSPoliciesOverview
21
•Application Load Balancing. When you have deployed multiple instances of
an application at different locations, you can use DNS policy to balance the
traffic load between the different application instances, dynamically allocating
the traffic load for the application.
•Geo-Location Based Traffic Management. You can use DNS Policy to allow
primary and secondary DNS servers to respond to DNS client queries based on
the geographical location of both the client and the resource to which the
client is attempting to connect, providing the client with the IP address of the
closest resource.
22
Application Load Balancing
23
Split Brain DNS. With split-brain DNS, DNS records are
split into different Zone Scopes on the same DNS server,
and DNS clients receive a response based on whether the
clients are internal or external clients. You can configure
split-brain DNS for Active Directory integrated zones or
for zones on standalone DNS servers.
24
Filtering. You can configure DNS policy to create query filters that are based on criteria that
you supply. Query filters in DNS policy allow you to configure the DNS server to respond in a
custom manner based on the DNS query and DNS client that sends the DNS query.
Query filter criteria
You can create query filters with any logical combination (AND/OR/NOT) of the following criteria.
• Add-DnsServerClientSubnet -Name "MaliciousSubnet06" -IPv4Subnet 172.0.77.0/24 -
PassThru
• Add-DnsServerQueryResolutionPolicy -Name "BlockListPolicyMalicious06" -Action IGNORE -
ClientSubnet "EQ,MaliciousSubnet06" -PassThru `
25
Example :
Block queries from a subnet
With this example, you can block queries from a subnet if it is found to be infected by some malware
and is trying to contact malicious sites using your DNS server.
Add-DnsServerQueryResolutionPolicy -Name "AllowListQType" -Action IGNORE -QType
"A,AAAA,MX,NS,SOA" –ServerInterface “EQ,164.8.1.1” -PassThru
26
Allow only certain QTypes
You can apply Allow Lists to QTYPEs.
For example, if you have external customers querying DNS server interface 164.8.1.1, only certain
QTYPEs are allowed to be queried, while there are other QTYPEs like SRV or TXT records which are
used by internal servers for name resolution or for monitoring purposes.
https://docs.microsoft.com/en-us/windows-server/networking/dns/deploy/apply-filters-on-dns-queries
27
Forensics. You can use DNS policy to redirect malicious DNS clients to a non-existent IP
address instead of directing them to the computer they are trying to reach.
Network Forensics with Windows DNS Analytical Logging
Time of day based redirection.
You can use DNS policy to distribute application traffic across different geographically distributed instances of an
application by using DNS policies that are based on the time of day.
28
29
Use DNS Policy for Application Load Balancing Sample Code:
You can use the following Windows PowerShell commands to create zone scopes.
Add-DnsServerZoneScope -ZoneName “Theways.ir" -Name “HQ ZoneScope“
Add-DnsServerZoneScope -ZoneName " Theways.ir " -Name “BR1 ZoneScope"
Add-DnsServerZoneScope -ZoneName " Theways.ir" -Name “Br2 ZoneScope"
Step 1:
Step 2:
In HQ ZoneScope, you can add the record www.theways.ir with IP address 192.0.0.1, which is located in the
HQ datacenter.
In BR1 ZoneScope, you can add the same record ( www.theways.ir) with IP address 177.0.0.1 in the BR1
datacenter.
Similarly in BR2 ZoneScope, you can add a record ( www.theways.ir) with IP address 77.0.0.1 in the BR2
You can use the following Windows PowerShell commands to create a DNS policy that balances application
traffic across these three datacenters.
30
You can use the following Windows PowerShell commands to add records to the zone scopes.
Add-DnsServerResourceRecord -ZoneName “Theways.ir" -A -Name "www" -IPv4Address "192.0.0.1" -
ZoneScope “HQ ZoneScope
Step3 : Create the DNS Policies
Add-DnsServerQueryResolutionPolicy -Name “ALB Policy" -Action ALLOW -ZoneScope “HQ
ZoneScope,2 ;BR1 ZoneScope,1 ;BR2 ZoneScope,1" -ZoneName “Theways.ir"
You can configure RRL settings to control how to respond to requests to a DNS client when your server receives
several requests targeting the same client. By doing this, you can prevent someone from sending a Denial of
Service (Dos) attack using your DNS servers
31
Response Rate Limiting
32
For instance, a bot net can send requests to your DNS server using the IP address of a third
computer as the requestor. Without RRL, your DNS servers might respond to all the requests,
flooding the third computer. When you use RRL, you can configure the following settings:
• Responses per second. This is the maximum number of times the same response will be
given to a client within one second.
• Errors per second. This is the maximum number of times an error response will be sent
to the same client within one second.
• Window. This is the number of seconds for which responses to a client will be suspended
if too many requests are made.
• Leak rate. This is how frequently the DNS server will respond to a query during
the time responses are suspended. For instance, if the server suspends responses
to a client for 10 seconds, and the leak rate is 5, the server will still respond to one
query for every 5 queries sent. This allows the legitimate clients to get responses
even when the DNS server is applying response rate limiting on their subnet or
FQDN.
33
When you use RRL, you can configure the following settings :
34
TC rate. This is used to tell the client to try connecting with TCP when responses to the client are
suspended. For instance, if the TC rate is 3, and the server suspends responses to a given client, the server
will issue a request for TCP connection for every 3 queries received. Make sure the value for TC rate is
lower than the leak rate, to give the client the option to connect via TCP before leaking responses
Maximum responses. This is the maximum number of responses the server will issue to a client while responses
are suspended.
White list domains. This is a list of domains to be excluded from RRL settings.
White list subnets. This is a list of subnets to be excluded from RRL settings.
White list server interfaces. This is a list of DNS server interfaces to be excluded from RRL settings.
35
DANE support
You can use DANE support (RFC 6394 and 6698) to specify to your DNS clients what CA they should
expect certificates to be issued from for domains names hosted in your DNS server. This prevents a form
of man-in-the-middle attack where someone is able to corrupt a DNS cache and point a DNS name to
their own IP address.
36
For instance, imagine you host a secure website that uses SSL at www.Theways.ir by using a
certificate from a well-known authority named CA1. Someone might still be able to get a
certificate for www.Theways.ir from a different, not-so-well-known, certificate authority named
CA2. Then, the entity hosting the fake www.Theways.ir website might be able to corrupt the DNS
cache of a client or server to point www.Theways.ir to their fake site. The end user will be
presented a certificate from CA2, and may simply acknowledge it and connect to the fake site.
With DANE, the client would make a request to the DNS server for contoso.com asking for the
TLSA record and learn that the certificate for www.Theways.ir was issues by CA1. If presented
with a certificate from another CA, the connection is aborted.
Unknownrecordsupport
37
An "Unknown Record" is an RR whose RDATA format is not known to the DNS server. The newly
added support for unknown record (RFC 3597) types means that you can add the unsupported record
types into the Windows DNS server zones in the binary on-wire format. The windows caching resolver
already has the ability to process unknown record types.
38
IPv6 root hints
The IPV6 root hints, as published by IANA, have been added to the windows DNS server. The
internet name queries can now use IPv6 root servers for performing name resolutions.
39
list of the DNS root servers
Where are the DNS root servers located?
There are hundreds of root servers at over
130 locations all over the world. ICANN² is
responsible for the servers for one of the 13
IP addresses and entrusts the operation of
the rest to various other organizations. In
total,there are 12 organizations held
responsible, with VeriSign operating two of
them³.
40
Windows PowerShell support
41
DNSAttacks
42
43
https://securitytrails.com/blog/most-popular-types-dns-attacks
44
How to protect from DNS spoofing?
Always use a secure connection. Use encryption via SSL or TLS to verify the certificate of the website
you want to visit.
Use DNSSEC – Domain Name System Security Extensions checks the data authenticity with digitally
signed DNS records.
45
What is DNSSEC?
Beginning in 1993, the IETF started thinking about ways to make the DNS system more robust
and secure. And one of the proposed ways to harden the DNS system was to use DNSSEC.
DNSSEC (Domain Name System Security Extensions) was introduced more than ten years later
in 2005 as a new way to improve DNS security.
The DNS protocol is vulnerable to attack due to an inherent lack of authentication and integrity
checking of data that is exchanged between DNS servers or provided to DNS clients. DNSSEC
adds security to DNS responses by providing the ability for DNS servers to validate DNS
responses. With DNSSEC, resource records are accompanied by digital signatures. These digital
signatures are generated when DNSSEC is applied to a DNS zone using a process called zone
signing. When a resolver issues a DNS query for resource record in a signed zone, a digital
signature is returned with the response so that validation can be performed. If validation is
successful, this proves that the data has not been modified or tampered with in any way
https://www.cloudflare.com/dns/dnssec/how-dnssec-works/
46
DNS SEC Validation Rate by Country
Summary
47
THANKYOU
GAM Academy
09128986118
www.theways.ir
t.me/EnterpriseAdmins
48

More Related Content

What's hot

DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
FindWhitePapers
 
Understanding DNS Security
Understanding DNS SecurityUnderstanding DNS Security
Understanding DNS Security
Nihal Pasham, CISSP
 
DNS spoofing/poisoning Attack
DNS spoofing/poisoning AttackDNS spoofing/poisoning Attack
DNS spoofing/poisoning Attack
Fatima Qayyum
 
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Dan York
 
CNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureCNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and Architecture
Sam Bowne
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPS
Alex Mayrhofer
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows Networks
Men and Mice
 
Dnssec
DnssecDnssec
Dnssec
guest3131f85
 
DNS DDoS Attack and Risk
DNS DDoS Attack and RiskDNS DDoS Attack and Risk
DNS DDoS Attack and Risk
Sukbum Hong
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a time
APNIC
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security Extensions
Peter R. Egli
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Men and Mice
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
DNS Entrepreneurship Center
 
Thoughts about DNS for DDoS
Thoughts about DNS for DDoSThoughts about DNS for DDoS
Thoughts about DNS for DDoS
APNIC
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
APNIC
 
Dns tunnelling its all in the name
Dns tunnelling its all in the nameDns tunnelling its all in the name
Dns tunnelling its all in the name
Security BSides London
 
Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140) Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140)
Bangladesh Network Operators Group
 
7 technical-dns-workshop-day3
7 technical-dns-workshop-day37 technical-dns-workshop-day3
7 technical-dns-workshop-day3
DNS Entrepreneurship Center
 
A Measurement Study of Open Resolvers and DNS Server Version
A Measurement Study of Open Resolvers and DNS Server VersionA Measurement Study of Open Resolvers and DNS Server Version
A Measurement Study of Open Resolvers and DNS Server Version
Yuuki Takano
 
Content Navigation
Content NavigationContent Navigation
Content Navigation
sanjoysanyal
 

What's hot (20)

DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
 
Understanding DNS Security
Understanding DNS SecurityUnderstanding DNS Security
Understanding DNS Security
 
DNS spoofing/poisoning Attack
DNS spoofing/poisoning AttackDNS spoofing/poisoning Attack
DNS spoofing/poisoning Attack
 
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
 
CNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureCNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and Architecture
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPS
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows Networks
 
Dnssec
DnssecDnssec
Dnssec
 
DNS DDoS Attack and Risk
DNS DDoS Attack and RiskDNS DDoS Attack and Risk
DNS DDoS Attack and Risk
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a time
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security Extensions
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
Thoughts about DNS for DDoS
Thoughts about DNS for DDoSThoughts about DNS for DDoS
Thoughts about DNS for DDoS
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
 
Dns tunnelling its all in the name
Dns tunnelling its all in the nameDns tunnelling its all in the name
Dns tunnelling its all in the name
 
Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140) Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140)
 
7 technical-dns-workshop-day3
7 technical-dns-workshop-day37 technical-dns-workshop-day3
7 technical-dns-workshop-day3
 
A Measurement Study of Open Resolvers and DNS Server Version
A Measurement Study of Open Resolvers and DNS Server VersionA Measurement Study of Open Resolvers and DNS Server Version
A Measurement Study of Open Resolvers and DNS Server Version
 
Content Navigation
Content NavigationContent Navigation
Content Navigation
 

Similar to DNS - MCSE 2019

ION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSECION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSEC
Deploy360 Programme (Internet Society)
 
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet ThreatsNew DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
OpenDNS
 
Quad9 and DNS Privacy
Quad9 and DNS PrivacyQuad9 and DNS Privacy
OpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform TechnologyOpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform Technology
Courtland Smith
 
Data Security Governanace and Consumer Cloud Storage
Data Security Governanace and Consumer Cloud StorageData Security Governanace and Consumer Cloud Storage
Data Security Governanace and Consumer Cloud Storage
Daniel Rohan
 
ICANN 51: Name Collision
ICANN 51: Name CollisionICANN 51: Name Collision
ICANN 51: Name Collision
ICANN
 
AWS Route53
AWS Route53AWS Route53
Rhel4
Rhel4Rhel4
5.Dns Rpc Nfs 2
5.Dns Rpc Nfs 25.Dns Rpc Nfs 2
5.Dns Rpc Nfs 2
phanleson
 
5.Dns Rpc Nfs
5.Dns Rpc Nfs5.Dns Rpc Nfs
5.Dns Rpc Nfs
phanleson
 
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAILDNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
Utah Networxs Consultoria e Treinamento
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutions
APNIC
 
Dns1111111111
Dns1111111111Dns1111111111
Dns1111111111
hhaazzeemm
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT  AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT  AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
Felipe Prado
 
Unit VI Overlays
Unit VI OverlaysUnit VI Overlays
Unit VI Overlays
sangusajjan
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
Sam Bowne
 
Introduction
IntroductionIntroduction
Introduction
hajafaarukh
 
Learning series fundamentals of Networking and Medical Imaging
Learning series fundamentals of Networking and Medical ImagingLearning series fundamentals of Networking and Medical Imaging
Learning series fundamentals of Networking and Medical Imaging
Ryan Furlough, BSCPE CPAS
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
APNIC
 
DNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxDNS_Tutorial 2.pptx
DNS_Tutorial 2.pptx
viditsir
 

Similar to DNS - MCSE 2019 (20)

ION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSECION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSEC
 
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet ThreatsNew DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
 
Quad9 and DNS Privacy
Quad9 and DNS PrivacyQuad9 and DNS Privacy
Quad9 and DNS Privacy
 
OpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform TechnologyOpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform Technology
 
Data Security Governanace and Consumer Cloud Storage
Data Security Governanace and Consumer Cloud StorageData Security Governanace and Consumer Cloud Storage
Data Security Governanace and Consumer Cloud Storage
 
ICANN 51: Name Collision
ICANN 51: Name CollisionICANN 51: Name Collision
ICANN 51: Name Collision
 
AWS Route53
AWS Route53AWS Route53
AWS Route53
 
Rhel4
Rhel4Rhel4
Rhel4
 
5.Dns Rpc Nfs 2
5.Dns Rpc Nfs 25.Dns Rpc Nfs 2
5.Dns Rpc Nfs 2
 
5.Dns Rpc Nfs
5.Dns Rpc Nfs5.Dns Rpc Nfs
5.Dns Rpc Nfs
 
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAILDNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutions
 
Dns1111111111
Dns1111111111Dns1111111111
Dns1111111111
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT  AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT  AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
 
Unit VI Overlays
Unit VI OverlaysUnit VI Overlays
Unit VI Overlays
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
 
Introduction
IntroductionIntroduction
Introduction
 
Learning series fundamentals of Networking and Medical Imaging
Learning series fundamentals of Networking and Medical ImagingLearning series fundamentals of Networking and Medical Imaging
Learning series fundamentals of Networking and Medical Imaging
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
 
DNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxDNS_Tutorial 2.pptx
DNS_Tutorial 2.pptx
 

Recently uploaded

Network Security and Cyber Laws (Complete Notes) for B.Tech/BCA/BSc. IT
Network Security and Cyber Laws (Complete Notes) for B.Tech/BCA/BSc. ITNetwork Security and Cyber Laws (Complete Notes) for B.Tech/BCA/BSc. IT
Network Security and Cyber Laws (Complete Notes) for B.Tech/BCA/BSc. IT
Sarthak Sobti
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
APNIC
 
DocSplit Subsequent Implementation Activation.pptx
DocSplit Subsequent Implementation Activation.pptxDocSplit Subsequent Implementation Activation.pptx
DocSplit Subsequent Implementation Activation.pptx
AmitTuteja9
 
EASY TUTORIAL OF HOW TO USE CiCi AI BY: FEBLESS HERNANE
EASY TUTORIAL OF HOW TO USE CiCi AI BY: FEBLESS HERNANE EASY TUTORIAL OF HOW TO USE CiCi AI BY: FEBLESS HERNANE
EASY TUTORIAL OF HOW TO USE CiCi AI BY: FEBLESS HERNANE
Febless Hernane
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 
cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
GNAMBIKARAO
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
APNIC
 
Bangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
Bangalore Call Girls 9079923931 With -Cuties' Hot Call GirlsBangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
Bangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
narwatsonia7
 
Unlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENT
Unlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENTUnlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENT
Unlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENT
rajesh344555
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
thezot
 
Decentralized Justice in Gaming and Esports
Decentralized Justice in Gaming and EsportsDecentralized Justice in Gaming and Esports
Decentralized Justice in Gaming and Esports
Federico Ast
 
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
dtagbe
 
10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...
10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...
10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...
Web Inspire
 
KubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial IntelligentKubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial Intelligent
Emre Gündoğdu
 
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENTUnlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
rajesh344555
 

Recently uploaded (15)

Network Security and Cyber Laws (Complete Notes) for B.Tech/BCA/BSc. IT
Network Security and Cyber Laws (Complete Notes) for B.Tech/BCA/BSc. ITNetwork Security and Cyber Laws (Complete Notes) for B.Tech/BCA/BSc. IT
Network Security and Cyber Laws (Complete Notes) for B.Tech/BCA/BSc. IT
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
 
DocSplit Subsequent Implementation Activation.pptx
DocSplit Subsequent Implementation Activation.pptxDocSplit Subsequent Implementation Activation.pptx
DocSplit Subsequent Implementation Activation.pptx
 
EASY TUTORIAL OF HOW TO USE CiCi AI BY: FEBLESS HERNANE
EASY TUTORIAL OF HOW TO USE CiCi AI BY: FEBLESS HERNANE EASY TUTORIAL OF HOW TO USE CiCi AI BY: FEBLESS HERNANE
EASY TUTORIAL OF HOW TO USE CiCi AI BY: FEBLESS HERNANE
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
 
cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
 
Bangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
Bangalore Call Girls 9079923931 With -Cuties' Hot Call GirlsBangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
Bangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
 
Unlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENT
Unlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENTUnlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENT
Unlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENT
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
 
Decentralized Justice in Gaming and Esports
Decentralized Justice in Gaming and EsportsDecentralized Justice in Gaming and Esports
Decentralized Justice in Gaming and Esports
 
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
 
10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...
10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...
10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...
 
KubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial IntelligentKubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial Intelligent
 
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENTUnlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
 

DNS - MCSE 2019

  • 1. 1 Milad Es’Haghi DNS Day – 6/12/2019 Theways.ir/GAM Academi
  • 2. 2
  • 3. • The Cold War was on, the USA was investing a lot in defense and technology. In 1958, under the president Eisenhower, ARPA (Advanced Research Projects Agency) started. • The idea of packet switching was presented, and there was a project to connect the Q-32 to the TX-2 computer (MIT’s computer) under the management of Larry Roberts. Later in 1966, the same guy published a paper on ARPANET – a packet switching network that uses TCP/IP protocol. It was like the Internet, but not scalable. It took some more years before it gets a reality. • During the 70s there was a fast growth in the numbers of computers in the world. There were different networks appearing and even some international projects too. There was a lot of development, and many different protocols and programs were created. The first commercial e-mail programs came in 1976. History 3
  • 4. • Before, there was a centralized HOSTS.TXT text that was mapping the current sites. But, thanks to the growing number of sites, the file was getting bigger too, and there was a strong need for a decentralized model • The DNS was created in 1983 and became one of the original Internet Standards in 1986 (After the creation of the Internet Engineering Task Force IETF). The two documents that marked the start are RFC 1034 and RFC 1035. They describe the whole protocol functionality and include data types that it can carry. 4 The DNS has seen various upgrades during its life. The first major one was the introduction of the NOTIFY mechanisms and Incremental Zone Transfer IXFR. Now the servers were able to update dynamically. With the NOTIFY, the master server can “say” to the slave servers that it has an update that it must share. Before, the slaves needed to check periodically
  • 6. 6
  • 19. 19
  • 20. What'sNewinDNSServerinWindowsServer 20 DNS Policies Response Rate Limiting DANE support Unknown record support IPv6 root hints Windows PowerShell support
  • 21. DNSPoliciesOverview 21 •Application Load Balancing. When you have deployed multiple instances of an application at different locations, you can use DNS policy to balance the traffic load between the different application instances, dynamically allocating the traffic load for the application. •Geo-Location Based Traffic Management. You can use DNS Policy to allow primary and secondary DNS servers to respond to DNS client queries based on the geographical location of both the client and the resource to which the client is attempting to connect, providing the client with the IP address of the closest resource.
  • 23. 23 Split Brain DNS. With split-brain DNS, DNS records are split into different Zone Scopes on the same DNS server, and DNS clients receive a response based on whether the clients are internal or external clients. You can configure split-brain DNS for Active Directory integrated zones or for zones on standalone DNS servers.
  • 24. 24 Filtering. You can configure DNS policy to create query filters that are based on criteria that you supply. Query filters in DNS policy allow you to configure the DNS server to respond in a custom manner based on the DNS query and DNS client that sends the DNS query. Query filter criteria You can create query filters with any logical combination (AND/OR/NOT) of the following criteria.
  • 25. • Add-DnsServerClientSubnet -Name "MaliciousSubnet06" -IPv4Subnet 172.0.77.0/24 - PassThru • Add-DnsServerQueryResolutionPolicy -Name "BlockListPolicyMalicious06" -Action IGNORE - ClientSubnet "EQ,MaliciousSubnet06" -PassThru ` 25 Example : Block queries from a subnet With this example, you can block queries from a subnet if it is found to be infected by some malware and is trying to contact malicious sites using your DNS server.
  • 26. Add-DnsServerQueryResolutionPolicy -Name "AllowListQType" -Action IGNORE -QType "A,AAAA,MX,NS,SOA" –ServerInterface “EQ,164.8.1.1” -PassThru 26 Allow only certain QTypes You can apply Allow Lists to QTYPEs. For example, if you have external customers querying DNS server interface 164.8.1.1, only certain QTYPEs are allowed to be queried, while there are other QTYPEs like SRV or TXT records which are used by internal servers for name resolution or for monitoring purposes. https://docs.microsoft.com/en-us/windows-server/networking/dns/deploy/apply-filters-on-dns-queries
  • 27. 27 Forensics. You can use DNS policy to redirect malicious DNS clients to a non-existent IP address instead of directing them to the computer they are trying to reach. Network Forensics with Windows DNS Analytical Logging
  • 28. Time of day based redirection. You can use DNS policy to distribute application traffic across different geographically distributed instances of an application by using DNS policies that are based on the time of day. 28
  • 29. 29 Use DNS Policy for Application Load Balancing Sample Code: You can use the following Windows PowerShell commands to create zone scopes. Add-DnsServerZoneScope -ZoneName “Theways.ir" -Name “HQ ZoneScope“ Add-DnsServerZoneScope -ZoneName " Theways.ir " -Name “BR1 ZoneScope" Add-DnsServerZoneScope -ZoneName " Theways.ir" -Name “Br2 ZoneScope" Step 1: Step 2: In HQ ZoneScope, you can add the record www.theways.ir with IP address 192.0.0.1, which is located in the HQ datacenter. In BR1 ZoneScope, you can add the same record ( www.theways.ir) with IP address 177.0.0.1 in the BR1 datacenter. Similarly in BR2 ZoneScope, you can add a record ( www.theways.ir) with IP address 77.0.0.1 in the BR2
  • 30. You can use the following Windows PowerShell commands to create a DNS policy that balances application traffic across these three datacenters. 30 You can use the following Windows PowerShell commands to add records to the zone scopes. Add-DnsServerResourceRecord -ZoneName “Theways.ir" -A -Name "www" -IPv4Address "192.0.0.1" - ZoneScope “HQ ZoneScope Step3 : Create the DNS Policies Add-DnsServerQueryResolutionPolicy -Name “ALB Policy" -Action ALLOW -ZoneScope “HQ ZoneScope,2 ;BR1 ZoneScope,1 ;BR2 ZoneScope,1" -ZoneName “Theways.ir"
  • 31. You can configure RRL settings to control how to respond to requests to a DNS client when your server receives several requests targeting the same client. By doing this, you can prevent someone from sending a Denial of Service (Dos) attack using your DNS servers 31 Response Rate Limiting
  • 32. 32 For instance, a bot net can send requests to your DNS server using the IP address of a third computer as the requestor. Without RRL, your DNS servers might respond to all the requests, flooding the third computer. When you use RRL, you can configure the following settings:
  • 33. • Responses per second. This is the maximum number of times the same response will be given to a client within one second. • Errors per second. This is the maximum number of times an error response will be sent to the same client within one second. • Window. This is the number of seconds for which responses to a client will be suspended if too many requests are made. • Leak rate. This is how frequently the DNS server will respond to a query during the time responses are suspended. For instance, if the server suspends responses to a client for 10 seconds, and the leak rate is 5, the server will still respond to one query for every 5 queries sent. This allows the legitimate clients to get responses even when the DNS server is applying response rate limiting on their subnet or FQDN. 33 When you use RRL, you can configure the following settings :
  • 34. 34 TC rate. This is used to tell the client to try connecting with TCP when responses to the client are suspended. For instance, if the TC rate is 3, and the server suspends responses to a given client, the server will issue a request for TCP connection for every 3 queries received. Make sure the value for TC rate is lower than the leak rate, to give the client the option to connect via TCP before leaking responses Maximum responses. This is the maximum number of responses the server will issue to a client while responses are suspended. White list domains. This is a list of domains to be excluded from RRL settings. White list subnets. This is a list of subnets to be excluded from RRL settings. White list server interfaces. This is a list of DNS server interfaces to be excluded from RRL settings.
  • 35. 35 DANE support You can use DANE support (RFC 6394 and 6698) to specify to your DNS clients what CA they should expect certificates to be issued from for domains names hosted in your DNS server. This prevents a form of man-in-the-middle attack where someone is able to corrupt a DNS cache and point a DNS name to their own IP address.
  • 36. 36 For instance, imagine you host a secure website that uses SSL at www.Theways.ir by using a certificate from a well-known authority named CA1. Someone might still be able to get a certificate for www.Theways.ir from a different, not-so-well-known, certificate authority named CA2. Then, the entity hosting the fake www.Theways.ir website might be able to corrupt the DNS cache of a client or server to point www.Theways.ir to their fake site. The end user will be presented a certificate from CA2, and may simply acknowledge it and connect to the fake site. With DANE, the client would make a request to the DNS server for contoso.com asking for the TLSA record and learn that the certificate for www.Theways.ir was issues by CA1. If presented with a certificate from another CA, the connection is aborted.
  • 37. Unknownrecordsupport 37 An "Unknown Record" is an RR whose RDATA format is not known to the DNS server. The newly added support for unknown record (RFC 3597) types means that you can add the unsupported record types into the Windows DNS server zones in the binary on-wire format. The windows caching resolver already has the ability to process unknown record types.
  • 38. 38 IPv6 root hints The IPV6 root hints, as published by IANA, have been added to the windows DNS server. The internet name queries can now use IPv6 root servers for performing name resolutions.
  • 39. 39 list of the DNS root servers Where are the DNS root servers located? There are hundreds of root servers at over 130 locations all over the world. ICANN² is responsible for the servers for one of the 13 IP addresses and entrusts the operation of the rest to various other organizations. In total,there are 12 organizations held responsible, with VeriSign operating two of them³.
  • 41. 41
  • 44. 44 How to protect from DNS spoofing? Always use a secure connection. Use encryption via SSL or TLS to verify the certificate of the website you want to visit. Use DNSSEC – Domain Name System Security Extensions checks the data authenticity with digitally signed DNS records.
  • 45. 45 What is DNSSEC? Beginning in 1993, the IETF started thinking about ways to make the DNS system more robust and secure. And one of the proposed ways to harden the DNS system was to use DNSSEC. DNSSEC (Domain Name System Security Extensions) was introduced more than ten years later in 2005 as a new way to improve DNS security. The DNS protocol is vulnerable to attack due to an inherent lack of authentication and integrity checking of data that is exchanged between DNS servers or provided to DNS clients. DNSSEC adds security to DNS responses by providing the ability for DNS servers to validate DNS responses. With DNSSEC, resource records are accompanied by digital signatures. These digital signatures are generated when DNSSEC is applied to a DNS zone using a process called zone signing. When a resolver issues a DNS query for resource record in a signed zone, a digital signature is returned with the response so that validation can be performed. If validation is successful, this proves that the data has not been modified or tampered with in any way