S 2.413 Secure use of DNS for Active Directory
Initiation responsibility: Head of IT
Implementation responsibility: Administrator
An Active Directory installation usually consists of several servers holding different directory partitions. So that clients can locate a domain controller, and so that domain controllers can find each other, for example for replication, Active Directory publishes its servers as DNS records (SRV records such as _ldap._tcp.<domain> and the entries below _msdcs.<forest root domain>) and looks them up via the Domain Name System (DNS). The DNS service is therefore a fundamental component of the Active Directory: a client that receives wrong DNS answers is sent to the wrong server.
In order to ensure the integrity and availability of the Active Directory, unauthorised systems in the network must not be able to register or modify DNS records and thereby redirect DNS client requests. In Windows environments, the DNS data should therefore be kept in DNS zones that are integrated into Active Directory and hosted on the domain controllers. The zone data is then stored as directory objects below a container named "MicrosoftDNS": in the domain partition (CN=MicrosoftDNS,CN=System,<domain DN>) for zones with the domain-wide replication of the Windows 2000 type, or in the DomainDnsZones and ForestDnsZones application partitions for zones with the replication scopes introduced with Windows Server 2003.
The configuration data of the DNS server and of the DNS zones integrated into Active Directory is stored in the Windows registry (below HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters). Access to this configuration data should be restricted to administrative accounts.
The following addresses only DNS zones integrated into Active Directory and therefore only the Windows-server-specific features that support the secure operation of Active Directory. More comprehensive, general safeguards for securing DNS servers are not described here.
In order to protect the DNS infrastructure, the DNS servers themselves should be protected, the DNS data stored on them should be adequately protected, and the integrity of the DNS responses should be protected while in transit to the clients. The following describes possible ways of implementing such protection.
In order to guarantee the integrity of the DNS data held temporarily in the cache of the domain controller, the "Secure cache against pollution" option must be enabled for the DNS server service. With this option the server discards records in a response that do not belong to the DNS subtree of the name it asked for (for example an additional A record for a name outside the queried domain), so that a system answering a query cannot plant arbitrary entries in the cache.
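As an added example that is not part of the original safeguard text, the following PowerShell checks and enables the cache pollution protection on a Windows DNS server. It assumes the DnsServer module (Windows Server 2012 or later); the server name is a placeholder.

```powershell
# Added example (not from the original safeguard): enable and verify
# "Secure cache against pollution" on a Windows DNS server.
# Assumes the DnsServer PowerShell module; the host name is a placeholder.
$Server = 'dc01.corp.example'   # assumed host name

# Weak state: pollution protection off, the cache accepts every record a response carries.
$before = Get-DnsServerCache -ComputerName $Server
"Pollution protection before: $($before.EnablePollutionProtection)"

# Hardened state: only records within the subtree of the queried name are cached.
Set-DnsServerCache -ComputerName $Server -PollutionProtection $true

# Verify that the change took effect.
$after = Get-DnsServerCache -ComputerName $Server
if (-not $after.EnablePollutionProtection) {
    throw "Pollution protection is still disabled on $Server"
}
"Pollution protection after: $($after.EnablePollutionProtection)"

# Equivalent on servers without the DnsServer module (Windows Server 2008 R2 and earlier);
# the setting is the SecureResponses value below the DNS\Parameters registry key:
#   dnscmd $Server /Config /SecureResponses 1
```

The registry value that the cmdlet writes is SecureResponses below HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters, so the review can also be done by reading that value on each domain controller.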
Access to the DNS service of the domain controller should be restricted as far as possible, for example by filtering port 53 (UDP and TCP; TCP is needed for zone transfers and for responses too large for a single UDP datagram) on the security gateway between two network segments. The DNS service must remain reachable for the following communication paths:
- between the DNS clients and the DNS server responsible for them,
- between DNS servers that carry out zone transfers (zones integrated into Active Directory are replicated through Active Directory replication instead, so this path is only needed where secondary zones exist),
- between DNS servers that delegate the client requests to the corresponding zones and the DNS servers responsible for the particular zone,
- between DNS servers that forward the client requests and the DNS servers in higher levels of the hierarchy.
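Where the gateway cannot filter close enough to the domain controller, the same restriction can be applied on the domain controller itself. The following is an added example, not part of the original safeguard, that scopes the inbound DNS rules of the Windows Firewall to the networks and peers that actually need them and then reports any allow rule for port 53 that is still open to every address. The address ranges and the rule group name 'DNS Service' (the group the DNS Server role installs its rules under) are assumptions to be checked on the target system.

```powershell
# Added example (not from the original safeguard): restrict inbound DNS (UDP and TCP 53)
# on a domain controller to the clients and DNS peers that need it. Assumes the
# NetSecurity module (Windows Server 2012 or later); all addresses are placeholders.
$ClientNets = @('10.10.0.0/16')                  # assumed: subnets served by this DC
$DnsPeers   = @('10.20.0.10', '10.20.0.11')      # assumed: other DNS servers (transfers, forwarding)
$Allowed    = $ClientNets + $DnsPeers

# The DNS Server role installs inbound rules (assumed group name 'DNS Service') that
# accept queries from any address. Scope them to the allowed networks instead of
# leaving them open.
Get-NetFirewallRule -DisplayGroup 'DNS Service' -Direction Inbound -ErrorAction Stop |
    Set-NetFirewallRule -RemoteAddress $Allowed -Enabled True

# Report every enabled inbound allow rule for local port 53 whose remote scope is still 'Any',
# including rules that were added outside the DNS Service group.
function Get-OpenDnsRule {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            ($port.LocalPort -eq '53') -and ($addr.RemoteAddress -eq 'Any')
        }
}

$open = Get-OpenDnsRule
if ($open) {
    $open | Select-Object DisplayName, DisplayGroup, Profile | Format-Table -AutoSize
    Write-Warning "$($open.Count) inbound DNS rule(s) still accept queries from any address"
} else {
    'No inbound DNS rule is open to any address.'
}
```

Run it on the domain controller after the DNS Server role is installed, and again after each role or software installation, since new rules may reopen the port. Zone transfers additionally need TCP 53 only from the configured secondary servers, so $DnsPeers can be split into a stricter TCP-only list where the number of secondaries is small.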
Furthermore, network activity should be monitored with regard to DNS requests, since an unusually large number of DNS requests within a short period can indicate a denial-of-service (DoS) attack against a DNS server and thus, under certain circumstances, against a domain controller as well. In this case the source should be identified as quickly as possible and appropriate countermeasures taken (see also S 6.106 Creation of a business continuity plan for the failure of a directory service).
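A simple form of such monitoring is a per-source query count over a fixed time window. The following added example, which is not part of the original safeguard, implements that check in PowerShell. In production the input would come from the DNS Server analytical log (Microsoft-Windows-DNSServer/Analytical, event ID 256 QUERY_RECEIVED, whose Source field carries the client address); here a constructed sample is used so that the logic runs offline. The threshold of 500 queries per minute is an assumed baseline, not a value from the safeguard.

```powershell
# Added example (not from the original safeguard): flag clients that send an unusual
# number of DNS queries to a server within a time window. Input objects need a Time
# (DateTime) and a Source (string) property.
function Find-DnsQueryBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Queries,
        [int] $WindowSeconds = 60,
        [int] $Threshold = 500          # assumed baseline; tune per environment
    )
    $ticksPerWindow = [long]$WindowSeconds * 10000000   # 100 ns ticks per window

    # Assign every query to a (source, window) bucket based on its UTC timestamp.
    $buckets = foreach ($q in $Queries) {
        $slot = [math]::Floor($q.Time.ToUniversalTime().Ticks / $ticksPerWindow)
        [pscustomobject]@{ Key = "$($q.Source)|$slot"; Source = $q.Source; Slot = [long]$slot }
    }

    # Report buckets whose count exceeds the threshold.
    $buckets | Group-Object -Property Key | Where-Object Count -gt $Threshold | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Source      = $first.Source
            WindowStart = [datetime]::new($first.Slot * $ticksPerWindow, [DateTimeKind]::Utc)
            Queries     = $_.Count
        }
    }
}

# Constructed sample: one host sends 600 queries within a minute, another behaves normally.
$t0 = [datetime]::new(2024, 3, 1, 9, 0, 0, [DateTimeKind]::Utc)
$sample = @()
$sample += 1..600 | ForEach-Object { [pscustomobject]@{ Time = $t0.AddMilliseconds($_ * 90); Source = '10.10.5.23' } }
$sample += 1..40  | ForEach-Object { [pscustomobject]@{ Time = $t0.AddSeconds($_);           Source = '10.10.7.8' } }

Find-DnsQueryBurst -Queries $sample -Threshold 500 | Format-Table -AutoSize

# Production path (assumed field names of event 256 in the analytical log, which must be
# enabled first): map the events onto the Time/Source shape used above.
#   Get-WinEvent -LogName 'Microsoft-Windows-DNSServer/Analytical' -Oldest |
#       Where-Object Id -eq 256 |
#       ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Source = $_.Properties[3].Value } } |
#       Find-DnsQueryBurst
```

The constructed run reports 10.10.5.23 once, for the window starting 09:00:00 UTC, and nothing for 10.10.7.8. The property index used to extract the source address from event 256 is an assumption and should be verified against an exported event before relying on it.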
The confidentiality, authenticity, and integrity of IP traffic in the network can be ensured using Internet Protocol Security (IPsec). When connections are established with IPsec, clients and servers authenticate each other (in a Windows domain typically with Kerberos computer credentials or with certificates), so the DNS client can verify that the responses actually originate from the DNS server it addressed.
The integrity of the DNS data during transmission can be protected by IPsec using the Authentication Header (AH) and/or the Encapsulating Security Payload (ESP).
In contrast to AH, ESP also encrypts the protected traffic (unless a null encryption algorithm is selected) and therefore also ensures the confidentiality of the DNS data; AH, moreover, does not pass through NAT. ESP with an encryption algorithm should be used for exactly this reason. Note that a client must be able to resolve the name of a domain controller before it can obtain the Kerberos ticket that IPsec authentication needs, so enforcing IPsec on all client DNS traffic can create a bootstrap problem; the measure is most straightforward between domain controllers and DNS servers.
The use of IPsec increases the amount of data transmitted and the processing load on the endpoints. Before IPsec is introduced it should therefore be ensured that adequate resources are available, so that sufficient data transmission rates remain available in the network when encryption and/or integrity protection is enabled.
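The following added example, which is not part of the original safeguard, shows how such a rule looks with the Windows connection security cmdlets: Kerberos computer authentication in phase 1 and ESP with AES-256/SHA-256 in quick mode, applied to DNS traffic between a domain controller and its DNS peers. Peer addresses and display names are placeholders; the cmdlet and parameter names are those of the NetSecurity module.

```powershell
# Added example (not from the original safeguard): require IPsec ESP with encryption for
# DNS traffic between a domain controller and its DNS peers, authenticated with Kerberos
# computer accounts. Assumes the NetSecurity module; addresses are placeholders.
$Peers = @('10.20.0.10', '10.20.0.11')   # assumed: the other domain controllers / DNS servers

# Phase 1: mutual computer authentication via Kerberos, no pre-shared keys.
$authProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'DNS peers: Kerberos computer auth' `
    -Proposal $authProposal

# Quick mode: ESP with AES-256 and SHA-256, so the payload is encrypted and not only
# integrity-protected (the Windows default proposal list also offers integrity-only ESP).
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'DNS peers: ESP AES256/SHA256' `
    -Proposal $qmProposal

# Two rules per protocol: queries this server answers (local port 53) and queries it sends
# to its peers (remote port 53). Start with -InboundSecurity Request to confirm that
# security associations form, then switch to Require.
$rules = @(
    @{ Name = 'DNS served';  Proto = 'UDP'; Local = '53';  Remote = 'Any' },
    @{ Name = 'DNS served';  Proto = 'TCP'; Local = '53';  Remote = 'Any' },
    @{ Name = 'DNS to peer'; Proto = 'UDP'; Local = 'Any'; Remote = '53'  },
    @{ Name = 'DNS to peer'; Proto = 'TCP'; Local = 'Any'; Remote = '53'  }
)
foreach ($r in $rules) {
    New-NetIPsecRule -DisplayName "IPsec $($r.Name) $($r.Proto)" `
        -Protocol $r.Proto -LocalPort $r.Local -RemotePort $r.Remote `
        -RemoteAddress $Peers -Mode Transport `
        -InboundSecurity Require -OutboundSecurity Require `
        -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $qmSet.Name | Out-Null
}

# Verification after some DNS traffic has flowed: established SAs and the cipher in use.
Get-NetIPsecQuickModeSA | Select-Object LocalEndpoint, RemoteEndpoint, Encryption, Hash
```

The rules are deliberately scoped to the listed peers rather than to all clients, for the bootstrap reason given above: a client that cannot yet resolve a domain controller cannot fetch the Kerberos ticket the rule demands. Throughput should be measured with Get-NetIPsecQuickModeSA showing active associations, since that is the state in which the encryption overhead applies.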
Adequate protection of the DNS data stored
The following aspects should be taken into consideration for the protection of the DNS data stored on the server:
- A DNS server is supplied with every Windows server operating system. If this DNS server is used, it must be configured so that it only processes registration requests (dynamic updates) from authorised clients in the overall Active Directory structure, i.e. dynamic updates must be set to "Secure only", which is available only for zones integrated into Active Directory. If the DNS server is not used, the service should be disabled.
- If a DNS server from a different manufacturer is used, it must be ensured that this product supports secure dynamic updating of the DNS data and that the server is configured accordingly.
- Access to the DNS data in the corresponding Active Directory containers "MicrosoftDNS" should be controlled using ACLs so that only the Administrators, Domain Admins, Enterprise Admins, and DnsAdmins groups have full access to the zone data. Ordinary domain members need no more than the rights that secure dynamic update grants them for their own records.
- The administration of the DNS server, and thus of the DNS data, is just as critical as the configuration of the Active Directory. For this reason, administrator authorisations for DNS should be assigned following the same procedure as for the service administrator accounts (see S 2.411 Separation of the administration of services and data of an Active Directory).
- Information on secondary DNS zones is not stored in the Active Directory on a domain controller but in a text-based zone file (by default below %SystemRoot%\System32\dns). If possible, a distributed DNS structure should be used in which each DNS server only hosts the zones it is authoritative for and forwards or delegates client requests for other zones to the DNS server responsible, so that no secondary copies are needed.
If secondary DNS zones cannot be avoided in this way, for example because of the volume of data, the zone file must be protected against unauthorised access using NTFS permissions.
Only the Administrators, Domain Admins, Enterprise Admins, and DnsAdmins groups should have full access to the data of the secondary zones.
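The points above on dynamic updates, on the ACLs of the MicrosoftDNS containers, and on the NTFS permissions of zone files can be audited together. The following is an added example, not part of the original safeguard, that runs on a domain controller with the DnsServer and ActiveDirectory modules and reports deviations; the domain name is a placeholder, and the list of groups permitted full control assumes a single-domain forest (in a child domain, Enterprise Admins belongs to the forest root domain and would be listed under that name).

```powershell
# Added example (not from the original safeguard): audit stored DNS data on a domain
# controller. Run on the DC itself (the NTFS check reads local files). Assumes the
# DnsServer and ActiveDirectory modules; the domain name is a placeholder.
$Dc     = $env:COMPUTERNAME
$Domain = 'corp.example'           # assumed
Import-Module DnsServer, ActiveDirectory

# 1. AD-integrated primary zones must accept only secure dynamic updates.
Get-DnsServerZone -ComputerName $Dc |
    Where-Object { $_.ZoneType -eq 'Primary' -and $_.IsDsIntegrated -and -not $_.IsAutoCreated } |
    ForEach-Object {
        if ($_.DynamicUpdate -ne 'Secure') {
            Write-Warning "Zone $($_.ZoneName): dynamic update is '$($_.DynamicUpdate)'; setting it to Secure"
            Set-DnsServerPrimaryZone -ComputerName $Dc -Name $_.ZoneName -DynamicUpdate Secure
        }
    }

# 2. Full control on the MicrosoftDNS containers. Zone objects live in the domain
#    partition or in the DomainDnsZones / ForestDnsZones application partitions,
#    depending on the replication scope, so all three containers are checked.
$adDomain = Get-ADDomain -Identity $Domain
$netbios  = $adDomain.NetBIOSName
$domainDn = $adDomain.DistinguishedName
$forestDn = (Get-ADRootDSE -Server $Dc).rootDomainNamingContext
$containers = @(
    "CN=MicrosoftDNS,CN=System,$domainDn",
    "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn",
    "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDn"
)
# Assumed single-domain forest: these are the only principals allowed full control.
$fullControlAllowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
    "$netbios\Domain Admins", "$netbios\Enterprise Admins", "$netbios\DnsAdmins")
$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

foreach ($dn in ($containers | Where-Object { Test-Path "AD:\$_" })) {
    foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
        $isFull = (($ace.ActiveDirectoryRights -band $genericAll) -eq $genericAll)
        if ($isFull -and $ace.AccessControlType -eq 'Allow' -and
            $fullControlAllowed -notcontains "$($ace.IdentityReference)") {
            Write-Warning "$dn grants full control to $($ace.IdentityReference)"
        }
    }
}

# 3. Secondary zones are text files; only the administrator groups (and SYSTEM) may write them.
$zoneDir = Join-Path $env:SystemRoot 'System32\dns'
$writeBits = [System.Security.AccessControl.FileSystemRights]::Write
Get-ChildItem -Path $zoneDir -Filter '*.dns' -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($ace in (Get-Acl -Path $_.FullName).Access) {
        $canWrite = (($ace.FileSystemRights -band $writeBits) -ne 0)
        if ($canWrite -and $ace.AccessControlType -eq 'Allow' -and
            $fullControlAllowed -notcontains "$($ace.IdentityReference)") {
            Write-Warning "$($_.FullName): write access for $($ace.IdentityReference)"
        }
    }
}
'DNS data audit finished.'
```

A clean run prints only the closing line. Warnings from step 1 are corrected in place, whereas steps 2 and 3 only report, because an ACL that deviates from the default may be deliberate (a delegated DNS operator group, for instance) and should be reviewed against S 2.411 before it is changed.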
Additional information on the configuration of DNS servers can be found online in the documents "Best Practice Active Directory Design for Managing Windows Networks" and "Best Practice Active Directory Deployment for Managing Windows Networks" in the Microsoft TechNet (http://technet.microsoft.com).
Review questions:
- Are Active Directory-integrated DNS zones and/or secure dynamic updates used so that unauthorised systems cannot register or modify DNS records?
- Is access to the configuration data of the DNS server only admissible from administrative accounts?
- Is the DNS cache on DNS servers protected against unauthorised changes?
- Is access to the DNS service of the domain controllers (e.g. at the security gateway) restricted to the required extent?
- Is the network activity monitored with respect to DNS requests?
- If IPsec is used to protect the DNS communication: is adequate data throughput guaranteed in the network?
- Is access to the DNS data in the Active Directory restricted to administrators using ACLs?
- Are secondary DNS zones avoided or is the zone file at least protected against unauthorised access?