Understand and Secure Your Windows DNS Infrastructure
The Internet would be brought to its knees if DNS functionality were disrupted. With the advent of Windows 2000, your Windows network has a DNS Achilles heel, too. In the days of NT 4, Windows depended on the Windows Internet Naming System (WINS) for name resolution. In this environment NetBIOS broadcasts are redirected to a central WINS server. It is easy to set up, but not very secure. Thankfully modern Windows DNS gives us the ability to create a secure name resolution environment with dynamic updates.
Why is DNS so important in a Windows network? DNS does an assortment of important tasks for us. It tells hosts where to find servers and workstations in the domain. You may be familiar with type "A" DNS resource records. These records link a host name to its IP address. When you map a drive to \fileserver.domain.comshare one of the first things that Windows does is lookup the DNS A record for "fileserver." This returns the IP address for "fileserver" and Windows will then communicate with the server via its IP address. Modern Windows hosts use dynamic DNS to update their A records once every 24 hours, upon reboot, and when renewing a DHCP lease.
Windows also uses DNS to find domain controllers. To achieve this Microsoft DNS implements SRV records. These records provide more information than the simple host name to IP address mapping of an A record. The SRV records return the name of the host that is providing a specific service as well as the port that the service is listening on. SRV records can also return priority and weight fields, but these are not used for domain controller lookup. Run the following at a command prompt to see a list of the domain controllers on your domain:
For your domain's PDC emulator try:
Because DNS is so important in a modern Windows network, care must be taken to ensure high availability. Be sure that you are running at least two DNS servers. This can be done using Active Directory (AD) integrated DNS or by setting up primary and secondary DNS servers. When using AD integrated DNS, the DNS records are stored inside AD allowing multi-master replication. In other words, each DNS server can accept dynamic updates from servers and workstations. The changes are then replicated through AD to the other DNS server(s). With primary and secondary servers, only the primary server can receive updates. The secondary server gets a copy of the DNS database and will refer any dynamic updates to the primary server. Type the following at a command prompt to see your primary DNS server:
ls -t soa YOUR_DOMAIN
With AD integrated DNS this command will return whichever AD integrated DNS server you are currently talking to.
If you have two DNS servers setup consider a few additional steps to increase the likelihood that at least one of your DNS servers will always be available. If you have several racks in your data center you can locate the DNS servers in different areas. You might also want to put the DNS servers on different subnets.
Now that we have been thoroughly introduced to the importance of DNS in a Windows environment, let's take a closer look at security. Most administrators are not going to have time to manually update DNS resource records for each host in their domain every time an IP address changes. This means that dynamic updates are probably enabled. With this option enabled, hosts on your domain can dynamically update their IP address in DNS. Ideally you should use AD integrated DNS with the "secure updates only" option because this will use Kerberos authentication for dynamic DNS updates. Non-AD integrated DNS cannot use secure updates. Follow these steps to see if you are running AD integrated DNS:
1. Click Start, point to Administrative Tools, and then click DNS
2. Under DNS, double-click the applicable DNS server, double-click Forward Lookup Zones or Reverse Lookup Zones, and then right-click the applicable zone
3. Click Properties
The type field should read Active Directory-Integrated. If it does not then you can click on the "Change" button and check the box for "Store the zone in Active Directory." Once your zone is stored in AD you can set the "Dynamic updates:" option to "Secure only."
Of course, there are a few issues to deal with when switching to AD integrated DNS. Once you make the switch, each DNS resource record will have a set of permissions attached to it. Normally when a host creates a new resource record in an AD integrated zone it will be granted permission to update that resource record in the future. Unfortunately, when a DNS zone is converted to AD integrated, the default permissions do not grant a host the ability to update its own resource record. This means that as hosts get new IP addresses they will not be able to update themselves in DNS.
There are a few ways to get around this little problem. First, you can delete all of your DNS host records after converting to AD integrated DNS. Within 24 hours each Windows 2000 or newer host will create a new resource record for itself in DNS. Another option is to enable scavenging before switching to AD integrated DNS. This will put a time stamp on each of the DNS records dynamically updated by hosts. After switching to AD integrated DNS, each host record will eventually age out because the record will not be updated. Within 24 hours the aged host record will be added back with the correct permissions. Finally, you can manually give permissions to the AD computer object for each host record.
Remember, without DNS your Windows network will cease to function. Be sure that you have a good understanding of your DNS environment and take the necessary steps to secure it properly.
How to configure DNS dynamic updates in Windows Server 2003