What is DNS?
In simple words, DNS lets us reach resources on the internet using names we are familiar with instead of IP addresses.
Let's keep it simple. In networking, computers and devices communicate using IP addresses, so when a device wants to send data to another device, it uses the target device's IP address.
Any website on the internet is hosted on a server, and that server has an IP address, so strictly speaking you would have to request the website by its IP address. Imagine having to memorize the IPs of every server hosting a website all over the world!
Obviously, we need a solution, and this is where DNS comes in.
Simply put, DNS maps names to IP addresses so that each device can be reached by name. It works much like a phonebook.
If you type www.google.com in your browser's address bar and the IP address for google.com is already in your computer's local memory (its cache), the browser opens Google straight away.
If the IP address is not in your local cache, your computer goes out to the internet and queries a chain of DNS servers to find the IP of google.com.
If the first server has no record for google.com, it passes the request on to the next server, and so on until a match is found.
When the IP record is found, it is passed back along the chain of DNS servers that your request traversed.
Each time a DNS server in that chain obtains a matching record, it stores the IP address in its own cache so that it can answer the same query more quickly next time.
Now that your computer has Google's IP, it caches it for later use, and from now on it can reach Google by name.
Installing DNS role on Windows Server 2016
Let's now see how to install DNS on our server. For that you need a running Windows Server 2016, either on physical hardware or in a virtual machine; VirtualBox works fine as a hypervisor.
Before we start, make sure that your server's IP address is configured as static.
You can use any IP you want; the address shown here is just an example.
1. In Server Manager, click Add roles and features.
2. Installation type: select Role-based or feature-based installation, then click Next.
3. Select a destination server, then click Next (in our case it is our local server).
4. Server roles: select the DNS Server role and click Next.
5. By default this also installs the administration tools, such as the DNS MMC console. Click Add Features.
6. Review the DNS installation summary, click Next, then Install.
After the installation finishes, you will see the DNS role in the left-hand panel of Server Manager.
From Server Manager select Tools, then DNS Manager. The server role is now up and ready to be configured.
Great! That is how you install DNS on your Windows server.
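If you prefer to do the same installation without the wizard, here is an added PowerShell equivalent (example code, not from the original article). It checks the static-address requirement from the previous section first; interface names and addresses on your server will differ.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell on the server.

function Test-StaticIPv4 {
    # The article requires a static address. A DHCP-assigned address shows PrefixOrigin 'Dhcp'.
    $dhcp = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.PrefixOrigin -eq 'Dhcp' -and $_.InterfaceAlias -notmatch 'Loopback' }
    if ($dhcp) {
        Write-Warning "DHCP address on $($dhcp.InterfaceAlias -join ', '): set a static IP before installing DNS."
        return $false
    }
    return $true
}

function Install-DnsRole {
    if (-not (Test-StaticIPv4)) { return }

    # Same as the wizard: the DNS Server role plus the DNS Manager console (RSAT tools)
    $result = Install-WindowsFeature -Name DNS -IncludeManagementTools
    if (-not $result.Success) { throw "DNS role installation failed (exit code $($result.ExitCode))" }
    if ($result.RestartNeeded -ne 'No') { Write-Warning 'A restart is required to finish the installation.' }

    # The role runs as the 'DNS' service: make sure it is running and starts at boot
    Set-Service -Name DNS -StartupType Automatic
    Start-Service -Name DNS
    Get-Service -Name DNS | Select-Object Name, Status, StartType
}

Install-DnsRole
```

Once this reports the service as Running, Server Manager > Tools > DNS opens the same console the wizard leaves you with.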
Now that the DNS role is installed, let's go over the DNS basics, covering the following topics:
- Hosts File.
- DNS Console.
- DNS Record types.
- Create Forward lookup zone.
- Recursive and iterative queries.
1. Hosts File
Before DNS servers existed, Windows used a "hosts" file to map IP addresses to names.
This hosts file still exists and is useful in several scenarios. For example, to block a website on your computer, you map the website name to your local address (127.0.0.1); the request is then sent to your own machine, where the website does not exist, so it will not open.
The hosts file is located at "C:\Windows\System32\Drivers\etc\hosts".
In order to edit this file, you need to open a text editor with administrative rights.
- Right-click Notepad and select Run as administrator.
- Then open the "hosts" file at the path above.
This file is also abused for a form of DNS poisoning: an attacker adds an entry for a common website such as facebook.com, but instead of Facebook's real IP address they enter the IP address of a phishing website that looks like Facebook, in order to steal usernames, passwords or other personal information.
Let's try a small trick.
Add the following line to this file and save it:
Now try to browse to Facebook on your computer!
You will find that Facebook does not open; this is what I meant earlier about blocking a website using the hosts file.
You can also ping facebook.com: it will return 127.0.0.1, your local address, as Facebook's IP address.
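Because the hosts file is consulted before DNS, it is worth knowing exactly what it overrides on a machine. The following added PowerShell example (not from the original article) parses the file at the path given above, then asks DNS directly for each name (the -NoHostsFile switch of Resolve-DnsName bypasses the file) and reports whether an entry is a deliberate loopback block, like the trick above, or a redirection that differs from what DNS says, which is the poisoning pattern described earlier.

```powershell
# Added example, not from the original article. Reads the hosts file; no administrative rights needed.

function Get-HostsFileEntry {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    foreach ($raw in Get-Content -Path $Path) {
        $line = ($raw -split '#', 2)[0].Trim()      # strip comments
        if (-not $line) { continue }                # skip blank and comment-only lines
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }       # an address with no names is not an entry
        # One line may list several names for the same address
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{
                Address  = $fields[0]
                Name     = $name
                Loopback = $fields[0] -in @('127.0.0.1', '::1')
            }
        }
    }
}

function Test-HostsFileOverride {
    # Compare every hosts entry with the answer DNS gives for the same name
    foreach ($entry in Get-HostsFileEntry) {
        $dns = Resolve-DnsName -Name $entry.Name -Type A -NoHostsFile -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
        $assessment = if ($entry.Loopback)              { 'Blocked locally (loopback)' }
                      elseif ($dns -contains $entry.Address) { 'Matches DNS' }
                      else                               { 'Redirected: differs from DNS, verify' }
        [pscustomobject]@{
            Name       = $entry.Name
            HostsFile  = $entry.Address
            DnsAnswer  = ($dns -join ', ')
            Assessment = $assessment
        }
    }
}

Test-HostsFileOverride | Format-Table -AutoSize
```

After the Facebook trick above, the report shows facebook.com as "Blocked locally (loopback)"; an entry flagged "Redirected" sends a well-known name to an address DNS never returned, which is exactly what the poisoning scenario looks like on an endpoint.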
2. DNS Console
To open the DNS Manager (management console), go to Server Manager > Tools > DNS.
This console lets you manage your local DNS server as well as any remote DNS server on your network.
If you want to connect to a remote DNS server, right-click DNS and click Connect to DNS Server.
Now let's expand the server node; we will find the following:
Forward Lookup Zones – The most common type of zone. DNS clients use it to map hostnames to IP addresses.
Reverse Lookup Zones – DNS clients use this zone to map IP addresses to hostnames.
Trust Points – A trust point is a public cryptographic key for a signed zone.
Conditional Forwarders – Forward the queries this server receives, based on the name in the query, to the IP address of a specific DNS server or servers.
Root Hints – If your network is connected to the internet, this file contains the records for the DNS root servers located on the internet.
Forwarders – A forwarder is a DNS server on a network that is used to forward queries for external DNS names to DNS servers outside that network.
If we right-click the server name, the following items are shown:
Configure a DNS Server: helps you create forward and reverse lookup zones, root hints and forwarders.
Create Default Application Directory Partitions: here you control the replication scope for zones stored in an Active Directory partition.
New Zone: create the different types of zones (primary, secondary, stub).
Set Aging/Scavenging for All Zones: cleans up stale resource records, which accumulate in zone data over time.
Scavenge Stale Resource Records: removes all stale records on the server now.
Update Server Data Files: forces the zone data to be written out, whether it is stored in Active Directory or in a text file.
Clear Cache: flushes the DNS server cache.
Launch nslookup: opens nslookup for troubleshooting DNS problems.
Now let's open the server's Properties; we get the properties dialog with the following tabs and options.
Interfaces: lists the network cards on your server and lets you choose which IP addresses the DNS server listens on.
Forwarders: lists the DNS servers that can resolve queries for records this server cannot resolve itself.
Disable recursion: prevents attackers from taking advantage of a server that is not intended to receive recursive queries. We will explain recursion later.
Enable BIND secondaries: lets a Microsoft DNS server replicate zone data with a UNIX-based (BIND) DNS server.
Fail on load if bad zone data: by default the DNS server skips errors in zone data. If you want the server to refuse to load a zone that contains bad data, select this check box.
Enable round robin: rotates the order of multiple addresses in answers, used for simple load balancing.
Enable netmask ordering: orders the addresses in a response so that clients are directed to the closest servers first, reducing network traffic.
Secure cache against pollution: prevents the server from caching records that may be bogus; this option controls how resource records returned in responses are added to the cache.
Root Hints: lists the DNS root servers located on the internet.
Debug Logging: to assist with debugging DNS, you can record the packets sent and received by the DNS server to a log file.
Event Logging: the DNS event log keeps a record of errors, warnings and other events encountered by the DNS server.
Monitoring: use this to verify the configuration of the DNS server.
Security: grant or deny various permissions to groups or users.
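The options above that matter most for an exposed server (recursion, cache pollution protection, logging, cache flushing) can be set and read back from PowerShell. The following is an added example, not from the original article; it assumes the server only hosts its own zones (authoritative only), so recursion is not needed, and the log path is an assumed value. Keep recursion enabled on a server that your clients use to resolve internet names.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell on the DNS server.

function Set-DnsServerHardening {
    param([string]$LogPath = 'C:\DnsLogs\dns.log')   # assumed log location

    # Properties > Advanced > "Disable recursion": an authoritative-only server should not
    # answer recursive queries from arbitrary clients (open-resolver abuse, cache poisoning surface).
    # Note: on Windows this also disables forwarders, as the checkbox itself says.
    Set-DnsServerRecursion -Enable $false

    # Properties > Advanced > "Secure cache against pollution"
    Set-DnsServerCache -PollutionProtection $true

    # Properties > Debug Logging: record queries and answers in both directions for troubleshooting
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    Set-DnsServerDiagnostics -Queries $true -Answers $true -ReceivePackets $true -SendPackets $true `
        -UdpPackets $true -TcpPackets $true -LogFilePath $LogPath

    # Same as right-click > Clear Cache, so answers cached before the change do not linger
    Clear-DnsServerCache -Force
}

function Get-DnsServerHardeningReport {
    # Read the effective settings back so the change can be verified or audited
    [pscustomobject]@{
        RecursionEnabled    = (Get-DnsServerRecursion).Enable
        PollutionProtection = (Get-DnsServerCache).PollutionProtection
        DebugLogFile        = (Get-DnsServerDiagnostics).LogFilePath
        Forwarders          = ((Get-DnsServerForwarder).IPAddress -join ', ')
    }
}

Set-DnsServerHardening
Get-DnsServerHardeningReport
```

The report should show RecursionEnabled False and PollutionProtection True. Debug logging is verbose; the log file grows quickly on a busy server, so enable it while troubleshooting rather than permanently.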
3. DNS Record Types
DNS holds different types of records, which are responsible for mapping between IPs and names.
The resource record types we will cover are SOA, NS, A, PTR, CNAME, MX and SRV.
SOA: every DNS zone has an SOA (start of authority) record, which contains information about the zone itself.
NS: lets you delegate one of your subdomains to a different name server.
A: maps an FQDN (fully qualified domain name) to an IP address. This is the most used record type.
PTR: the exact opposite of the A record; maps an IP address to a name. Used in reverse zones to get the name from an IP.
CNAME: an alias for an existing FQDN.
MX: specifies the mail servers for your domain, such as Exchange servers.
SRV: specifies the servers that provide a particular service or protocol, for example a record for a web server in your domain.
4. Create Forward Lookup Zone
- In the DNS Manager, double-click Forward Lookup Zones.
- Right-click Forward Lookup Zones, click New Zone, click Next, click Next again (Primary Zone), then Next.
- For Zone name, type "YourZoneName", click Next, click Next again, then Finish.
- The new zone is displayed.
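The wizard steps above, plus one record of each type from the record-types section, can be done from PowerShell. This is an added example, not from the original article; the zone name corp.example.com, the 10.0.2.0/24 network and the host names are assumed lab values.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell on the DNS server.

$zone    = 'corp.example.com'
$revZone = '2.0.10.in-addr.arpa'      # reverse zone for 10.0.2.0/24 (network octets reversed)

# Primary zones stored in text files (the wizard's "Primary zone" choice on a non-domain-controller)
Add-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns"
Add-DnsServerPrimaryZone -NetworkId '10.0.2.0/24' -ZoneFile "$revZone.dns"

# A: name -> address. -CreatePtr writes the matching PTR into the reverse zone at the same time.
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'web01' -IPv4Address '10.0.2.6' -CreatePtr

# PTR: address -> name, added by hand this time to show the record itself
Add-DnsServerResourceRecordA   -ZoneName $zone    -Name 'mail01' -IPv4Address '10.0.2.7'
Add-DnsServerResourceRecordPtr -ZoneName $revZone -Name '7'      -PtrDomainName "mail01.$zone"

# CNAME: alias for an existing FQDN
Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'www' -HostNameAlias "web01.$zone"

# MX: mail server for the zone apex (Name '.'); the lowest preference is tried first
Add-DnsServerResourceRecordMX -ZoneName $zone -Name '.' -MailExchange "mail01.$zone" -Preference 10

# SRV: where a service lives, named _service._protocol, with priority, weight and port
Add-DnsServerResourceRecord -Srv -ZoneName $zone -Name '_ldap._tcp' -DomainName "dc01.$zone" `
    -Priority 0 -Weight 100 -Port 389

function Test-ZoneRecords {
    # Read the zone back, then resolve one forward and one reverse name through this server itself
    Get-DnsServerResourceRecord -ZoneName $zone | Format-Table HostName, RecordType, RecordData -AutoSize
    Resolve-DnsName -Name "www.$zone" -Type A   -Server 127.0.0.1
    Resolve-DnsName -Name '10.0.2.7'  -Type PTR -Server 127.0.0.1
}
Test-ZoneRecords
```

The forward query for www returns the CNAME followed by the A record it points to; the reverse query returns the PTR for mail01. The SOA and NS records are created automatically with the zone, which is why they are not added above.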
5. Recursive and Iterative Queries
Recursive query: the DNS server does not stop working on the request until it has an answer (a name resolution); if necessary it contacts other servers itself in an attempt to resolve the name.
Iterative query: the DNS server tries to resolve the name from its own zones or its cache only, and does not contact other DNS servers to obtain the result; it answers with the best information it has.
In this scenario, the client PC wants to resolve the IP address of "xyz.com". The first step is to check its own cache for the record; if it is not there, the client sends a recursive query to the ISP DNS server requesting the IP address.
The ISP DNS server looks in its cache; if the record is not found there either, it sends an iterative query to the root DNS servers on the internet. The process repeats with the .com servers and then with the authoritative xyz.com server, after which the IP mapping is sent back to the client machine, and every server along the way keeps the record in its cache until it expires or the cache is flushed.
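The walk-through above, and the caching chain described in "What is DNS?", can be reproduced from a Windows client. The following added example (not from the original article) first sends a normal recursive query and shows the cached answer with its TTL, then performs the iterative walk itself: non-recursive queries starting at a root server, following each referral until an authoritative answer arrives. It assumes Resolve-DnsName reports a referral's NS records in the Authority section and glue addresses in the Additional section, as the Windows 10 / Server 2016 client does; 198.41.0.4 is a.root-servers.net from the published root hints, and xyz.com is the article's example name.

```powershell
# Added example, not from the original article. Needs internet access for the root server queries.

function Trace-DnsIterative {
    param([Parameter(Mandatory)][string]$Name, [string]$RootServer = '198.41.0.4')
    $server = $RootServer
    for ($hop = 1; $hop -le 8; $hop++) {
        # -NoRecursion clears the RD bit: the server answers from its own data or refers us onward
        $reply  = Resolve-DnsName -Name $Name -Type A -Server $server -NoRecursion -DnsOnly -ErrorAction Stop
        $answer = @($reply | Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq 'A' })
        if ($answer.Count) {
            return "hop $hop : $server answered: $($answer.IPAddress -join ', ')"
        }
        $ns = @($reply | Where-Object { $_.Section -eq 'Authority' -and $_.Type -eq 'NS' })
        if (-not $ns.Count) { throw "hop $hop : no answer and no referral from $server" }
        "hop $hop : $server referred us to the $($ns[0].Name) servers ($($ns[0].NameHost))"
        # Use the glue address from the Additional section if present, otherwise look the name server up normally
        $glue = $reply | Where-Object { $_.Section -eq 'Additional' -and $_.Type -eq 'A' -and $_.Name -eq $ns[0].NameHost } |
            Select-Object -First 1
        $server = if ($glue) { $glue.IPAddress }
                  else { (Resolve-DnsName -Name $ns[0].NameHost -Type A -ErrorAction Stop |
                          Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress }
    }
    throw "gave up after $($hop - 1) hops"
}

function Show-RecursiveWithCache {
    param([Parameter(Mandatory)][string]$Name)
    Clear-DnsClientCache
    # Recursive query: the resolver from the client's IP settings does the whole walk for us
    $first = Resolve-DnsName -Name $Name -Type A | Where-Object Type -eq 'A'
    # The answer now sits in the local cache with a TTL counting down; a second lookup is served from there
    $cached = Get-DnsClientCache -Entry $Name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name      = $Name
        Address   = ($first.IPAddress -join ', ')
        CachedTTL = ($cached.TimeToLive -join ', ')
    }
}

Show-RecursiveWithCache -Name 'xyz.com'
Trace-DnsIterative -Name 'xyz.com'
```

The trace prints three hops for a typical .com name: the root server refers to the com servers, a com server refers to the name servers for xyz.com, and one of those answers. Running Show-RecursiveWithCache twice without clearing the cache shows the TTL shrinking, which is the "local memory" the first section describes.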
DNS Zones
A DNS zone is a collection of DNS resource records (like xyz.com and its associated IP address).
There are two main types of DNS zones; forward and reverse lookup zones.
Forward Lookup Zones
Converts a domain name to an IP address.
An example would be typing the command “nslookup google.com” in the command line. This would be a forward lookup.
Reverse Lookup Zones
Converts an IP address to a domain name. For example, you can ask a DNS server which hostname uses the IP address 10.0.2.6, and the reverse lookup zone will provide the DNS hostname.
A primary zone is a DNS zone for which this DNS server is the primary source of information.
A secondary zone is a read-only replica of a primary DNS zone that is hosted on another remote DNS server.
If you try to make a change in a secondary DNS zone, the change request will be passed on to the server which holds the primary zone. If the server is available, the change will be made.
The purpose of a secondary DNS zone comes down to redundancy. If the server hosting the primary copy is unavailable, this server will be available for use by clients in its place.
A stub zone is similar to a secondary zone in that it is a read-only zone that obtains its information from other DNS servers. The main difference between a stub zone and a secondary zone is that while a secondary zone contains an exact replica (including all resource records) of a primary zone, a stub zone only contains information about authoritative name servers.
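The three zone types above, set up across two servers, as an added PowerShell example (not from the original article). It assumes a primary server at 10.0.2.5 holding corp.example.com, a second server at 10.0.2.8, and a partner zone eng.example.net whose authoritative server is 10.0.3.5; all of these are assumed lab values. The transfer restriction is the detail to note: a zone transfer hands out every record, so only the secondaries you list should be allowed to pull it.

```powershell
# Added example, not from the original article. The two halves run on different servers.

$zone = 'corp.example.com'

# --- on the primary server (10.0.2.5) ---
# Only the listed secondary may pull the zone; anyone else asking for a transfer is refused
Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries TransferToSecureServers -SecondaryServers 10.0.2.8
# Send DNS NOTIFY to the secondary when the zone changes so it refreshes before its SOA refresh timer
Set-DnsServerPrimaryZone -Name $zone -Notify NotifyServers -NotifyServers 10.0.2.8

# --- on the second server (10.0.2.8) ---
# Secondary zone: a read-only copy of every record, pulled from the primary
Add-DnsServerSecondaryZone -Name $zone -ZoneFile "$zone.dns" -MasterServers 10.0.2.5
Start-DnsServerZoneTransfer -Name $zone -FullTransfer

# Stub zone: only SOA, NS and glue records, enough to find the partner's authoritative servers
Add-DnsServerStubZone -Name 'eng.example.net' -ZoneFile 'eng.example.net.dns' -MasterServers 10.0.3.5

function Get-ZoneCopySummary {
    param([Parameter(Mandatory)][string]$ZoneName)
    # ZoneType distinguishes Primary, Secondary and Stub; a secondary or stub is read-only here
    $z = Get-DnsServerZone -Name $ZoneName
    [pscustomobject]@{
        Zone          = $z.ZoneName
        Type          = $z.ZoneType
        ReadOnly      = $z.IsReadOnly
        MasterServers = ($z.MasterServers -join ', ')
        RecordCount   = @(Get-DnsServerResourceRecord -ZoneName $ZoneName).Count
    }
}

Get-ZoneCopySummary -ZoneName $zone
Get-ZoneCopySummary -ZoneName 'eng.example.net'
```

The summary makes the difference visible: the secondary reports the same record count as the primary, while the stub holds only a handful of records (SOA, NS and the glue A records for the name servers).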
DNS Delegation
Let's say that you are the IT administrator of a company whose DNS server holds the following zones:
- Zone1: US departments.
- Zone2: UK departments.
- Zone3: CA departments.
- Zone4: JP departments.
So we have four large zones with thousands of records.
In this scenario we have several problems to take care of:
- All the domains are hosted on one server, the main company server.
- All the records from all the sites in the organization are stored on that one server.
- Network bandwidth is extremely limited because all the queries go to one server, which continually hangs and crashes.
What we will do now is add two more servers, one for the US and one for the UK, and separate the DNS traffic and zones between them.
With this strategy we accomplish the following:
Delegated administrative authority: instead of one IT group handling the requests for all the countries, the IT group in the US takes administrative control of its own namespace, and the one in the UK handles its own DNS requests.
Improved performance: instead of one server handling all the DNS requests, the traffic is spread over multiple DNS servers.
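Handing the US namespace to its own server is a zone delegation: the parent zone keeps only NS records (plus glue A records) pointing at the child's name server. The following added example (not from the original article) shows both sides; the parent zone company.example, the child us.company.example and the US server ns1.us.company.example at 10.1.0.5 are assumed lab values.

```powershell
# Added example, not from the original article. The two halves run on different servers.

$parent = 'company.example'
$child  = 'us'
$usNs   = "ns1.$child.$parent"
$usIp   = '10.1.0.5'

# --- on the US server (10.1.0.5): it becomes authoritative for its own namespace ---
Add-DnsServerPrimaryZone -Name "$child.$parent" -ZoneFile "$child.$parent.dns"
Add-DnsServerResourceRecordA -ZoneName "$child.$parent" -Name 'ns1' -IPv4Address $usIp

# --- on the main company server: hand the subdomain off with an NS record and glue ---
Add-DnsServerZoneDelegation -Name $parent -ChildZoneName $child -NameServer $usNs -IPAddress $usIp

function Test-Delegation {
    # The parent should now answer a non-recursive query with a referral (NS records),
    # not with the US records themselves, which live only on the US server
    Resolve-DnsName -Name "$child.$parent" -Type NS -Server 127.0.0.1 -NoRecursion |
        Where-Object Type -eq 'NS' | Select-Object Name, NameHost
    Get-DnsServerZoneDelegation -Name $parent
}
Test-Delegation
```

From then on, records for US hosts are created on the US server only; the company server never needs to know about them, which is where both the administrative and the performance benefit come from.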
DNS Tree Structure
The DNS namespace is structured as an upside-down tree with the root at the top.
This is an illustration of the DNS tree structure. Here we have the Root Domain, represented by a dot, then the Top-Level Domain, the Second-Level Domain and the Sub-Domain.
In this picture the root is at the top; it is represented by a period at the end of a name, such as www.h-educate.com(.) The trailing dot is not generally typed, but it designates that the name is located at the root, the highest level of the domain hierarchy.
DNSSEC
Domain Name System Security Extensions (DNSSEC) is a suite of extensions that add security to the Domain Name System (DNS) protocol by enabling DNS responses to be validated.
Plain DNS does not offer any form of security: it is vulnerable to spoofing, man-in-the-middle and cache poisoning attacks.
Attacks of this kind can compromise all future communications with the host. For this reason it has become critical to develop a means of securing DNS.
DNSSEC fixes cache poisoning, a long-standing and potentially crippling vulnerability in the Domain Name System. Cache poisoning means inducing a name server to cache bogus resource records.
Those records might map the domain name of a popular website, say www.facebook.com, to the IP address of a web server under the control of thieving hackers.
That web server may serve content that is indistinguishable from Facebook's real content; in fact, it may simply proxy content from the real www.facebook.com.
Unsuspecting users may enter valuable information at the impostor's website, where it is recorded and used to break into those users' accounts.
Cache poisoning illustration:
- The victim sends a query to the local DNS server for the website www.facebook.com.
- The query from the victim is either observed or predicted by the attacker.
- The attacker then beats the real name server to a response, sending corrupt DNS data into the server's cache, and the victim is sent to a malicious website.
How does DNSSEC address cache poisoning?
DNSSEC addresses cache poisoning by signing DNS zones. DNS servers and resolvers then form a chain of trust that lets them verify DNS responses using digital signatures.
- A user types facebook.com into their computer's browser.
- The request goes to the local DNS server, which does not have the domain name or IP address for facebook.com in its cache, so it passes the request on to the next DNS server (the ISP's).
- The ISP server can't find the record either, so it passes the request on to the root server, which is a DNSSEC-enabled server.
- The root hints server (also known as a trust anchor), the starting point, contains a key that is used to create digital signatures for the DNS data passed between servers or to the client.
- The root server doesn't have the IP address or the hostname for facebook.com, but because the request is for a .com name, the root DNS server sends the request to the .com server, which is a DNSSEC-enabled server.
- The .com server looks in its cache and, in this case, finds www.facebook.com and sends the request to the facebook.com DNSSEC-enabled DNS server,
- which sends the IP address for www.facebook.com back to the user.
Notice the yellow locks and the "Chain of Trust".
- What the root hints server is saying is that it trusts the .com server, and in turn the .com server trusts the facebook.com server.
- The chain of trust means that a DNSSEC-enabled server can use the digital signatures descending from the root server to verify that the DNS data is authentic and has not been tampered with.
- If the user's computer trusts the server at facebook.com, then the user receives the IP address.
- When a hacker tries to insert DNS records into the DNS zone of facebook.com, a DNSSEC-enabled server rejects the inserted records because they fail validation.
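On Windows Server the chain of trust described above is built from three pieces: the zone's own signing keys, the DS/key material that the parent zone signs, and a trust anchor that validating servers start from. The following added example (not from the original article) signs the lab zone corp.example.com with the server's default key settings, exports the key material the parent would need, installs the root trust anchor, requires validation for the namespace on a client, and finally checks that an answer comes back with RRSIG signatures. The zone name, the www host and the export path are assumed lab values.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell on the DNS server
# (the Add-DnsClientNrptRule line runs on a client, or on the server acting as its own client).

$zone = 'corp.example.com'

# 1. Sign the zone: creates a KSK and ZSK and adds DNSKEY, RRSIG and NSEC3 records (the "yellow locks")
Invoke-DnsServerZoneSign -ZoneName $zone -SignWithDefault -Force

# 2. Export the public key / DS set. The parent zone (.com in the walk-through above) publishes and
#    signs the DS record, which is what links this zone into the chain of trust.
New-Item -ItemType Directory -Path 'C:\dnssec' -Force | Out-Null
Export-DnsServerDnsSecPublicKey -ZoneName $zone -Path 'C:\dnssec' -DigestType Sha256 -Force

# 3. Trust anchor: install the root zone's public key so this server can validate internet names
#    from the root downwards, the starting point the article calls the trust anchor
Add-DnsServerTrustAnchor -Root

# 4. Client side: an NRPT rule makes the resolver insist on validated answers for this namespace,
#    so an unsigned or badly signed record (the inserted record in the last bullet above) is rejected
Add-DnsClientNrptRule -Namespace ".$zone" -DnsSecEnable -DnsSecValidationRequired

function Test-DnssecAnswer {
    param([Parameter(Mandatory)][string]$Name, [string]$Server = '127.0.0.1')
    # -DnssecOk sets the DO bit in the query: a signed zone returns RRSIG records with the answer
    $reply = Resolve-DnsName -Name $Name -Type A -Server $Server -DnssecOk
    [pscustomobject]@{
        Name    = $Name
        Address = (($reply | Where-Object Type -eq 'A').IPAddress -join ', ')
        Signed  = [bool]($reply | Where-Object Type -eq 'RRSIG')
    }
}

# Keys now present on the zone, the installed anchor, and a signed answer for the www host
Get-DnsServerSigningKey -ZoneName $zone | Select-Object KeyType, CryptoAlgorithm, KeyLength
Get-DnsServerTrustAnchor -Name '.'
Test-DnssecAnswer -Name "www.$zone"
```

Signed reports True only for records that carry a valid RRSIG from the zone's key. A record injected into a cache without that signature, the scenario in the final bullet, fails validation and is never handed to a client that requires it. The DS set exported in step 2 is only useful once the parent publishes it; in a lab without a signed parent, a validating resolver would instead need this zone's own key configured as a trust anchor.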