DNS security

[boomboom999]

We have Active Directory with 5000 users, and every Domain Controller
is a DNS server as well. To allow resolving external DNS adresses there
are two options:

1. Open outbound TCP/UDP 53 connections from the domain controllers
toward the Internet.

2. Use an intermediate forwarder DNS servers



1. Pros and Cons for a direct connection

+ Simplier solution
+ No additional hardware/software required
+ No risk of hijacking external DNS resolution by a hacker

- If I open outbound UDP, I should also allow inbound UDP responses. As
UDP is connectionless, there is no way for the firewall to make sure
that inbound packets are related to the previous outbound packets. So,
it is possible to send some corrupted UDP packets to the internal
Domain Controllers and cause a DoS or take control of the Active
Directory

- There were vulnerabilities in BIND like this one

http://www.kb.cert.org/vuls/id/844360

An incorrect DNS response can causer a buffer overflow on the internal
server -> remote code execution -> phoning home -> taking control over
the Active Directory

2. Pros and Cons for a connection via forwarder

Same points in reverse order.

An additionnal Con point for the forwarder - if someone take control
over the DNS forwarder (ISP's one or our own forwarder) it is possible
to hijack and manipulate all the external DNS requests, redirect
trafic, sniff it etc. So, if I go with forwarder, it would be necessary
to put it into a separate DMZ that is not exposed to inbound
connections.

What would you recommend?

 

[Kevin D. Goodknecht Sr. [MVP]]

We have Active Directory with 5000 users, and every Domain Controller
is a DNS server as well. To allow resolving external DNS adresses
there are two options:

1. Open outbound TCP/UDP 53 connections from the domain controllers
toward the Internet.

2. Use an intermediate forwarder DNS servers

It depends on how well you trust your intermediate forwarder.
Some firewalls also support being a DNS proxy, if that is the case you could
use the firewall as the forwarder.

1. Pros and Cons for a direct connection

+ Simplier solution
+ No additional hardware/software required
+ No risk of hijacking external DNS resolution by a hacker


2. Pros and Cons for a connection via forwarder

The Pros for using a forwarder is that it gets its responses directly back
from the forwarder taking advantage of getting records that have been cached
on the forwarder.

The cons are pretty much covered in your statement below.

Same points in reverse order.

An additionnal Con point for the forwarder - if someone take control
over the DNS forwarder (ISP's one or our own forwarder) it is possible
to hijack and manipulate all the external DNS requests, redirect
trafic, sniff it etc. So, if I go with forwarder, it would be
necessary to put it into a separate DMZ that is not exposed to inbound
connections.

What would you recommend?

Keep as much authority as you can on the local DNS by using a delegated root
zone, the cons to this is that it increases the Administrative tasks with
keeping the delegated root updated.
It is possible to use a secondary delegated root zone getting a zone
transfer from the root servers themselves. IIRC, you can get a zone transfer
from any of them but the A root server.
Your DNS will have authority over that root, and get authoritative answers
from the TLD servers. Your DNS will build up its own cache of authoritative
NS records and your DNS will get its answers using the cached NS records.
Since the root server and TLD servers don't support recursion, you will only
have to worry about getting bad answers from the Authoritative servers for
the domain.
Someone would have to take control over the authoritative DNS servers for
the domain you are resolving because you have control over your own root
zone that uses its own delegations for TLDs it resolves.
294906 - How to Delegate All Internet Top-Level Domains on an Internal Root
DNS Server
http://support.microsoft.com/default.aspx?scid=kb;en-us;294906&sd=RMVP