Windocuments.net

Securing DNS

Domain Name System Security Extensions (DNSSEC) add security to DNS by enabling DNS servers to validate the responses given by other DNS servers. DNSSEC enables digital signatures to be used with DNS zones. When a DNS resolver issues a query for a record in a signed zone, the authoritative DNS server returns both the record and a digital signature, which allows the resolver to validate that record.

To configure DNSSEC, perform the following steps:

1. Right-click the zone in DNS Manager, click DNSSEC, and then click Sign The Zone.
2. On the Signing Options page, select Use Default Settings To Sign The Zone.

When you configure DNSSEC, three new resource record types become available. These records have the following properties:

Resource Record Signature (RRSIG) record. This record is stored within the zone, and each RRSIG record is associated with a different zone record. When the DNS server is queried for a zone record, it returns the record and the associated RRSIG record.

DNSKEY. This is a public key resource record that enables the validation of RRSIG records.

Next Secure (NSEC/NSEC3) record. This record is used as proof that a record does not exist.

In addition to the special resource records, a DNSSEC implementation has the following components:

Trust anchor. This is a special public key associated with a zone. Trust anchors enable a DNS server to validate DNSKEY resource records. If you deploy DNSSEC on a DNS server hosted on a domain controller, the trust anchors can be stored in the Active Directory forest directory partition. This replicates the trust anchor to all DNS servers hosted on domain controllers in the forest.

DNSSEC Key Master. This is a special DNS server that you use to generate and manage signing keys for a DNSSEC-protected zone. Any computer running Windows Server 2012 or later that hosts a primary zone, whether standard or Active Directory integrated, can function as a DNSSEC Key Master. A single computer can function as a DNSSEC Key Master for multiple zones. The DNSSEC Key Master role can also be transferred to another DNS server that hosts the primary zone.

Key Signing Key (KSK). You use the KSK to sign all DNSKEY records at the zone root. You create the KSK by using the DNSSEC Key Master.

Zone Signing Key (ZSK). You use the ZSK to sign zone data, such as the individual records hosted in the zone. You create the ZSK by using the DNSSEC Key Master.

You can configure Group Policy to ensure that clients only accept records from a DNS server for a specific zone if those records have been signed using DNSSEC. You do this by configuring the Name Resolution Policy Table (NRPT), which is located in the Computer Configuration\Policies\Windows Settings\Name Resolution Policy node of a GPO. You create entries in the table, for example an entry requiring that all queries against a specific zone require DNSSEC validation. You can configure the NRPT by using Group Policy or through Windows PowerShell. DNSSEC is appropriate for high-security environments, such as those where IPsec and authenticating switches are in use. DNSSEC protects against attacks where clients are fed false DNS information.
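The zone-signing steps and the NRPT policy described above, as an added PowerShell example that is not from the original article. The zone name, DNS server name and GPO name are placeholders, and it assumes the DnsServer and DnsClient cmdlets (RSAT) and rights to edit the GPO are available.

```powershell
# Added example, not from the original article. Placeholder names:
$zone      = "corp.example.com"   # zone to sign (placeholder)
$dnsServer = "dc01"               # DNS server acting as DNSSEC Key Master (placeholder)
$gpo       = "DNSSEC Clients"     # GPO that will carry the NRPT rule (placeholder)

# 1. Sign the zone with the default settings. This is the PowerShell equivalent of
#    "Use Default Settings To Sign The Zone" in DNS Manager; run it against the Key Master.
Invoke-DnsServerZoneSign -ZoneName $zone -SignWithDefault -Force -ComputerName $dnsServer

# 2. Confirm that the three new record types now exist in the zone.
foreach ($type in 'DnsKey', 'RRSig', 'NSec3') {
    $records = Get-DnsServerResourceRecord -ZoneName $zone -RRType $type -ComputerName $dnsServer
    "{0,-6} records in {1}: {2}" -f $type, $zone, ($records | Measure-Object).Count
}

# 3. Show the KSK and ZSK that the Key Master generated for the zone.
Get-DnsServerSigningKey -ZoneName $zone -ComputerName $dnsServer |
    Format-Table KeyType, CryptoAlgorithm, KeyLength

# 4. Publish an NRPT rule through Group Policy so that domain clients only accept
#    answers for this zone when DNSSEC validation succeeds. The leading dot makes
#    the namespace a suffix rule covering every name under the zone.
Add-DnsClientNrptRule -GpoName $gpo -Namespace ".$zone" `
    -DnsSecEnable -DnsSecValidationRequired `
    -Comment "Require DNSSEC-validated answers for $zone"

# 5. From a domain client (after gpupdate), verify that the rule applied and that a
#    query with the DNSSEC OK bit set returns RRSIG records alongside the A record.
Get-DnsClientNrptPolicy | Where-Object Namespace -eq ".$zone"
$answer = Resolve-DnsName -Name "www.$zone" -Type A -DnssecOk -Server $dnsServer
$answer | Where-Object QueryType -eq 'RRSIG' | Format-Table Name, QueryType, TTL
```

Step 4 edits the GPO only; the rule takes effect on a client once Group Policy refreshes, which is why step 5 is run there rather than on the DNS server.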