New DNS features in Windows Server 2012


This video will look at the two new features that are included in DNS server for Windows Server 2012.

Download the PDF handout: http://ITFreeTraining.com/handouts/dn...

What's new in DNS in 2012
Windows Server 2012 adds additional administration features to PowerShell across the board. With DNS in Windows Server 2012, features have been added that allow all functionality that can be performed with the graphical DNS Manager to be performed using PowerShell. The DNS role itself can also be added or removed using the command prompt.

DNSSEC was available in Windows Server 2008 but in Windows Server 2012 additional features have been added.

What is DNSSEC?
DNSSEC stands for Domain Name System Security Extensions. DNS servers replicate data between each other, and this data is not encrypted, so an attacker could potentially modify it as it travels over the internet. DNSSEC provides a way to check that transferred data has not been modified. It also provides a method for checking the identity of a DNS server, so an attacker cannot create their own DNS server and disguise it as an authoritative DNS server.

Many companies use VPN connections or other secure connections such as IPSec to secure data travelling over the internet. In that case, even though the DNS traffic itself is not encrypted, the tunnel it travels over is encrypted, which prevents an attacker from modifying it.

The next issue is a fake DNS server created by an attacker: DNSSEC provides a method for the client to check that the DNS server is a legitimate DNS server. It does this by adding a signature to the DNS record when it is given to the client. The DNS record itself is still not encrypted, but it can be checked against the signature.

Trust Anchors
A trust anchor in DNS is the point where the trust model starts. With certificates, a root CA forms the root of the trust model. DNSSEC likewise has a trust anchor at the top of the DNS hierarchy, and each DNS server in the hierarchy is chained to this trust anchor. A problem occurs when a DNS server in the chain does not support DNSSEC. When this happens, the chain of trust is broken and the DNS data cannot be considered secure.

When the chain of trust is broken, an administrator may decide to add their own trust anchor. For example, the chain of trust may be broken at the last server which is the ISP's DNS server. If the connection back to the ISP is secure, the administrator may not consider this to be a problem. If this is the case, a new trust anchor can be added to the client computer to allow them to use DNSSEC even though a complete chain of trust is not available back to the root hint server.

The ability to add trust anchors was present in Windows Server 2008, however with Windows Server 2012 you can now see these trust anchors in DNS Manager making them easy to administer.
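The broken chain and the locally added trust anchor described above, modelled in Python as an added example (not code from the video or from Windows DNS Server). It checks only the DS-digest link between a parent zone and its child's DNSKEY; signature (RRSIG) verification is left out. The zone table, key bytes and function names are constructed for illustration, using the root, au, com.au, example.com.au hierarchy from the video's walk-through.

```python
import hashlib

def wire_name(name):
    """DNS wire format of a domain name; the root zone "." is a single zero byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(zone, dnskey):
    """DS digest type 2: SHA-256 over owner name || DNSKEY RDATA."""
    return hashlib.sha256(wire_name(zone) + dnskey).hexdigest()

def make_key(seed):
    """Constructed DNSKEY RDATA: flags 257, protocol 3, algorithm 8, fake key bytes."""
    return b"\x01\x01\x03\x08" + hashlib.sha256(seed.encode()).digest()

def validate(zone_name, zones, anchors):
    """Return 'secure', 'insecure' (no unbroken chain) or 'bogus' (digest mismatch)."""
    labels = [l for l in zone_name.rstrip(".").split(".") if l]
    chain = ["."] + [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]
    # Start from the configured trust anchor closest to the queried zone.
    start = max((i for i, z in enumerate(chain) if z in anchors), default=None)
    if start is None:
        return "insecure"
    expected = anchors[chain[start]]
    for i in range(start, len(chain)):
        zone = zones[chain[i]]
        if zone["dnskey"] is None or ds_digest(chain[i], zone["dnskey"]) != expected:
            return "bogus"         # key missing or not the one vouched for
        if i + 1 < len(chain):
            expected = zone["ds"].get(chain[i + 1])
            if expected is None:
                return "insecure"  # parent publishes no DS: chain of trust broken
    return "secure"

def build_example():
    """Constructed hierarchy: root and au are signed, com.au is not, the leaf is."""
    keys = {z: make_key(z) for z in (".", "au", "example.com.au")}
    zones = {
        ".": {"dnskey": keys["."], "ds": {"au": ds_digest("au", keys["au"])}},
        "au": {"dnskey": keys["au"], "ds": {}},   # no DS for the unsigned child
        "com.au": {"dnskey": None, "ds": {}},     # does not support DNSSEC
        "example.com.au": {"dnskey": keys["example.com.au"], "ds": {}},
    }
    return zones, keys

if __name__ == "__main__":
    zones, keys = build_example()
    root_only = {".": ds_digest(".", keys["."])}
    print(validate("example.com.au", zones, root_only))
    # Administrator adds a local trust anchor for the signed leaf zone.
    local = dict(root_only)
    local["example.com.au"] = ds_digest("example.com.au", keys["example.com.au"])
    print(validate("example.com.au", zones, local))
    zones["example.com.au"]["dnskey"] = make_key("attacker")  # key swapped in transit
    print(validate("example.com.au", zones, local))
```

With only the root anchor configured, the leaf zone cannot be validated because nothing below au is vouched for; the local anchor restores validation and also makes a substituted key detectable.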

Key Management
In order to use DNSSEC there are a number of keys that need to be managed. In Windows Server 2008 this was more of a manual process; in Windows Server 2012 it is more automated. Firstly, a key must be changed after a certain amount of time in order to have good security: the longer you have the same key, the higher the probability that it could be hacked. Windows Server 2012 has a feature called automated key rollover which makes this process automatic.

Windows Server 2012 also comes with a feature called The Key Master. This allows DNSSEC keys to be stored in the one primary zone making administration a lot simpler.

See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

Closed Caption:

In this video from ITFreeTraining I will look
at the new features in DNS for Windows Server
2012. There are only 2 new features so let's
have a look.
The first feature is improved PowerShell support.
With Windows Server 2012 in general, PowerShell
support has increased across the board. In
DNS, all user interface commands are now supported
in PowerShell. Whatever you can achieve in
the user interface, you can achieve in PowerShell.
You can also add and remove the DNS role from
PowerShell if you need to.
The next feature is improved support for DNSSEC.
DNSSEC essentially provides additional security
for DNS preventing DNS records and DNS transfers
from being tampered with by an attacker. DNSSEC
was available in Windows Server 2008, but
has been improved in Windows Server 2012.
I will now have a closer look at the improvements
for DNSSEC, but first a brief introduction
to DNSSEC.
DNSSEC stands for Domain Name System Security
Extensions. It is essentially an extension
to DNS that prevents data from being tampered
with or faked. Traffic between DNS servers
and the clients is not encrypted so can be
modified. For example, consider a primary
DNS server and secondary Server. As changes
happen to the primary zone, these changes
need to be sent to the secondary server.
If you have additional security on your network,
for example VPN or using IPSec to secure communication,
this will not be too much of a concern. This
is because even though the DNS traffic is
not in itself encrypted, it is encased in encryption.
If however this is not the case, a hacker
can position themselves between the two DNS
servers and change the updated information.
For example, they could have the user directed
to their fake web site rather than the original
web site. The user would not even be aware
that this is occurring. This is what hackers
want to happen in order to get usernames and
passwords or credit card details.
The next point to consider is when a user
performs a DNS query. This query is returned
to the user but the data is not encrypted.
Once again a hacker can send their own data
back to the client. The hacker could change
the data, they could send their own data,
or they could send a message to the client
saying the query could not be resolved and
effectively cause a denial of service attack.
So what does DNSSEC do in a nutshell? It
provides a method to check that data has not
been changed. Once the client or a server
receives DNS data, the data comes with a signature
to allow the client to check that the data
is authentic and has not been changed. This
should give you a basic idea of what DNSSEC
is. Now let's look at the new DNSSEC features
in Windows Server 2012.
The first new feature in Windows Server 2012
allows trust anchors to be seen in the DNS
manager that have been stored in Active Directory.
Trust anchors are not a new feature, but
previously you were not able to see a trust
anchor in DNS manager. So what is a trust
anchor?
Let's consider how DNS works. At the top of
the hierarchy you have the root hint server.
This is where DNS servers start the resolving
process. When DNS names are resolved they
are broken down starting from the right of
the address and moving left. Each server in
sequence knows the address of another DNS
server that knows the next DNS server to pass
the request onto until finally a DNS server
is found that can answer the query.
For this reason it makes sense that the root
hint server needs to be trusted. So the root
hint server is what you would call a trust
anchor. The root hint server contains a key
that is used to create signatures for DNS
data that is passed between servers or to
the client.
In the next step of the resolving process,
in this example, an AU DNS server is contacted.
This DNS server supports DNSSEC so it can
use the signature of the root hint server.
Basically what is happening is the root hint
server is saying that it trusts the AU server.
The problem occurs when something like the
following happens. The next server, a DNS com
server does not support DNSSEC.
This becomes a problem because the last DNS
server, the DNS server that knows how to resolve
our DNS name, example.com.au, does support
DNSSEC. The problem is that the chain of trust,
as it is called, has been broken. There is
no way that the DNS server can validate the
data coming from the com DNS server and confirm
that it has not been tampered with.
In the real world, there are a lot of DNS
servers that do not support DNSSEC. As you
can imagine, DNS servers are located all over
the world and it is up to the administrator
in that country to configure the DNS server
to support DNSSEC. Some countries may be quicker
to adopt this technology while others are
more wary.
When a client performs a DNS query, the client
will want to confirm that data is accurate
by checking the signature on the DNS data
with root hint server. Since the chain of
trust is broken this is not possible.
To get around this a new trust anchor is created.
If the client trusts the new trust anchor,
DNSSEC can be used from that point onwards.
On your network, you may use a domain name
that cannot be registered like a .local address.
When this is the case, you will need to create
a trust anchor for clients. The point to remember
is, with Windows Server 2012 any trust anchor
that you create, you will be able to view
it in DNS manager.
In Windows Server 2012 trust anchors are easier
to use because of the last two features.
In Windows Server 2012 the keys used in DNSSEC
and their management has improved significantly.
We already know that the keys can be stored
in Active Directory. This allows them to be
replicated with the other Active Directory
data.
With Windows Server 2012, there is support
for automated key rollover. When a key is
being used in DNSSEC, it will eventually need
to be changed. Windows Server 2012 can now
control this process meaning the administrator
does not need to worry about generating a
new key before the old key expires.
The last new feature in Windows Server 2012
is what is called The Key Master. What this
essentially is, is a primary zone that can
be configured to manage all the keys associated
with that zone. This takes a lot of the work
away from the administrator. The administrator
needs to select a server that is holding a
primary zone and configure it to be The Key
Master. Only one Key Master can exist at once,
but the administrator is free to move The
Key Master to another server if they require.
With The Key Master feature, managing DNSSEC
is a lot easier than ever before.
Thanks for watching this video from ITFreeTraining.
This is just one of the free videos from the
DNS courses and the other courses available
free of charge on YouTube or our web page.
Hope you have found this video useful and
hope to see you in the next one.

Video Length: 08:13
Uploaded By: itfreetraining
View Count: 18,672


Copyright © 2025, Ivertech. All rights reserved.