DNS Protection Facts Flashcards
DNSSEC
DNS Security Extensions (DNSSEC) is designed to protect the DNS client. It verifies that a server’s response was not changed in transit and that the server sending the response is really who it claims to be. When DNSSEC is configured, the DNS server signs responses to DNS queries with a digital certificate. With the certificate, the DNS client knows:
The response came from the correct DNS server.
The response was not modified in transit.
DNSSEC is implemented on a DNS zone by:
Digitally signing the zone. This requires a key signing key and a zone signing key.
Choosing NSEC or NSEC3 for authenticated denial of existence.
Enabling the distribution of trust anchors.
Configuring a Group Policy to require DNS clients to use DNSSEC.
DNS Socket Pooling
DNS socket pool protects the DNS server. By default, a DNS servers uses port 53 for DNS queries. This port is easy to attack. DNS socket pool configures a pool of ports for the DNS to use for queries.
DNS socket pooling is enabled by default on all modern Windows Server systems. Windows Server 2022 DNS has a default pool size of 2500 ports. DNS socket pooling can be viewed and changed using either PowerShell or a command prompt.
DNS Cache Locking
DNS cache locking controls how long a cache entry is locked so that it can’t be overwritten. This helps prevent attacks that attempt to pollute information in the cache to direct traffic to a malicious site.
Cache locking is configured as a percent value. Cache entries are not overwritten within this percentage of the record’s time-to-live value.
Response Rate Limiting
Response rate limiting helps protect a DNS server from denial-of-service attacks.
Attackers attempt to overwhelm a DNS server or its clients by sending large numbers of DNS queries.
Response rate limiting stops the server from responding too frequently or limits the size of the response.
An exception list exempts DNS client queries from response rate limiting.
Response rate limiting is useful against DNS flooding attacks and DNS amplification attacks against clients.
DANE
DANE stands for DNS-based Authentication of Named Entities.
DANE works with DNSSEC to allow DNS clients to verify that domain name certificates are from the proper certification authority.
DANE prevents on-path attacks, where attackers attempt to corrupt the DNS cache to point to their own website.
DANE prevents attackers from using certificates that are issued from an improper certificate authority.
DANE is most often used with email servers to help stop spam emails that come from imposter email servers posing as legitimate email servers.
Delegated Administration