Time
10 hours 28 minutes
Difficulty
Advanced
CEU/CPE
15

Video Description

This lesson focuses on Domain Naming System (DNS) security. The Domain Naming System is probably the most important service running on a network at any given time. DNS keeps track of every record within a domain: where every server is and what service it provides. DNS knows everything there is to know about a network. DNS can be attacked through its cache, which can be poisoned by sending queries to rogue servers. To secure DNS, it is important to know about Transaction Signatures (TSIG), which secure zone transfers via secret keys to ensure each endpoint is authentic.
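As an added illustration that is not part of the lesson page or its course material, the BIND 9 named.conf fragments below show what the TSIG-protected zone transfer mentioned in the description looks like in practice: a shared secret key, a primary that only answers transfer requests signed with that key, and a secondary that signs its requests with the same key. The zone name, the addresses, the key name and the secret are placeholders chosen for this example (the secret is an all-zero stand-in, not a real key); the `type primary` / `primaries` keywords assume BIND 9.16 or later.

```conf
// Added example (not from the lesson): TSIG-protected zone transfer in BIND 9.16+.
// Zone, addresses, key name and secret are placeholders for this example.

// --- Weak setting, for contrast: anyone who can reach port 53 may pull the zone ---
// zone "example.com" {
//     type primary;
//     file "example.com.zone";
//     allow-transfer { any; };
// };

// --- Shared secret, identical on primary and secondary; not world-readable ---
// Generate a real one with: tsig-keygen xfer-key   (output replaces this key block)
key "xfer-key" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";   // all-zero placeholder, replace
};

// --- named.conf on the primary (192.0.2.1): only requests signed with xfer-key get the zone ---
zone "example.com" {
    type primary;
    file "example.com.zone";
    allow-transfer { key "xfer-key"; };
};

// --- named.conf on the secondary (192.0.2.2, separate file): sign every request to the primary ---
zone "example.com" {
    type secondary;
    primaries { 192.0.2.1 key "xfer-key"; };
    file "example.com.zone";
};
```

With this in place, an unsigned transfer request to the primary is answered with REFUSED, while the secondary's signed request (or an administrator's check with `dig @192.0.2.1 example.com AXFR -y hmac-sha256:xfer-key:<secret>`) succeeds; because the key alone gates the transfer, it should be protected and rotated like any other shared credential.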

Video Transcription

00:04
Now we're moving on through additional networking concepts and enterprise concepts. We've got to talk about DNS, Domain Naming System or Service. This is probably the single most important service running on any network at any given time,
00:23
with the possible exception of Active Directory's LDAP service,
00:27
um, especially in a Windows environment. But UNIX too, so many things are based on DNS. You know, in its most simple terms, DNS takes a user-friendly name and maps it to an IP address. Sure, that's absolutely true. But that really is kind of the least of what DNS does.
00:46
DNS keeps track of
00:48
all records within a particular namespace. So if you just want to think about it as within your domain. But it also keeps track of where every server is, any server providing a specific service, like the domain controller, like a mail server. Those,
01:04
when your client needs to find a domain controller, it asks DNS.
01:10
Same idea with mail servers, global catalog servers, key distribution servers. So DNS knows all about your network. It knows your IP addressing scheme. It knows your naming convention. It knows where your physical locations are. DNS is extremely knowledgeable.
01:27
And most of the time,
01:30
when a client has a query, it sends that query to DNS. I'm looking for a global catalog server, I ask DNS. If I want to connect to server one, I ask DNS. If I want to get out to the Internet, I ask DNS. So DNS, for me as an attacker,
01:47
is a very, very appealing and attractive target,
01:51
because if I can control, if I can compromise your DNS server, I'll control where you go, whether it's in-house, uh, or out on the Internet.
02:00
Um, and there are many different ways to commandeer a DNS server. You know, we can talk about setting up a rogue infrastructure, and I think I may have mentioned this in an earlier module, but a rogue infrastructure might be for me to bring a DHCP server onto your network.
02:17
It doesn't take much for me to do. All I need is a live port on the wall, uh, or access to your wireless network, and I'll set up a server that has the DHCP service installed. And I'll just wait for a client to query me.
02:32
The thing to understand about DHCP is everybody kind of associates that with assigning IP addresses, and that's true. But many clients in many corporate environments learn who their DNS server is by asking DHCP.
02:47
So if I have a rogue DHCP server, I'll simply refer you to my rogue DNS server. And again, if I control DNS, I control the traffic on your network.
02:58
Okay. Another way that we can attack DNS, or the integrity of the DNS records, is we can compromise the DNS server's cache.
03:10
And when we do that, an attack on cache, we often refer to that as poisoning.
03:15
Now, cache exists with many different protocols, many different services, but it's always for the same purpose, and the same idea is always true: cache is where I put things that I frequently need so that I can access them quicker and easier.
03:30
So, for instance, with DNS,
03:34
if you've ever configured DNS to get name resolution to a server out on the Web, often there's a lot of back and forth. You know, I ask my local DNS server, my local DNS server might forward that request to the Internet service provider, who might forward it to the root, who might forward it to .com.
03:52
There often is a lot of back and forth with DNS.
03:54
So rather than having to make that back-and-forth query every single time, what happens is DNS servers cache what they've learned. Once I learn how to get to sales.microsoft.com, I'm gonna store that in my cache memory. So the next time you ask, I can say, yup, here's the address, rather than having to go out and learn it again.
04:15
So cache is very beneficial from a performance and speed
04:18
ah, standpoint, but also for efficient use of resources.
04:23
But the downside of that is any time I'm holding onto information, there's the possibility that that information could be manipulated. One of the ways that DNS gets manipulated is through unsolicited replies. Unsolicited replies,
04:41
and many operating systems block those.
04:44
But for instance, if I query a DNS server and I say, can you tell me how to get to mail.yahoo.com, and that DNS server comes back with a reply, I expect that reply. It's in response to a query I sent out, so there's nothing special about that.
05:00
However, I'm just here minding my own business, and a server contacts me and says, hey, add this information to your cache: mail.yahoo.com is 10.1.1.1.
05:13
Well, that's an unsolicited reply, and unsolicited replies can't be trusted. And often that's the way that that cache gets poisoned.
05:21
Another way that cache gets poisoned is I could be sending my queries to rogue servers. So, for instance, rather than asking my legitimate Internet service provider's DNS server,
05:35
I could be redirected to someone else's rogue DNS server. So all the information I would learn would be from a rogue source.
05:43
Other concerns with DNS: zone transfers.
05:47
You know, we talked about availability and how the key to availability is redundancy on a network. So rarely am I gonna be on the network with a single DNS server. We're usually gonna have multiple DNS servers. And the way DNS servers communicate with each other, the way they catch each other up on changes to the network and
06:08
the existing network configuration,
06:10
is they transfer zone information.
06:12
So server A may query server B and say, what's new? You know? What do you know?
06:17
Server B may be queried by server C, and so on.
06:23
So
06:24
with these zone transfers, first of all, I don't want to send my zone information to a server that isn't legitimate. You know, I don't want to share my DNS zone information with just anybody that asks.
06:35
But also, I don't wanna add zone information from an untrusted source.
06:42
Okay, so we've got a lot of issues to think about with DNS. And you know, this is one of those things that could be a very deep topic, but we'll try to keep it on track for the exam. So one of the more recent security features with DNS is a set of security extensions called DNSSEC.
07:00
There's some new records that would be created
07:02
in order to minimize the possibility of cache poisoning, okay, and corrupted zone transfers. So there are a couple of records that are most essential. These aren't the only ones, but these are the ones that they really want you to know.
07:17
Okay. So first of all, the security extension that has the biggest input here, or the biggest
07:24
benefit to us, is a set of extensions called the TSIG extensions, and it stands for transaction signatures. The whole purpose here is to make sure that I'm able to authenticate on both ends, each endpoint of the zone transfer.
07:42
So when I connect to server A, I need some assurance that that really is server A, that that's not someone that stepped in, as far as a man in the middle goes, impersonating another server. But also, before server A would transfer its zone to me, they need assurance of my legitimacy as a DNS server. Okay,
08:01
so TSIG, those extensions that allow
08:05
servers, as part of a zone transfer, to authenticate each other. And part of the way that happens is through the use of public keys and digital signing. And the public keys, the one that's probably most testable as far as a new resource record that's added, is this DNSKEY.
08:20
And this DNSKEY record is what allows the distribution of public keys. And what you may want to do is go back and review the cryptography section that talks about how we use public and private keys to get authenticity. But essentially, if I have your public key,
08:39
I can encrypt something with your public key, and only your private key would be able to decrypt it.
08:45
So even if you're a rogue DNS server, I'll be encrypting, ah, what I'm sending you with the legitimate DNS server's public key.
08:54
So I might still send it to you, but you can't do anything with it because you won't have the private key of the DNS server. So we get encryption there, but we also get a degree of authenticity as well. There's also a resource record signature, which essentially is gonna be used to digitally sign
09:13
the DNS record set. And again, digital signatures, going back to crypto,
09:18
guarantee the integrity and the authenticity of those records. So these are some important new additions to DNS. It's a feature that has to be installed, but ultimately our goal is to provide a higher degree of authenticity, a higher degree of assurance that our DNS servers are legitimate and they're not rogue servers.

Up Next

CompTIA CASP

In our online CompTIA CASP training, you will learn how to integrate advanced authentication, how to manage risk in the enterprise, how to conduct vulnerability assessments and how to analyze network security concepts and components.

Instructed By

Kelly Handerhan
Senior Instructor