Windows Server 2016: what is new in DNS (and IPv6 and DHCP)

Upload: cecilia-huapaya

Post on 21-Jan-2018



© Men & Mice http://menandmice.com

Windows Server 2016

DNS Policies

Application Load-Distribution with DNS

IPv6 Root-Hints

DANE-Records Support

Support for Unknown DNS Records

Response-Rate-Limiting

Other new Features in Windows Server 2016

The features discussed here are based on Technical Preview 5 (April 2016).


DNS Policies

DNS policies give fine-grained control over how a DNS server answers DNS queries

• similar to, but more powerful than, BIND 9 views

• Use-cases:

  • access control for DNS resolvers (prevent open resolver)

  • DNS based load-distribution

  • blackholing malicious clients

  • filtering based on DNS domains or query type

  • geo-location-aware DNS answers

  • traffic engineering based on time of day

  • "Split-Brain" DNS configurations (CAUTION!)


DNS Policies

Every DNS zone can have one or more "ZoneScopes"

• each ZoneScope can contain different DNS data (e.g. different IP-Addresses for the same name)

• the DNS Policy defines which ZoneScope is used when a DNS query reaches the DNS server


DNS Policy criteria

• Client Subnet: source address of the query

• Transport Protocol: either UDP or TCP

• Internet Protocol: either IPv4 or IPv6

• Server Interface IP address: the interface on which the query comes in

• Domain name: an FQDN (wildcards possible)

• Query Type: the requested DNS record type (A/AAAA/MX/SRV etc.)

• Time of Day: time when the query is received


DNS Policies

DNS Policy criteria can be combined with boolean expressions ("AND", "OR", "NOT")

Powerful DNS policies are possible …

… that should be used carefully


DNS Policies Demo 1: restricting DNS recursion to subnets


DNS Policies Demo 1

Get-DnsServerRecursionScope -Name .

Set-DnsServerRecursionScope -Name . -EnableRecursion $False

Add-DnsServerRecursionScope -Name "Clients" -EnableRecursion $True

Add-DnsServerClientSubnet -Name "MyNetwork" `
    -IPv4Subnet "172.22.1.0/24"

Add-DnsServerQueryResolutionPolicy -Name "ResolverPolicy" `
    -Action ALLOW -ApplyOnRecursion -RecursionScope "Clients" `
    -ClientSubnet "EQ,MyNetwork"


DNS Policies Demo 2: application load distribution using DNS


DNS Policies Demo 2

Add-DnsServerZoneScope -ZoneName example.com -Name "scope1"

Add-DnsServerZoneScope -ZoneName example.com -Name "scope2"

Get-DnsServerZoneScope -ZoneName example.com

Add-DnsServerResourceRecord -A -Name www -ZoneName example.com -IPv4Address 192.0.2.10 `
    -ZoneScope "scope1"

Add-DnsServerResourceRecord -A -Name www -ZoneName example.com -IPv4Address 192.0.2.20 `
    -ZoneScope "scope2"

# weighted distribution: 4 answers from scope1 for every 2 answers from scope2
Add-DnsServerQueryResolutionPolicy -Name "Scope1LDPolicy" -ZoneName example.com `
    -ZoneScope "scope1,4;scope2,2" -Action ALLOW -ServerInterfaceIP "EQ,172.22.1.150"

Get-DnsServerQueryResolutionPolicy -ZoneName example.com


IPv6 root hints

Windows Server 2016 now comes with IPv6 root-hints preconfigured

• root hints are required by every DNS server to find the root servers, the starting point of all DNS resolution

• Windows Server up to Windows Server 2012 R2 only contains the IPv4 root hints for the Internet (the IPv6 root hints could, however, be added manually)

• This change makes it possible to run the Windows DNS server in an "IPv6-Only" network


DANE TLSA Record support

Windows Server 2016 adds support for the TLSA Resource Record type

• TLSA is required for DANE (DNS-based Authentication of Named Entities)

• "pinning" of TLS/SSL certificates via DNSSEC secured DNS

• see our previous webinar "DNSSEC & DANE – E-Mail security reloaded" https://www.menandmice.com/resources/educational-resources/webinars/dnssec-and-dane-e-mail-security-reloaded/


Demo: TLSA record

Add-DnsServerResourceRecord -Name _25._tcp `
    -ZoneName example.com -TLSA -CertificateUsage DomainIssuedCertificate `
    -Selector SubjectPublicKeyInfo -MatchingType Sha256Hash `
    -CertificateAssociationData 831B809F32A1A9E8C52A5167A35A979F0719B89D08E9A3302264F99D


Support for "Unknown Resource Records"

With new protocols, new DNS record types are added to DNS

• URI

• SMIMEA and OPENPGPKEY

• TA and TALINK

• …

RFC 3597 "Handling of Unknown DNS Resource Record (RR) Types" defines a way to provision a DNS server with resource records unknown to the server software


Support for "Unknown Resource Records"

The DNS server in Windows Server 2016 now supports these unknown resource records

• enables DNS admins to support new protocols that were not published at the release time of Windows Server

• the record data is given in hexadecimal notation

• the BIND 9 utility "named-rrchecker" can be used to convert the data part of a DNS RR into the hexadecimal format

Example: definition of an IPv4 address "A" record:

Add-DnsServerResourceRecord -Name www -ZoneName example.com -Type 1 -RecordData "0A000001"


Demo: Unknown RRs

The Uniform Resource Identifier (URI) DNS Resource Record:

https://tools.ietf.org/html/rfc7553

> echo 'IN URI 10 1 "http://www.example.com/path"' | named-rrchecker -u
CLASS1 TYPE256 \# 31 000a0001687474703a2f2f7777772e6578616d706c652e636f6d2f70617468

PowerShell> Add-DnsServerResourceRecord -Name _http._tcp -ZoneName example.com `
    -Type 256 -RecordData "000a0001687474703a2f2f7777772e6578616d706c652e636f6d2f70617468"
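As an added example (not code from the webinar or from Windows DNS), the following Python produces the hexadecimal RDATA that -RecordData and named-rrchecker -u use for the A, URI and TLSA records shown in the TLSA and unknown-RR demos above, and decodes or validates such data before it is provisioned; all function names are ours, and the TLSA length rule (SHA-256 = 32 bytes, SHA-512 = 64 bytes) follows RFC 6698.

```python
import struct
from typing import Tuple

# RDATA encoders producing the hex that Add-DnsServerResourceRecord -Type <n> -RecordData
# expects (RFC 3597 generic form), plus decoders/validators to check data before provisioning.

def encode_a(ipv4: str) -> bytes:
    """A record (type 1): the four address octets."""
    octets = [int(o) for o in ipv4.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ipv4}")
    return bytes(octets)

def encode_uri(priority: int, weight: int, target: str) -> bytes:
    """URI record (type 256, RFC 7553): 16-bit priority, 16-bit weight, then the target."""
    return struct.pack("!HH", priority, weight) + target.encode("ascii")

def decode_uri(rdata: bytes) -> Tuple[int, int, str]:
    """Inverse of encode_uri; rejects data shorter than the fixed 4-byte header."""
    if len(rdata) < 4:
        raise ValueError("URI RDATA shorter than its 4-byte header")
    priority, weight = struct.unpack("!HH", rdata[:4])
    return priority, weight, rdata[4:].decode("ascii")

# TLSA (type 52, RFC 6698): usage, selector, matching type, certificate association data.
# Matching type 1 (SHA-256) needs exactly 32 bytes, 2 (SHA-512) 64 bytes, 0 (full data) any length.
_TLSA_LEN = {0: None, 1: 32, 2: 64}

def encode_tlsa(usage: int, selector: int, matching: int, assoc_hex: str) -> bytes:
    data = bytes.fromhex(assoc_hex)
    expected = _TLSA_LEN[matching]
    if expected is not None and len(data) != expected:
        raise ValueError(f"matching type {matching} needs {expected} bytes, got {len(data)}")
    return bytes([usage, selector, matching]) + data

def tlsa_is_valid(usage: int, selector: int, matching: int, assoc_hex: str) -> bool:
    """Convenience check for data pasted into -CertificateAssociationData."""
    try:
        encode_tlsa(usage, selector, matching, assoc_hex)
        return True
    except (ValueError, KeyError):
        return False

def rfc3597_text(rdata: bytes) -> str:
    """Generic presentation form, as printed by named-rrchecker -u."""
    return f"\\# {len(rdata)} {rdata.hex()}"

def record_data_arg(rdata: bytes) -> str:
    """Value for -RecordData (hex digits; case does not matter)."""
    return rdata.hex().upper()
```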


Response Rate Limiting

DNS responses from DNS servers in the Internet (authoritative servers or DNS resolvers) can be misused for denial-of-service attacks

• A long-standing problem, but one that has been especially popular with attackers in the last five years

• For additional coverage on this topic, watch our webinar "The dangers of DNS reflection attacks" https://www.menandmice.com/resources/educational-resources/webinars/the-dangers-of-dns-reflection-attacks/


What is the problem

DNS is UDP, "stateless" communication, so source IP addresses can be spoofed.

[Diagram: a query with a "spoofed" source IP address is sent to some DNS server in the Internet; the answer is delivered to the owner of the "spoofed" IP address]


There are many many DNS servers to be found in the Internet


One Solution: Response Rate Limiting (RRL)

• RRL was developed by Vernon Schryver and Paul Vixie and implemented in BIND 9, NSD, Knot and PowerDNS. It is now also available in Windows Server 2016.

• since all DNS queries should go through a caching server, identical queries should not be seen from the same source within the TTL (Time to Live)

• if the DNS server sees (many) recurring identical queries within the TTL, it is likely an attack


• response rate limiting counts the number of identical responses sent to a given network

• will throttle outgoing responses if too many identical responses are sent

• allows legitimate clients in the victim's network to still resolve DNS data


• in case an attack is detected, (almost) empty answers are sent with "TC" flag set

• "TC" flag = answer truncated, retry over TCP

• real caching DNS server will repeat the query over TCP (slower, but harder to spoof)


• RRL enabled on an authoritative server
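An added illustration, not code from the webinar or from the Windows DNS server: a simplified response rate limiter in Python that implements the behaviour described on these slides (identical responses counted per /24 source network per time window; above the limit, responses are dropped, every second excess response is sent truncated with TC set so real resolvers retry over TCP, and every third leaks through so the victim network still resolves). The parameter names mirror the RRL concepts (responses per second, window, prefix length, TC rate, leak rate), but the exact decision order is an assumption of this example, not the Windows implementation.

```python
import ipaddress
from collections import defaultdict

class ResponseRateLimiter:
    """Simplified RRL: identical responses to one source network are counted
    per time window. Above the limit, most responses are dropped, every
    tc_rate-th is sent (almost) empty with TC=1 so a real resolver retries
    over TCP, and every leak_rate-th is sent normally so legitimate clients
    in a spoofed (victim) network still get answers."""

    def __init__(self, responses_per_sec=5, window_sec=5, prefix_len=24,
                 tc_rate=2, leak_rate=3):
        self.limit = responses_per_sec * window_sec   # identical responses per window
        self.window_sec = window_sec
        self.prefix_len = prefix_len     # group sources by /24 (IPv4)
        self.tc_rate = tc_rate
        self.leak_rate = leak_rate
        self.counts = defaultdict(int)   # (network, qname, qtype) -> responses in window
        self.window_start = {}

    def _key(self, src_ip, qname, qtype):
        net = ipaddress.ip_network(f"{src_ip}/{self.prefix_len}", strict=False)
        return (str(net), qname.lower(), qtype)

    def decide(self, now, src_ip, qname, qtype, tcp=False):
        """Return 'send', 'truncate' (TC=1, empty answer) or 'drop' for one response."""
        if tcp:
            return "send"   # TCP needs a handshake, so the source is not spoofed: never limited
        key = self._key(src_ip, qname, qtype)
        start = self.window_start.get(key)
        if start is None or now - start >= self.window_sec:
            self.window_start[key] = now   # new window: reset the counter
            self.counts[key] = 0
        self.counts[key] += 1
        over = self.counts[key] - self.limit
        if over <= 0:
            return "send"
        if over % self.tc_rate == 0:
            return "truncate"
        if over % self.leak_rate == 0:
            return "send"
        return "drop"

def summarize(rrl, now, src_ip, qname, qtype, count):
    """Decide `count` identical UDP responses and tally the outcomes (constructed input)."""
    tally = defaultdict(int)
    for _ in range(count):
        tally[rrl.decide(now, src_ip, qname, qtype)] += 1
    return dict(tally)

if __name__ == "__main__":
    # constructed flood: 100 identical queries "from" one victim /24 within a single window
    print(summarize(ResponseRateLimiter(), 0.0, "203.0.113.7", "www.example.com", "A", 100))
```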


Demo: RRL


Miscellaneous news

DHCP: Network Access Protection (NAP) has been removed from DHCPv4 in Windows Server 2016

Containers with Docker: lightweight separation of Applications on a single Windows Server 2016 instance (can be used to separate a DNS or DHCP server)

Nano-Server: minimal Windows Server 2016 image without GUI. Can be used to create a lightweight DNS-Server deployment

Software Defined Networking (SDN) and Layer-4 Load-Balancer: load-balance DNS server (for example DNS resolver)


Release Dates

Windows Server 2016 will be released in Q3 2016

Men & Mice Suite 7.3 (September 2016) will support Windows Server 2016

Many of the new features will be supported in the Men & Mice GUI and Web-UI


Upcoming Webinar

June 9th, 2016 - Yeti-DNS

Yeti-DNS - an international research project on the DNS root-server system

Interview with Shane Kerr of BII

How-To participate in Yeti-DNS with a DNS resolver


Thank you!

Questions? Comments?
