Small to big: Exploring the Security Application of DNS in Enterprise Domain Environments
DNS is used almost everywhere inside an enterprise. Since nobody wants to memorise raw IP addresses, DNS gives us simple names to remember instead of an address such as 192.168.10.1. That alone makes it a useful memory aid, but for deploying application systems DNS is indispensable, because those systems rely on SRV (service) records: examples are Exchange autodiscover and Lync automatic discovery. In practice SRV records are what make user logon convenient: the user enters only an account and password, the client automatically queries DNS SRV records to find an available logon server, and the logon process is transparent, so users only need to remember their own account. All of this is done through DNS, so this article looks at how DNS works together with Active Directory.
I. Environment Information
1.1 Device Information
II. Case Process
2.1 Initial Information
By default, DNS in the domain is installed integrated with AD.
An enterprise has a large number of internal devices, and assigning IP addresses to them manually is impractical. How is this solved? DHCP, which saves both time and effort, and it raises a question: what is the relationship between DHCP and DNS? Put simply, it breaks down into the following parts:
2.2 Relationship Between DHCP and PTR Records
2.3 Relationship Between PTR and A Records
The PTR record is created at the same time as the A record.
Of course, for a DHCP client to register its own IP address in DNS, the "Register this connection's addresses in DNS" check box must be enabled on the DNS tab of the TCP/IP protocol's advanced properties.
2.4 Dynamic Update Process
Dynamic update
Under what circumstances is a dynamic update triggered?
1. The IP address changes.
2. ipconfig /renew or ipconfig /release (lease renewal and IP release operations).
3. A manual ipconfig /registerdns.
4. The computer is shut down.
5. The PC is joined to a new domain during initial setup.
The following figures (not reproduced here) show how the client's DHCP request leads to the creation of its DNS record.
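The A/PTR pairing from 2.3 and the ipconfig /registerdns trigger from 2.4, as an added check that is not part of the original post: it forces a dynamic registration from the client and then verifies that the forward (A) and reverse (PTR) records agree. $Fqdn is an assumed host name; the DnsClient module cmdlets (Register-DnsClient, Resolve-DnsName) are standard on Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the original article). Assumed client FQDN; replace it.
$Fqdn = 'pc01.corp.example.com'

# Same effect as "ipconfig /registerdns": re-register this host's A and PTR records.
Register-DnsClient
Start-Sleep -Seconds 5      # give the DNS server a moment to commit the update

# Resolve the A record(s) directly from DNS (bypassing the local cache and hosts file).
$answers = Resolve-DnsName -Name $Fqdn -Type A -DnsOnly -ErrorAction Stop

foreach ($rec in ($answers | Where-Object QueryType -eq 'A')) {
    $ip = $rec.IPAddress
    # Reverse lookup: Resolve-DnsName accepts an IP address and queries the PTR record.
    $ptr   = Resolve-DnsName -Name $ip -Type PTR -DnsOnly -ErrorAction SilentlyContinue
    $names = @($ptr | Where-Object QueryType -eq 'PTR' | ForEach-Object NameHost)

    if ($names -contains $Fqdn) {
        "$ip -> $Fqdn : A and PTR agree"
    } elseif ($names.Count -eq 0) {
        # No PTR: reverse zone missing, or registration of the address is disabled on the client.
        "$ip -> $Fqdn : A exists but no PTR record"
    } else {
        # A PTR pointing at another name usually means a stale record from a reused address.
        "$ip -> $Fqdn : PTR points to $($names -join ', ') instead"
    }
}
```

A PTR that names a different host is the symptom the scavenging settings in 2.6 are meant to prevent.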
2.5 Case Description
The company has a PC that was used by an employee who has since left; the system is reinstalled and handed to a new employee. The old computer name is shown in the screenshot (not reproduced here).
1. Rename the PC.
2. Restart after the rename.
3. After the system restarts, DNS updates the record automatically.
2.6 Enhanced DNS Security
The above is a typical DNS use case: a PC obtains an IP address from DHCP, and an A record and a PTR record are generated. When the registered PC's host name or IP address changes, DNS is triggered to update the corresponding entries.
But over time DNS accumulates more and more records. What should be done?
Here we need to control how long records are kept.
On the properties page of a host A record entry you can see two important attributes:
Record time stamp: the time the record was originally created or last updated
Time to live (TTL): the lifetime of the entry
Configure the aging properties on the DNS server:
Scavenge stale resource records (enable)
Refresh interval
Last scavenging time
Set Aging/Scavenging for All Zones: this option applies the aging settings to all DNS zones hosted in the domain.
Scavenge Stale Resource Records: removes expired records, including A records and SRV records.
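The aging and scavenging configuration described above, as an added example that is not part of the original post: it enables aging on one zone, turns on server-wide scavenging, and then reports which dynamically registered A records would be removed, using the record time stamp and the two intervals. The zone name and interval values are assumptions; the cmdlets are from the DnsServer module shipped with Windows Server 2012 and later.

```powershell
# Added example (not from the original article). Assumed zone and intervals; adjust as needed.
#Requires -Modules DnsServer
$ZoneName  = 'corp.example.com'
$NoRefresh = New-TimeSpan -Days 7   # client refreshes inside this window do not touch the time stamp
$Refresh   = New-TimeSpan -Days 7   # refreshes inside this window update the time stamp

# 1. Enable aging on the zone so dynamically registered A/PTR/SRV records carry a time stamp.
Set-DnsServerZoneAging -Name $ZoneName -Aging $true `
    -NoRefreshInterval $NoRefresh -RefreshInterval $Refresh

# 2. Enable scavenging on the server (the "scavenge stale resource records" setting).
#    Stale records are only deleted when a scavenging run happens, once per ScavengingInterval.
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval (New-TimeSpan -Days 7)

# 3. Audit: a record is stale once time stamp + NoRefresh + Refresh lies in the past.
#    Static records (manually created) have no time stamp and are never scavenged.
$aging  = Get-DnsServerZoneAging -Name $ZoneName
$cutoff = (Get-Date) - $aging.NoRefreshInterval - $aging.RefreshInterval

Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
    Select-Object HostName, Timestamp,
        @{ n = 'Address'; e = { $_.RecordData.IPv4Address } },
        @{ n = 'State';   e = {
            if (-not $_.Timestamp)            { 'static (never scavenged)' }
            elseif ($_.Timestamp -lt $cutoff) { 'STALE: eligible for scavenging' }
            else                              { 'current' } } } |
    Sort-Object Timestamp | Format-Table -AutoSize

# 4. Confirm the zone accepts only secure dynamic updates: with "Secure" only authenticated
#    domain members can register or overwrite records, which keeps one host from
#    replacing another host's A/PTR entry.
Get-DnsServerZone -Name $ZoneName | Select-Object ZoneName, IsDsIntegrated, DynamicUpdate
```

Run step 3 on its own first; once the list of records marked STALE looks right, Start-DnsServerScavenging -Force triggers an immediate scavenging run.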
That covers how DNS resources are used in the domain and how DNS records are managed. There are further security measures as well, such as secure zones and secure DNS replication; all of this shows that DNS remains very important in a domain environment.
This article is from the "server & security" blog. For more information, please contact the author.