Windows2000 Dynamic DNS security considerations

Windows2000 domain name resolution is based on dynamic DNS, and the Implementation of Dynamic DNS is based on RFC 2136. In Windows 2000, Dynamic DNS is integrated with DHCP, WINS, and Active Directory (AD. There are three methods to implement DNS in Windows 2000 Domain: primary DNS integrated with the Active Directory, secondary DNS not integrated with the Active Directory, primary DNS not integrated with the Active Directory, and secondary DNS not integrated with the Active Directory. After the DNS is integrated into the Active Directory, we can use three important security features in the Windows2000 Network: security dynamic update, secure region transmission, and access control list for regions and resource records.

I. Security Updates

One of the most important security features in Dynamic DNS is Security Update. When implementing security updates, a major consideration is the ownership of records composed of DNS items. The ownership is determined by DHCP configuration and client support.

There are two types of DNS records related to the client: A record and PTR record. A record resolves the name to the address, while PTR record resolves the address to the name. An address refers to the IP address of a client. The name refers to a customer's fully qualified domain name. It should be a computer name and a network domain name.

In Windows 2000, when a client requests an IP address through DHCP, the DNS record of the client is registered. Based on the settings, the client, DHCP server, or both can update the record and PTR record of the customer. Whoever registers the record will have ownership of the record.

The following is an option to define the customer's A record and PTR record ownership in the Windows2000 network.

1. Windows2000 Local Mode

In Windows, DHCP servers and DHCP clients can register records through DNS. When the network is only composed of servers and clients of windows, this type of Windows environment is defined as "Local Mode ".

When the client is A Windows customer, the default configuration is to dynamically update its own A record when the customer registers on the network. At the same time, the DHCP server updates the customer's PTR record. Therefore, the ownership of the record belongs to the client, and the ownership of the PTR record belongs to the DHCP server.

The second possible configuration is the update of forward and reverse lookup by the DHCP server. In this case, the DHCP server has both A record and PTR record.

The third possible configuration is that the DHCP server is configured to not perform dynamic updates. In this case, the client updates the record and PTR record, and also has the ownership of the record.

2. Windows2000 hybrid mode

In a hybrid environment, DHCP clients cannot be registered under DNS. The so-called hybrid mode means that there are WindowsNT4.0 or Windows98 customers in addition to Windows2000 servers and clients.

Previous clients such as WindowsNT4.0 and Windows9x cannot be directly registered through DNS. Because only the DHCP server can register records through DNS, the only choice in A hybrid environment is to have the DHCP server register A record and PTR record. In this case, the server has the ownership of the forward and reverse query records.

3. Security Updates

In Windows, security dynamic updates are only available when the Active Directory is integrated with the DNS region. What does security dynamic update mean? In Windows, it means that the ACL of the Active Directory is used to set the permissions of users and groups to modify the DNS region and/or its resource records. To allow updates to the DNS region and/or its resource records, dynamic updates also use secure channels and authentication in addition to ACL.

Windows2000 supports security dynamic updates using the "GSS Algorithm for TSIG" (GSS-TSIG) Algorithm drafted by IETF. This algorithm uses Kerberos v5 as the priority authentication protocol and the GSS-API is defined in RFC2078.

2. Region

1. region type

In Windows 2000, you can configure the DNS region as the primary region, secondary region, or Active Directory integration.

The functions of the Primary and Secondary regions are the same as those in Unix and NT4.0 environments. In addition, the DNS database is independent from other databases such as WINS and DHCP, and replication is set independently from other Replication Services. If some servers in the network run less

For the bind version 8.1.2, the primary/secondary zone must be used, because dynamic updates are not supported in earlier versions.

If the Active Directory is installed, the DNS region can be the Active Directory integration region. This means that the DNS region database becomes a part of the active directory database. Each record is an object in the Active Directory, and each Active Directory object has its own ACL (Access Control List ).

2. Type of regional transmission or replication

DNS in Windows 2000 can support AXFR or IXFR. AXFR or all regions are transmitted, which is a copy of the database files in the entire region. IXFR or incremental zone transmission only copies changes in regional databases. If the region type is set to the primary or secondary region, you can apply these region replication methods. IXFR supports BIND 8.2.1 and later versions.

When DNS is integrated with the Active Directory, all region and resource records become objects in the Active Directory database. Active Directory replication is based on the multi-host model.

One of the advantages of the multi-host model is that there is no single point of failure. This is possible because DNS is part of the active directory database, and the active directory database is copied to all domain controllers.

The second advantage of the multi-host model is that you only need to set a replication topology. The DNS region database becomes a part of the Active Directory data, so the DNS region transmission is completed as part of the Active Directory replication.

3. Regional Transmission Security

If the DNS configuration of Windows 2000 is the primary/secondary area, encryption and compression cannot be used. To be compatible with BIND, Windows 2000 supports AXFR. Each message sends/receives one or more resource records. In versions earlier than BIND4.9.4, multiple resource records cannot be transmitted by one message. Windows 2000 supports IXFR for BIND8.2.1 and Windows for BIND8.1.2.

When the DNS configuration of Windows 2000 is integrated with the Active Directory, the replication process becomes part of the Active Directory replication, So it uses encryption and compression automatically.

Use Kerberos v5 for encryption in Windows 2000. Communication channels between controllers are automatically encrypted without administrator configuration.

When the Active Directory is updated between "bridgehead" servers, it is automatically compressed. The bridgehead server is automatically generated on the local LAN server. When the Active Directory is updated using the WAN link, the bridgehead server of each LAN will communicate with other bridgehead servers, this will greatly reduce the traffic through the WAN link. In this case, it is automatically compressed to save bandwidth.

3. Integrate the Active Directory into the DNS Region

In Windows 2000, the Active Directory is integrated with DDNS. Therefore, the first step to implement active directory security is to implement DDNS security.

1. File System

Use NTFS. Windows 2000 is NTFS v5, which allows you to set file and Folder Security, encrypt file systems, and review. NTFS v5 does not match the prefix

NTFS compatibility. Only NTFS v5 can be read from NT4.0 with Service Pack 4 or later installed.

NTFS restricts network or local access to files by setting access permissions for folders and files.

NTFS and shared permissions can be used to precisely control permissions and inherit relationships.

2. Registry

Using the Registry Editor to edit DACL is related to the Configuration unit of each registry. For details, see "Windows NT Security, Step-by-Step" published by SANS ".

3. Enterprise Administrator and Schema Administrator Group

After creating a Windows Network, restrict access to these two administrator groups. These groups appear under the root domain and have the highest permissions. According to the domain structure, management can be delegated to the domain structure, so management can be limited to a single domain.

4. Encrypted File System

NTFS in Windows provides the option to use an encrypted file system. EFS uses public key-based technology to further restrict unauthorized access to files.

5. DNS in the Active Directory

DNS installation will expand the Active Directory architecture, including the DNSUpdateProxy group. This is a very powerful group that allows creation of objects, which is insecure. When this happens, any authorized user can gain ownership of these objects.

The A record and PTR record of the client in DNS are updated in the DHCP processing process, which is described in detail. When both the client and server are windows, security dynamic updates can be installed by default. When other users need support, security dynamic updates cannot be completed, unless the DHCP server is added to the DNSUpdateProxy group and added to the DNSUpdateProxy group, the DHCP server is allowed to perform dynamic updates for earlier clients.

If the DHCP service runs on a domain controller, it is important to add a DHCP server to the DNSUpdateProxy group, which allows all users or computers to fully control the DNS records of the corresponding domain controller.

6. Ownership of resource records

DHCP servers cannot perform security dynamic updates on early clients, which is very important in the Windows2000 network. If this happens, the activity record cannot be completely updated. For example, an NT4.0 client registers a name in the DNS through the DHCP server. This name remains the same when the machine is upgraded to Windows2000. Because the DHCP server first registers the name and owns the resource ownership of the name, Windows 2000 users cannot update their own names.

7. Find WINS

As the final warning of Windows 2000, I will translate why WINS will be the most likely part of the Windows network. Why? For all non-Windows2000 customers, NetBios resolution is still required. Similarly, all programs that require NetBios will also require WINS for name resolution. WINS is directly integrated into DNS through two specific resource records: WINS and WINS-R. This performs forward and reverse record searches for WINS respectively.

Iv. Conclusion

In short, it is very important to understand the process of using DNS in Windows2000. A brief description is provided in section 1.0 "security dynamic update" and section 2.0 "area. It is also important to understand "gotchas" and "caveats" of Windows2000. Part 2 the Active Directory integration DNS area lists related projects.