[ActiveDir] DNS Forwarding

2005-10-27 Thread Edwin

Is it possible within MSFT DNS to only accept DNS forwards
from internal requests?

Please consider the fact that a domain may not always be
configured to look at internal DNS servers only. Also, it is not required
for a domain to be used when DNS services are required. DNS may be
configured on a machine that is for either internal or external use or both.

If this is possible, this will help with "DNS Smurfing"
attacks that could affect a network.

If you haven't read it already, you may find the
information in the URL http://www.measurement-factory.com/press/20051024.html
useful. This article brings me to my question about preventing external
DNS forwards.

Thanks,

Edwin


Re: [ActiveDir] DNS Forwarding

2005-10-27 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Why not use root hints instead?

cough in our little SBS wizard... at the screen where you are prompted 
to enter dns forwarders, you hit 'cancel' and it sets up root hints

http://www.sbslinks.com/images/time.h71.gif

If you are concerned about dns forwarding... which you should be  
you don't even want to forward from internal requests.


Us little SBS boxes are wizard recommended to DNS forwarders.. BUT... if 
we forward to an upstream BIND 5 or 7... even though we look inward for 
our DNS and do not expose our port 53, we are reliant on the kindness 
and patching of those BIND servers.


Microsoft DNS servers since Windows 2003 sp3 [if I remember right] have 
been prevented from poisoning 'to' other folks. But if we rely [forward] 
on a poisoned BIND DNS server, we can get nailed.



I don't know if I ever got back to this but one of the Networking guys 
walked me through setting up this

DNS:
http://www.sbslinks.com/DNS.htm


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] DNS Forwarding

2005-10-27 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

That's Windows 2000 sp3 btw not Windows 2003 sp3  :-)


RE: [ActiveDir] DNS Forwarding

2005-10-27 Thread beads

Forward recursion. You shouldn't have
to allow forward recursions from outside your internal network(s) to foreign
domains. If someone has an answer for this I would be very much pleased.
It's also a difficult way to do DNS poisoning. Difficult but not impossible.



Brent Eads
Employee Technology Solutions, Inc.








Edwin [EMAIL PROTECTED], sent 10/27/2005 10:39 AM to ActiveDir@mail.activedir.org, wrote:

Let's say that a DNS packet is sent across the network to a DNS server and
is x in size. Everything works as it should be and all is great.

But someone wants to have fun and then sends out a DNS request that is xxx
or greater in packet size to a DNS Server. The packets are small enough
not to come across to the DNS servers as a valid request.

DNS does not know how to resolve it so it bounces the request to a Root
Server or other configured DNS servers. The request never gets resolved
because the packet is not correct.

The end result is a DDOS on the network.

Removing forwarding is not an option in MSFT DNS (as far as I can tell).
The *nix servers do not have this problem.

I think the confusion is because I mentioned "DNS Smurfing", which is of
concern, without putting emphasis on DDOS.

The internal network would still need to resolve external non-authoritative
requests.

Thanks,
Edwin


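Edwin's question (answer recursive queries only for internal clients) and beads' point about forward recursion run into a limit of the Windows Server 2003-era DNS service: recursion is a single server-wide switch, so the server either recurses for everyone who can reach port 53 or for nobody, which is why Susan's "look inward and do not expose port 53" matters. The following is an added example, not from any post in this thread, showing that switch alongside the per-client recursion scoping that later Windows DNS versions (Windows Server 2016 and newer, DnsServer PowerShell module) provide. DC01, EXT-DNS01, the subnets, the scope and policy names and the test addresses are placeholders.

```powershell
# Added example, not from the original thread. DC01, EXT-DNS01, the subnets,
# the scope/policy names and the test addresses are placeholders.

# --- Option A: all-or-nothing (works on Windows Server 2003-era DNS) ----------
# With recursion disabled the server answers only for zones it hosts.
# Only do this on a server that is not also the internal resolver, e.g. a
# dedicated Internet-facing authoritative server.
dnscmd EXT-DNS01 /Config /NoRecursion 1

# --- Option B: per-client recursion scope (Windows Server 2016 and later) -----
Import-Module DnsServer

# 1. Name the internal address space that may use the server as a resolver.
Add-DnsServerClientSubnet -ComputerName DC01 -Name "Internal" `
    -IPv4Subnet "10.0.0.0/8", "192.168.0.0/16"

# 2. Fail closed: the default scope "." no longer recurses for anyone ...
Set-DnsServerRecursionScope -ComputerName DC01 -Name "." -EnableRecursion $false

# ... and a named scope does recurse, handed out only by policy.
Add-DnsServerRecursionScope -ComputerName DC01 -Name "InternalClients" -EnableRecursion $true

# 3. Route queries whose source lies inside "Internal" to the recursive scope.
#    Everyone else gets authoritative answers only (no forwarding, no root walk).
Add-DnsServerQueryResolutionPolicy -ComputerName DC01 -Name "RecurseForInternalOnly" `
    -Action ALLOW -ApplyOnRecursion -RecursionScope "InternalClients" `
    -ClientSubnet "EQ,Internal"

# --- Verification ------------------------------------------------------------
# From an internal host: a name the server is not authoritative for resolves.
Resolve-DnsName -Name www.example.com -Server DC01 -DnsOnly

# From a host outside the internal subnets, against the server's public side:
# the same query should now fail rather than be chased out to the Internet.
$ExternalSide = "198.51.100.10"   # placeholder address (documentation range)
Resolve-DnsName -Name www.example.com -Server $ExternalSide -DnsOnly -ErrorAction Continue
```

The second verification query is the check worth keeping in a runbook: it is the same test the Measurement Factory survey Edwin links to ran at scale, asked of your own server from outside.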
Re: [ActiveDir] DNS Forwarding

2005-10-27 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
I use root hints here and at home just fine as my DNS resolution scheme 
and have removed DNS forwarding for external requests.


Removing DNS forwarders just means that it takes a smidge longer to 
resolve external requests.


I look inward to the DC for my DNS, it then uses root hints.  There's 
two stages going on in my network.




--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com




RE: [ActiveDir] DNS Forwarding

2005-10-27 Thread deji
I am having a little difficulty following the question here.

Could you elaborate more on "The packets are small enough not to come across
to the DNS servers as a valid request"? Packet too big, I can understand. Too
small?

This: "Removing forwarding is not an option in MSFT DNS (as far as I can
tell)." is incorrect, too. Why do you think you can't remove forwarding? It's
simple enough to do. You can indeed tell MS DNS to not forward at all and go
chase the info down on its own - as long as the DNS server can reach outside.

If you could rephrase your question, maybe we can answer it directly. What
exactly are you trying to do, and what problem are you running into exactly?
Would be better if you don't make it a commentary.

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
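Susan's suggestion at the top of the thread (drop the forwarders and let the server walk down from the root hints, which the SBS wizard does when you cancel the forwarder screen) and deji's remark that MS DNS can be told not to forward at all describe the same configuration change. Here it is as an added example, not from the thread or from the SBS wizard: the dnscmd form available on the Windows Server 2003-era servers being discussed, and the equivalent DnsServer PowerShell module cmdlets (Windows Server 2012 and later), followed by the check that resolution via root hints actually works afterwards. DC01 is a placeholder server name.

```powershell
# Added example, not from the original thread. DC01 is a placeholder server name.

# --- Windows Server 2003 era: dnscmd ------------------------------------------
# /ResetForwarders with no addresses clears the forwarder list, so the server
# resolves external names itself from its root hints instead of trusting an
# upstream resolver's cache (Susan's "kindness and patching of those BIND servers").
dnscmd DC01 /ResetForwarders

# --- Windows Server 2012 and later: DnsServer module --------------------------
Import-Module DnsServer

$fwd = (Get-DnsServerForwarder -ComputerName DC01).IPAddress
if ($fwd) {
    Remove-DnsServerForwarder -ComputerName DC01 -IPAddress $fwd -Force
}

# Without forwarders the server can only resolve external names if it has root
# hints loaded and can reach the root servers outbound on port 53 (deji's
# "as long as the DNS server can reach outside"), so check both.
$roots = Get-DnsServerRootHint -ComputerName DC01
if (-not $roots) {
    Write-Warning "DC01 has no root hints; external names will not resolve without forwarders."
}

# Reusable check: does the server still answer a name it is not authoritative
# for, i.e. is recursion via root hints working? Expect $true internally.
function Test-RootHintResolution {
    param([string]$Server, [string]$Name = "www.example.com")
    try {
        $null = Resolve-DnsName -Name $Name -Server $Server -DnsOnly -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}
Test-RootHintResolution -Server DC01
```

Run the check from an internal client after the change; the first lookups take a little longer, as Susan notes, because the server now walks from the root instead of hitting a warm upstream cache, but the result should be $true. If it is $false, the usual cause is outbound port 53 being blocked at the perimeter, not the DNS configuration.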