DNS Security – DNSSEC
DNSKEY This record stores the public key that is used to cryptographically validate signed DNS records. In public key infrastructure (PKI) terms, the DNS server signs the zone's records with its private key, and the records' integrity is validated by using the corresponding public key published in DNSKEY. Note that in DNSSEC it's the DNS server (the validating resolver) that performs the record validation on behalf of DNS clients.
RRSIG This record is the digital signature for a particular DNS record. If even a single bit of a resource record is changed (as would occur in a cache poisoning or spoofing attack), the signature validation breaks and resolution fails for that request.
NSEC3 This record supports authenticated denial of existence. In other words, the DNS server can authoritatively claim that a given resource record does NOT exist.
Resolve-DnsName -Name test.secops.test -Type A -DnssecOk
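As an added example (not part of the original notes), the query above extended so the returned records are split into the A data and the RRSIG signatures covering it, with a warning when no signature comes back. The server address 10.0.0.10 and the zone secops.test are lab placeholders; Resolve-DnsName, its -DnssecOk and -Server parameters, and the Type/IPAddress properties of its output records are those of the Windows DnsClient module.

```powershell
# Added example, not from the original notes. Lab placeholders: a DNS server at
# 10.0.0.10 hosting the DNSSEC-signed zone secops.test.
$server = '10.0.0.10'
$name   = 'test.secops.test'

# -DnssecOk sets the DO bit in the query, asking the server to include the
# RRSIG records alongside the answer instead of stripping them.
$records = Resolve-DnsName -Name $name -Type A -DnssecOk -Server $server -ErrorAction Stop

# Separate the data records from the signatures that cover them.
$aRecords = @($records | Where-Object { $_.Type -eq 'A' })
$rrsigs   = @($records | Where-Object { $_.Type -eq 'RRSIG' })

$aRecords | Select-Object Name, Type, TTL, IPAddress | Format-Table -AutoSize
$rrsigs   | Select-Object Name, Type, TTL            | Format-Table -AutoSize

# A signed zone answers an A query with at least one RRSIG over the A record set.
# No RRSIG means the zone is unsigned, the server is not DNSSEC-aware, or a
# middlebox removed the signatures; none of those is a validated answer.
if ($rrsigs.Count -eq 0) {
    Write-Warning "No RRSIG returned for $name from $server; the answer cannot be validated."
} else {
    Write-Output "$name : $($aRecords.Count) A record(s) covered by $($rrsigs.Count) RRSIG record(s)"
}
```

Run this against both a signed and an unsigned zone on the same server to see the difference: only the signed zone returns RRSIG entries, and that is the presence a validating resolver relies on before it sets the AD flag for the client.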
Name Resolution Policy Table (NRPT)
We can use Group Policy to establish rules that affected nodes apply when performing DNS queries. For example, we can force all domain nodes to request DNSSEC record validation whenever they query one of our infrastructure DNS servers.
Configure NRPT rules in the following Group Policy path:
Computer Configuration\Policies\Windows Settings\Name Resolution Policy
Under Create Rules, we can specify which DNS zone to scope for DNSSEC. Select Enable DNSSEC In This Rule to require that DNS clients check that name and address data has been validated by the server.
Optionally, select Use IPsec In Communication Between The DNS Client And The DNS Server. With the No Encryption (Integrity Only) option, we can layer IPsec into our DNS traffic without incurring the overhead penalty of data encryption.
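As an added example (not part of the original notes), the same NRPT rule described above built with the DnsClient PowerShell cmdlets instead of the Group Policy editor: DNSSEC validation required for the zone, and IPsec required in integrity-only mode. The namespace .secops.test and server 10.0.0.10 are lab placeholders; the cmdlets Add-DnsClientNrptRule, Get-DnsClientNrptRule and Get-DnsClientNrptPolicy and the parameters shown are assumed to be those of the Windows DnsClient module (Windows 8 / Server 2012 and later).

```powershell
# Added example, not from the original notes. Lab placeholders: the zone
# secops.test and an infrastructure DNS server at 10.0.0.10.
$namespace = '.secops.test'   # leading dot scopes the rule to every name in the zone
$dnsServer = '10.0.0.10'

# Equivalent of "Enable DNSSEC In This Rule" plus
# "Use IPsec ... No Encryption (Integrity Only)" in the Group Policy UI.
# -DnsSecValidationRequired makes the client refuse answers the server did not validate;
# -DnsSecIPsecEncryptionType None keeps IPsec to integrity protection only.
Add-DnsClientNrptRule -Namespace $namespace `
    -NameServers $dnsServer `
    -DnsSecEnable `
    -DnsSecValidationRequired `
    -DnsSecIPsecRequired `
    -DnsSecIPsecEncryptionType None `
    -Comment 'Require DNSSEC validation for secops.test; IPsec integrity only'

# Confirm the rule was stored as intended.
Get-DnsClientNrptRule | Where-Object { $_.Namespace -eq $namespace } | Format-List *

# Show the effective policy the client actually applies, which merges local rules
# with any rules pushed through Group Policy.
Get-DnsClientNrptPolicy | Where-Object { $_.Namespace -eq $namespace } | Format-List *
```

Add-DnsClientNrptRule without further options writes a local rule on the machine where it runs; to create the rule in a domain GPO instead (the approach the notes describe), the same cmdlet accepts a -GpoName parameter naming the target policy object, after which the rule reaches domain members through the Group Policy path listed above.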