[network security] Configure enterprise security using DNSSEC

Takahiro Oda
6 min read · Dec 29, 2021


Overview

DNSSEC is a DNS security extension that authenticates the responses to domain name lookups. It provides no privacy for lookups, but it stops an attacker from modifying or poisoning the responses to DNS queries.

Three things are required:

1. The DNS zone for the domain must have DNSSEC records for public keys (DNSKEY), signatures (RRSIG), and non-existence (NSEC) to authenticate the zone’s contents.

2. The top-level domain (TLD) registry must have a DS record that authenticates a DNSKEY record in the zone.

3. A DNS resolver that validates the signatures of DNSSEC-signed domains.

In Server Manager, open DNS.

Under Forward Lookup Zones, choose New Zone.

Verify that secure.CAST.com is shown.

Add the DNS records.

Add the new host record.

In the System Properties dialog box, on the Remote tab, check Allow remote connections to this computer and uncheck Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended).

Server manager > local server > system properties > change

Restart the computer.

Server manager > DNS > properties

Click Edit to set the IP address.

Enter the domain.

Restart the computer.

Type the following command and press Enter:

Resolve-DnsName DC.secure.CAST.com -Server DNS-Server -DnssecOk

Note: The -DnssecOk option in the command above tells the DNS server that the client understands DNSSEC and can accept the additional DNSSEC records in the response. Since the zone is not yet signed, no signature (RRSIG) records appear in the response.

Type the following command and press Enter.

mstsc /v:DC.secure.CAST.com

We need to sign the secure.CAST.com zone and distribute a trust anchor. Trust anchor distribution is manual for DNS servers that are not domain controllers, such as DNS-Server. Automatic trust anchor distribution can be enabled for Active Directory-integrated DNS servers such as Server-05.

Two DNSKEY trust points are displayed, one for the active key and one for the standby key.

Switch to the Client-02 machine, open Windows PowerShell and type the following command:

Resolve-DnsName -Name secure.CAST.com.trustanchors -Type DNSKEY -Server DNS-Server

Switch to the DNS-Server machine (**Server-04**). In an Administrator Windows PowerShell, type the following command and press Enter:

Get-DnsServerTrustAnchor -Name secure.CAST.com

  • Switch to the Server-05 machine and open DNS Manager. In the DNS Manager console tree, navigate to Forward Lookup Zones | secure.CAST.com.
  • Right-click secure.CAST.com and click Refresh. Ensure that the trust anchors for secure.CAST.com are present. This process may take some time.

Right-click secure.CAST.com, point to DNSSEC and then click Properties.

At the Windows PowerShell prompt, type the following command:

Resolve-DnsName DC.secure.CAST.com -Server DNS-Server -DnssecOk

To verify that DNSSEC validation is not currently required, type the following command:

Get-DnsClientNrptPolicy

There should be no output from this command, because validation has not yet been required. An example of this is shown in the screenshot.

Navigate to Computer Configuration | Policies | Windows Settings | Name Resolution Policy.

In the details pane, under Create Rules and To which part of the namespace does this rule apply, choose Suffix from the drop-down list and type secure.CAST.com next to Suffix.

On the DNSSEC tab, select the Enable DNSSEC in this rule checkbox and then, under Validation, select the **Require DNS clients to check that name and address data has been validated by the DNS server** checkbox. In the bottom right corner, click Create.

Verify that a rule for secure.CAST.com is added under Name Resolution Policy Table at the bottom of the same page. Click Apply, and then close the Group Policy Management Editor.
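The checks above can be collected into one script run from the client once the zone is signed and the policy has been applied. This is an added example, not code from the original post; it assumes the lab names used above (zone secure.CAST.com, host DC.secure.CAST.com, resolver DNS-Server) and uses only the Resolve-DnsName and Get-DnsClientNrptPolicy cmdlets already shown.

```powershell
# Added verification script (not part of the original post). Assumes the lab
# names used in this post: zone secure.CAST.com, host DC.secure.CAST.com and
# the validating resolver DNS-Server. Run on the client after signing the zone
# and applying the NRPT rule from Group Policy.
$Zone     = 'secure.CAST.com'
$HostName = "DC.$Zone"
$Resolver = 'DNS-Server'

# 1. Query with the DNSSEC OK bit set. A signed zone returns RRSIG records next
#    to the A record; an unsigned zone (as earlier in the post) returns only A.
$answer = Resolve-DnsName -Name $HostName -Server $Resolver -DnssecOk -DnsOnly
$aRecords = @($answer | Where-Object Type -eq 'A')
$rrsigs   = @($answer | Where-Object Type -eq 'RRSIG')
if ($rrsigs.Count -eq 0) {
    Write-Warning "No RRSIG returned for ${HostName}: the zone is not signed or the resolver is not returning DNSSEC data"
} else {
    Write-Host ("{0} A record(s) and {1} RRSIG record(s) for {2}" -f $aRecords.Count, $rrsigs.Count, $HostName)
}

# 2. The trust anchors held by the resolver are published in the TrustAnchors
#    zone; expect two DNSKEY trust points (active key and standby key).
$dnskeys = @(Resolve-DnsName -Name "$Zone.trustanchors" -Type DNSKEY -Server $Resolver -DnsOnly -ErrorAction SilentlyContinue)
if ($dnskeys.Count -eq 0) {
    Write-Warning "No DNSKEY trust anchors found for $Zone on $Resolver"
} else {
    Write-Host ("{0} DNSKEY trust point(s) for {1}" -f $dnskeys.Count, $Zone)
}

# 3. Without an NRPT rule that requires validation, the client still accepts
#    unvalidated answers even though the zone is signed. Get-DnsClientNrptPolicy
#    returns nothing at all until a rule has been applied.
$rule = Get-DnsClientNrptPolicy | Where-Object { $_.Namespace -like "*$Zone" }
if (-not $rule) {
    Write-Warning "No NRPT rule for $Zone on this client; DNSSEC validation is not required"
} elseif (-not $rule.DnsSecValidationRequired) {
    Write-Warning "NRPT rule for $($rule.Namespace) exists but does not require validation"
} else {
    Write-Host "NRPT rule for $($rule.Namespace) requires DNSSEC validation"
}
```

The three warnings correspond to the three failure modes the post walks through: unsigned zone, missing trust anchor, and no validation requirement on the client.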
