Tuesday, October 30, 2012

Windows 2008 DNS features


Compared to Windows 2003, Windows 2008 has more features and improvements. In this article I will discuss the improvements related to DNS; Microsoft made improvements that were genuinely needed in IT environments. The Windows 2008 DNS features are listed below.

Background zone loading: If you are an administrator for a large environment you will have seen this issue: after a DNS server restart it takes some time to load the DNS zones, and until then the server will not respond to any DNS query from clients (it will not even respond to nslookup); you have to wait for the server to finish loading the zones. This issue has been rectified in the Windows 2008 DNS server, since zone data is now loaded in the background while the DNS server restarts, so the DNS server responds to client queries very quickly.

IP version 6 support: The Windows 2008 DNS Server fully supports the longer addresses of the IPv6 specification.

Support for read-only domain controllers (RODCs): We are able to modify a primary DNS zone, but what about the primary zone on a read-only domain controller? We can't modify or update the primary zone on a read-only domain controller, so Windows 2008 server provides primary read-only zones on RODCs.

Global single names: It is not required to add DNS suffixes for name resolution across the various domain names; the GlobalNames zone provides single-label name resolution for large enterprise networks. If your environment doesn't have WINS, or you are planning on deploying IPv6-only in your environment, then you need to deploy the GlobalNames zone. It is useful when using DNS name suffixes to provide single-label name resolution is not practical.

Global query block list: Clients of such protocols as the Web Proxy Auto-Discovery Protocol (WPAD) and the Intra-site Automatic Tunnel Addressing Protocol (ISATAP) that rely on DNS name resolution to resolve well-known host names are vulnerable to malicious users who use dynamic update to register host computers that pose as legitimate servers. The DNS Server role in Windows Server 2008 provides a global query block list that can help reduce this vulnerability.

DNS Security Extensions (DNSSEC): DNSSEC works by digitally signing DNS resource records using public-key cryptography so that lookups can be validated. The correct DNSKEY record is authenticated via a chain of trust, starting with a set of verified public keys for the DNS root zone, which is the trusted third party.
The following DNSSEC related features are introduced in Windows Server 2008 R2:
  • The ability to sign a zone (that is, to provide the zone a digital signature)
  • The ability to host signed zones
  • New support for the DNSSEC protocol
  • New support for DNSKEY, RRSIG, NSEC, and DS resource records
A key feature of DNSSEC is that it enables you to sign a DNS zone, which means that all the records for that zone are also signed. The DNS client can take advantage of the digital signature added to the resource records to confirm that they are valid. This is typical of what you see in other areas where you have deployed services that depend on PKI. The DNS client can validate that the response hasn't been changed using the public/private key pair. In order to do this, the DNS client has to be configured to trust the signer of the signed zone.
The new Windows Server 2008 R2 DNSSEC support enables you to sign file-based and Active Directory integrated zones through an offline zone signing tool. I know it would have been easier to have a GUI interface for this. When configured with a trust anchor, a DNS server is able to validate DNSSEC responses received on behalf of the client. However, in order to prove that a DNS answer is correct, you need to know at least one key or DS record that is correct from sources other than the DNS. These starting points are called trust anchors.
Another change in the Windows 7 and Windows Server 2008 R2 DNS client is that it acts as a security-aware stub resolver. This means that the DNS client will let the DNS server handle the security validation tasks, but it will consume the results of the security validation efforts performed by the DNS server. The DNS clients take advantage of the Name Resolution Policy Table (NRPT) to determine when they should check for validation results. After the client confirms that the response is valid, it will return the results of the DNS query to the application that triggered the initial DNS query.

DNS Cache Locking: Using DNS cache locking in Windows Server 2008 R2 enables you to control whether information contained in the DNS cache can be overwritten. If you turn on DNS cache locking, the DNS server will not allow cached records to be overwritten for the duration of their time to live (TTL) value. This helps protect your DNS server from cache poisoning.
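The following script is an added example (not code from the original post) that audits the three hardening settings described above, cache locking, the global query block list and GlobalNames support, on a Windows Server 2008 R2 DNS server. It assumes the documented DNS Server parameter value names under HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters and the dnscmd /Config switches of the same names; run it in an elevated PowerShell session on the DNS server itself.

```powershell
# Added audit example, not part of the original article.
# Assumed registry location and value names (documented DNS Server parameters).
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$p = Get-ItemProperty -Path $paramsKey -ErrorAction Stop

# Return the stored value, or the documented default when the value is absent.
function Get-DnsParam([string]$Name, $Default) {
    if ($null -ne $p.$Name) { return $p.$Name } else { return $Default }
}

$findings = @()

# 1. Cache locking: 100 means a cached record cannot be overwritten before its
#    TTL expires; any lower value widens the window for cache poisoning.
$lock = [int](Get-DnsParam 'CacheLockingPercent' 100)
if ($lock -lt 100) {
    $findings += "CacheLockingPercent is $lock (weak). Fix: dnscmd /Config /CacheLockingPercent 100"
}

# 2. Global query block list: must be enabled and still contain the well-known
#    names (wpad, isatap) that a rogue dynamic update would try to register.
$gqblEnabled = [int](Get-DnsParam 'EnableGlobalQueryBlockList' 1)
$gqbl = @(Get-DnsParam 'GlobalQueryBlockList' @('wpad', 'isatap')) | ForEach-Object { $_.ToLower() }
if ($gqblEnabled -ne 1) {
    $findings += "Global query block list is disabled. Fix: dnscmd /Config /EnableGlobalQueryBlockList 1"
}
foreach ($name in 'wpad', 'isatap') {
    if ($gqbl -notcontains $name) {
        $findings += "'$name' is missing from the block list. Fix: dnscmd /Config /GlobalQueryBlockList wpad isatap"
    }
}

# 3. GlobalNames zone support: informational, since it is only needed when you
#    rely on single-label names without WINS.
$gnz = [int](Get-DnsParam 'EnableGlobalNamesSupport' 0)
Write-Host "GlobalNames zone support: $(if ($gnz -eq 1) { 'enabled' } else { 'disabled' })"

if ($findings.Count -eq 0) {
    Write-Host 'No weak DNS server settings found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

A cache locking change made with dnscmd /Config takes effect after the DNS Server service is restarted, so re-run the audit afterwards to confirm the stored value.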
