Jump to content
Angus Robertson

Windows DNS Server

Recommended Posts

Has anyone looked at automating management of the Windows DNS Server, such as adding and deleting resource records? 

 

It can be done using the WMI namespace root\MicrosoftDNS, done a couple of quick tests, I just need to add and remove TXT records (for Let's Encrypt challenges), but wonder whether there is a demand for a more versatile component.

 

Angus

Share this post


Link to post

I get the impression from reading the windns.h DNS API documentation that it's mainly for querying and modifying caching DNS servers, rather than updating primary DNS servers, no functions for server setup,  zones, etc, all of which are in the DNS WMI API.  I also need this to work over a LAN, which WMI handles, albeit sluggishly.

 

Angus

Share this post


Link to post
Guest

@Angus Robertson While it is good thing to have Windows DNS API for Delphi but i have 2 cents to add, for years i advocated against enabling Windows DNS server as it full of problem, it render the server susceptible to many kind of security attacks, while it almost always will get you frustrated with its TTL, for those attacks and exploits you can just google "windows dns server exploit" and will find horrible reports from the attacker can take control of the victim server to DNS spoofing ( poisoning), so unless you will use it in closed NAT ( no internet) i highly recommend against enabling it.

 

On other hand to use it for ACME, as i do and recommend, it is the fastest and easiest way (no files and connections handling) and yet it allow you to request certificate with wildcard for subdomains, for this there is always DNS API for those major host services that lets you to add TXT record easily and remove them, e.g. with CloudFlare it is 2 HTTP GET requests and one POST/PUT and you are good to go with ACME dns challenge ( https://api.cloudflare.com/#dns-records-for-a-zone-create-dns-record ), also Godaddy and most other host DNS providers have API's for such operation, Requesting certificate from LE with DNS challenge by when the name hosted on CloudFlare takes between 10-15 second from authorization on LE to receiving the cert.

 

One last thing: DNS poisoning ( dns cache attack) is very real and way easier than anyone think it is, simply put anyone can perform it specially on NAT.

 

 

 

 

 

Share this post


Link to post
Quote

 

just google "windows dns server exploit" and will find horrible reports


 

I checked a few of those and all I have checked are fixed by Microsoft.

The recomandation is simply to get ALL updates from Microsoft as soon as they are published (Just turn on auto update. Tht's what I have always done).

Share this post


Link to post

My public DNS servers have recursion and caching disabled, they are primary/secondary DNS servers, not used for local DNS.  I believe that avoids the worst abuse, but certainly not an expert.

 

My experience of the three Let's Encrypt challenge methods is they are all similar speed, The ICS component already does DNS, it tells you what TXT records to set-up manually, I'm just making it easier. 

 

Now if someone has a Delphi component that handles the various Cloud DNS provides APIs I'd love to use it.  I'm sure it's not complicated, just time consuming to set-up accounts with various providers to test it.

 

Angus

 

Share this post


Link to post
Guest
27 minutes ago, FPiette said:

I checked a few of those and all I have checked are fixed by Microsoft.

True, but the quantity of them and the impact of many is horrifying.

28 minutes ago, FPiette said:

The recomandation is simply to get ALL updates from Microsoft as soon as they are published (Just turn on auto update. Tht's what I have always done).

True, and it is highly recommended too to keep update on, but there is another point of view, simply you can't hack or affect my cup of coffee if it is not connected to internet, so on all my servers i disable automatic updates and block all system component form reaching the internet (in and out) , my updates are manually done when i see fit, in this way i will not wait for Microsoft to detect a hack or ransomware exploit just to fix it, the way Windows is full of those security risks is too much high, those accessable Windows ports are proved to be full of danger over many years, simply the system component that is not used and not essential has to go or to be blocked.


But again this is personal point of view.

 

On side notes: resources may interest you ,

https://www.schneier.com/blog/archives/2005/02/sha1_broken.html 

and that was 2005, now have a look please on those dates when Windows WSUS switched to SHA-2:

https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus

The attack on SHA-1 was viable for years but it is already confirmed and this should be the last bullet as SHA1 should be avoided at all costs

https://www.schneier.com/blog/archives/2020/01/new_sha-1_attac.html

 

40 minutes ago, Angus Robertson said:

My public DNS servers have recursion and caching disabled, they are primary/secondary DNS servers, not used for local DNS.

Not enough, let me give a scenario on how DNS server can be used to attack all of it users,

Let say this forum want to hack/attack some user visiting this web page, it can simply use a link to an URI  which is on lets say X.com then the user opened this page is visible to praxis server and praxis know for sure that the user browser will resolve that X.com ( X.com can be microsoft.com or any legit domain/site, and known site means no antivirus or firewall will complain about it), in that moment right after praxis server finished sending this webpage it start to send a DNS response from different knows DNS servers like 8.8.8.8 and 1.1.1.1, on other hand client browser asked the System to resolve or used the supplied DNS server which in most cases is on router or  system dns client service ..., in all cases some of those fake response ( which they are simply UDP packets sent using raw sockets) might hit what recvfrom on the browser or the router or in your case your DNS local server, now even with recursive caching is disabled the iterative cache is still there, no difference on how TTL is processed, as they both will be cached, unless you want to lose very noticeable time on resolving, yet even with disabling all sort of caching (like make TTL=0) still if the attacker might hit recvfrom response before the real response, then dns server is owned.

Again this is point of view, there is always risk when it comes to DNS, but if your domain name is hosted on CloudFlare then there is 0 chance that their resolver will be spoofed, here there is still a risk of dns attack on the client side performed by simply those fake responses, but in case you have Primary/secondary dns server then that risk is way higher, here the clients of such server are the most dangerous, a bad actor can request to resolve microsoft.com and from server yet poison it with different data ( eg. IP ) and wait and keep doing this all day long as they TTL is in short case is 300 second, all the client then will be redirected to that fake IP.

IMHO : it is not worth it, both i mean windows updates and hosted DNS server.

Share this post


Link to post
Guest

Took me minutes to remember one of the most dangerous exploits 

https://en.wikipedia.org/wiki/BlueKeep

Notice that it was in Windows XP , how long is that 10 years or 15 ?!!

 

I can't live without RDP , yet the port is changed form the default one and blocked access to all, except few IP's, and in some cases when the client want/will use different public wifi networks, then i give him a small tool with small server to open the port on service server side on the Firewall and automatically close it after RDP disconnect.

Share this post


Link to post

Well, again this one is fixed. Only those omitting to apply ALL updates are at risk. And by the way, this is not related to DNS which is the subject of this conversation.

 

Share this post


Link to post

I have seen DNS amplification attacks using my DNS in the past, usually from the size of the firewall logs, but then block it using the external firewall.  Generally I'm not too worried about exploits, no-one has ever successfully attacked my servers. 

 

I have however moved the DNS for a test domain to Cloudfare, so will add updating it's DNS records to the ICS sample application alongside Windows DNS,  Not sure if I also moved the web site to Cloudfare, the dashboard is very confusing and I don't really care at the moment, need to write code instead.

 

Angus

Share this post


Link to post
Guest
18 minutes ago, FPiette said:

And by the way, this is not related to DNS which is the subject of this conversation.

Yes but it has something to do with "Security is not a relative matter ", i was explaining so the fact many exploits were in DNS and of course fixed after after been found and detected been used ( in most cases), so for me it is No to compromise with something i know is can be risk.

 

The following you may not agree with but you should know and everyone should know too about it, Delphi IDE is sending some personal data over internet, exactly your IP and something else might has to do your license from Embarcadero ( if you understand what i mean) , it is sent using secured connection, now just try to change the dns from host file to 127.0.0.1 and capture the input in any web server you have, Embarcadero is not doing it right, the connection even with broken, faulty, expired, revoked, and invalid certificate will accept the connection and yet send those information.

Now all what you need to do to steal these information from any user or visitor of this site or any site, i think i gave the idea in pieces in too much obvious way, right ?

 

And yes, you may see it as far form the subject, while here i see it as relative to the subject as this exploit is belongs to DNS category, and the impact of wrong configuring DNS server.

 

It was my personal view and may be something not many people knew about and i think it is better in such cases to repeat saying it, after all the point is it might help someone to protect himself.

 

 

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×