In this lecture were going to demonstrate several security techniques that can be implemented in Windows server 2016.

DANE (DNS Based Authentication of Named Entities) 

• The first technique is DANE.  Basically, DANE tells a client who to expect a Certificate from. That client or server will only accept a certificate from a designated source. We’ll demonstrate how DANE works in a minute.
• First, let’s clear up some terminology. DANE helps to prevent MIMA

What is a Man-in-the-middle attack? A mitm attack happens when communication between two systems is intercepted by an outside entity.

• What is a TLSA record? TLSA stands for (Transport Layer Security Authentication)

This record contains the Port number that the TLS server communicates on

The Server Host Name of the TLS server

And the Port number that the TLS server listens on.

• How does DANE work?

Client

Client requests the IP address of google.com from sa.com sa.com responds by informing the client to expect a certificate from https://www.ca.com 

At that point the DNS server sends 8.8.8.8 the IP address for Google.com to the client.

A Typical example of a man-in-the-middle attack Client requests a record 

sa.com responds by informing the client to expect a cert from https://www.ca.com Attacker attempts to get client or the server to accept cert from another CA called https://www.carip.com

In this case the server refuses the certificate and flags it as an invalid certificate. The MITM attack fails.  

DNS Cache Locking  

DNS Cache Locking is one of the methods that protects from DNS cache poisoning.

So, what is DNS Cache Poisoning? 

• It is the act of placing false information in a DNS Servers cache. 
• DNS cache locking uses the Time to Live (amount of time a record stays in cache)
• By default, TTL set to 24 hours
• Malicious user cannot update record until TTL is exhausted.

Here’s how DNS Cache Locking Works

• When a DNS client sends a request to a recursive DNS server the server caches the result so that it can respond more quickly to other DNS clients querying the same information.  
• Another server down the line may have an update to that record and this server may want to update the cache.
• The amount of time that a record resides in the cache is based upon the TTL (time to live value of the record.    

Malicious user attack

A malicious user tries to update a record directing users to a malicious site called https://www.carip.com.

Because the TTL is set to 24 hours that record cannot be updated for 24 hours. Because the malicious user tried to update that record before the TTL was exhausted the update failed.

DNS Socket Pool

• The reply-back DNS server (I’ll explain that in a minute) selects a source port from a pool of ports
• When a DNS goes out to the internet and does recursive queries. The server that is replying back instead of using a predictable port must use a random port number.  
• Avoids using well known ports
• Avoids Cache tampering

Here’s how the DNS Socket Pool Works 

Client uses port 53 to connect to the DNS server, now the DNS server is using port 53 to connect to another DNS server on the internet to complete the query.

The question is what port is the server using, that replies back to the client?  

And the answers is, it varies. Instead of using a predictable source port the incoming DNS server uses a random port# that it selects from the DNS socket pool.  

Server Academy Members Only

Sorry, this lesson is only available to Server Academy Full Access members. Become a Full-Access Member now and you’ll get instant access to all of our courses.

Sign In Get Instant Access