Windows Server has offered DNS and DHCP as native services since the days of Windows NT 3.x. These services have evolved over the last decade and gained additional features in every newer version of Windows. This blog provides an insight into the many improvements in the Windows Server 2008/R2 platform and outlines some of its limitations. The following are some of the enhancements to the DNS/DHCP services in Windows Server 2008/R2:
DNSSEC – Adds security to DNS protocols
- DNSSEC is a suite of extensions that add security to the DNS protocol. In short, DNSSEC allows for a DNS zone and all the records in the zone to be cryptographically signed.
- Support for DNSSEC in the Windows 7 DNS client, including the ability to indicate knowledge of DNSSEC in queries, the ability to process the DNSKEY, RRSIG, NSEC, and DS resource records, and the ability to check whether the DNS server it communicated with performed validation on the client’s behalf.
Devolution – Allows precise control of boundary of name resolution
- Devolution is a behavior in Active Directory environments that allows client computers that are members of a child namespace to access resources in the parent namespace without the need to explicitly provide the fully qualified domain name (FQDN) of the resource. The DNS client in Windows Server 2008 R2 and Windows 7 introduces the concept of a devolution level, which controls the label at which devolution terminates. Previously, the effective devolution level was two. An administrator can now specify the devolution level, allowing precise control of the organizational boundary in an Active Directory domain when clients attempt to resolve resources within the domain.
Cache Locking to prevent cache poisoning
- Cache locking is a new feature available in Windows Server 2008 R2. With cache locking, the DNS server will not allow cached records to be overwritten for the duration of the TTL (time to live) value. This functionality provides for enhanced security against cache poisoning attacks.
Socket Pool to prevent cache poisoning
- The socket pool enables a DNS server to use source port randomization when issuing DNS queries. This provides enhanced security against cache poisoning attacks.
Other important features
- Conditional forwarding for efficient name resolution
- Global zones to provide WINS-like functionality for single-label names
- Background zone loading for performance improvement for large zones
- Support for special zones for Read-Only Domain Controller functionality
- IPv6 support
- Global Query Block List to prevent malicious use of special names like WPAD and ISATAP
- DNS client support for Multicast DNS or link-local multicast name resolution – for name resolution in ad-hoc and peer-to-peer networks
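As an added example (not part of the original post), the following dnscmd commands inspect and tighten the cache locking, socket pool and Global Query Block List settings described above on a Windows Server 2008 R2 DNS server. It assumes the DNS Server role is installed and an elevated PowerShell prompt; the values 100 and 5000 are illustrative choices, not the only valid ones.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# prompt on a Windows Server 2008 R2 DNS server; dnscmd.exe ships with the
# DNS Server role. The values set below are illustrative choices.

# 1. Inspect the current anti-poisoning settings before changing anything.
dnscmd /Info /CacheLockingPercent        # share of the TTL during which a cached record is locked (default 100)
dnscmd /Info /SocketPoolSize             # randomized source ports reserved at startup (default 2500)
dnscmd /Info /EnableGlobalQueryBlockList
dnscmd /Info /GlobalQueryBlockList       # names the server refuses to resolve (wpad and isatap by default)

# 2. Lock cached records for their full TTL, so a spoofed answer cannot
#    replace a legitimate cached one until it expires on its own.
dnscmd /Config /CacheLockingPercent 100

# 3. Enlarge the socket pool (valid range 0-10000). More randomized source
#    ports raise the cost of guessing the port of an outstanding query.
dnscmd /Config /SocketPoolSize 5000

# 4. Keep the Global Query Block List enabled with the two names the post mentions.
dnscmd /Config /EnableGlobalQueryBlockList 1
dnscmd /Config /GlobalQueryBlockList wpad isatap

# 5. Cache locking and socket pool changes take effect only after the
#    DNS Server service restarts.
Restart-Service -Name DNS

# 6. Confirm the new values were persisted across the restart.
dnscmd /Info /CacheLockingPercent
dnscmd /Info /SocketPoolSize
```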
DHCP Security and Access Control
- MAC address based access control (link layer filtering) – allow or deny IP address leases based on MAC address
- Name protection to prevent duplicate name registrations by non-Windows operating systems
- DHCP server activity logging
- Services now run under the Network Service account instead of the Local Service account, to minimize the risk associated with a compromise
- Address pool exhaustion prevention through split-scope and DHCP offer delay configuration
- Selection of multiple entries at once to simplify creating reservations and link layer filters
In spite of the many advances in the native DNS/DHCP functionality, Windows Server still lacks many common features that many organizations deem basic. The following are some of the features that Windows Server lacks:
- Discovery of all endpoints / IP address management
- Search functionality – searching for a specific name, IP address or MAC address across DHCP and DNS
- Role based access control / delegation for DNS zones and IP address spaces
- High availability / granular backup and recovery support
- IP address conflict handling – finding and fixing IP/resource conflicts
- Tracing/auditing IP address changes
- Determining which port a particular resource is connected to
- Determining where a resource is physically or virtually located
It’s evident that Windows DNS/DHCP in 2008/R2 offers many advanced features and will suffice for many organizations’ needs. Even though the basic features are more than sufficient for many organizations, Windows DNS and DHCP lack some very important features that seem basic to mid- to large-sized organizations. Many organizations use third party products or appliances to fill this gap. These solutions range from networking equipment and Linux/Unix based servers to dedicated appliance-based solutions such as those from Infoblox.
Prakash is a Senior Consultant at Zensar.