DNS SECURITY OPTION
DNS Cache Locking: Cache locking is a security feature introduced with Windows Server 2008 R2 that allows you to control whether or not information in the DNS cache can be overwritten.
* When you enable cache locking, the DNS server will not allow cached records to be overwritten for the duration of the time to live (TTL) value. Cache locking provides enhanced security against cache poisoning attacks. You can also customize the setting used for cache locking (the cache locking percent).
What does cache locking do?
When a recursive DNS server responds to a query, it will cache the results obtained so that it can respond quickly if it receives another query requesting the same information. The period of time the DNS server will keep information in its cache is determined by the Time to Live (TTL) value for a resource record. Until the TTL period expires, information in the cache might be overwritten if updated information about that resource record is received. If an attacker successfully overwrites information in the cache, they might be able to redirect traffic on your network to a malicious site.
PowerShell: Set-DnsServerCache
Dnscmd: dnscmd /Info /CacheLockingPercent (displays the current cache locking percent)
To set the cache locking percent manually in the registry:
1. Click Start, click Run, Type regedit.exe, and then press ENTER.
2. In Registry Editor, open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters.
3. If the CacheLockingPercent registry key is not present, right-click Parameters, click New, click DWORD (32-bit) Value, and then type CacheLockingPercent for the name of the new registry key.
4. Double-click the CacheLockingPercent registry key.
5. Under Base, choose Decimal; under Value data, type a value from 0 to 100 for the cache locking percent, and then click OK.
6. Close Registry Editor.
7. Restart the DNS Server service.
DNS Socket Pool: The DNS socket pool enables a DNS server to use source port randomization when it issues DNS queries. When the DNS service starts, the server chooses a source port from a pool of sockets that are available for issuing queries. Instead of using a predictable source port, the DNS server uses a random port number that it selects from the DNS socket pool. The DNS socket pool makes cache-tampering attacks more difficult because a malicious user must correctly guess both the source port of a DNS query and a random transaction ID to successfully run the attack. The DNS socket pool is enabled by default in Windows Server 2016.
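The cache locking procedure (registry steps above) and the socket pool setting can both be audited and set from PowerShell instead of regedit. The script below is an added example, not part of the original notes; it assumes an elevated session on the DNS server with the DnsServer module installed, and it uses 100 percent and 2,500 sockets as target values because those are the documented defaults on Windows Server 2012 and later (adjust to your own policy).

```powershell
# Added example (not from the original notes): audit and harden the two
# cache-protection settings described above on a Windows Server DNS server.
# Run in an elevated PowerShell session on the DNS server with the
# DnsServer module (RSAT-DNS-Server) available.
# Assumption: the target values below (100 percent, 2500 sockets) are the
# documented defaults on Windows Server 2012 and later; adjust to policy.

Import-Module DnsServer

$desiredLockingPercent = 100   # 100 = cached records cannot be overwritten until their TTL expires
$desiredSocketPoolSize = 2500  # number of random source ports reserved for outbound queries

# --- Cache locking -------------------------------------------------------
$cache = Get-DnsServerCache
Write-Host ("Cache locking percent is currently {0}" -f $cache.LockingPercent)

if ($cache.LockingPercent -lt $desiredLockingPercent) {
    # Set-DnsServerCache writes CacheLockingPercent under
    # HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters for you; no regedit needed.
    Set-DnsServerCache -LockingPercent $desiredLockingPercent
    Write-Host "Cache locking percent raised to $desiredLockingPercent"
}

# --- Socket pool ---------------------------------------------------------
$settings = Get-DnsServerSetting -All
Write-Host ("Socket pool size is currently {0}" -f $settings.SocketPoolSize)

if ($settings.SocketPoolSize -lt $desiredSocketPoolSize) {
    # Set-DnsServerSetting takes the whole settings object back.
    # Equivalent legacy command: dnscmd /Config /SocketPoolSize 2500
    $settings.SocketPoolSize = $desiredSocketPoolSize
    Set-DnsServerSetting -InputObject $settings
    Write-Host "Socket pool size raised to $desiredSocketPoolSize"
}

# Both settings take effect after the DNS Server service restarts (step 7 above).
Restart-Service -Name DNS

# Cross-check with the legacy tool the notes mention; both should report the values set above.
dnscmd /Info /CacheLockingPercent
dnscmd /Info /SocketPoolSize
```

A locking percent below 100 leaves a window at the end of each record's TTL during which an unsolicited answer can still replace the cached record, so the audit treats anything lower than the target as a finding. A socket pool of zero would force a single fixed source port, which is exactly the predictable behaviour the notes warn about.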
DNS SPOOFING or DNS CACHE POISONING:
DNS Spoofing is a type of computer attack wherein a user is forced to navigate to a fake website disguised to look like a real one, with the intention of diverting traffic or stealing credentials of the users. Spoofing attacks can go on for a long period of time without being detected and can cause serious security issues.
Such a scenario would proceed as follows:
The attacker uses arpspoof to issue the command: arpspoof 192.168.1.100 192.168.2.200. This modifies the MAC addresses in the server’s ARP table, causing it to think that the attacker’s computer belongs to the client.
The attacker once again uses arpspoof to issue the command: arpspoof 192.168.2.200 192.168.1.100, which tells the client that the perpetrator’s computer is the server.
The attacker issues the Linux command: echo 1> /proc/sys/net/ipv4/ip_forward. As a result, IP packets sent between the client and server are forwarded to the perpetrator’s computer.
A hosts file entry, 192.168.3.300 estores.com, is created on the attacker’s local computer, mapping the website www.estores.com to the attacker’s local IP.
The perpetrator sets up a web server on the local computer’s IP and creates a fake website made to resemble www.estores.com.
Finally, a tool (e.g., dnsspoof) is used to direct all DNS requests to the perpetrator’s local hosts file. As a result, the fake website is displayed to users, and merely interacting with the site installs malware on their computers.
DNSSEC: DNSSEC enables a DNS zone and all records in the zone to be signed cryptographically so that client computers can validate the DNS response. DNS is often subject to various attacks, such as spoofing and cache-tampering. DNSSEC helps protect against these threats and provides a more secure DNS infrastructure.
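To see which zones are actually signed and whether a resolver hands back signatures, the following added example (not from the original notes) inventories the signing state of a Windows DNS server and then queries a signed name. The zone name corp.example and the record www.corp.example are placeholders; replace them with your own zone.

```powershell
# Added example (not from the original notes): check which zones on a
# Windows DNS server are DNSSEC-signed and confirm that a query for a
# signed name returns signature (RRSIG) records.
# Assumptions: run elevated on the DNS server; 'corp.example' and
# 'www.corp.example' are placeholder names for a signed zone and a record in it.

Import-Module DnsServer

$zoneName   = 'corp.example'        # placeholder zone
$recordName = 'www.corp.example'    # placeholder record inside that zone

# 1. Inventory: list primary zones with their signing state. Unsigned zones
#    are the ones whose answers a client cannot validate.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
    Select-Object ZoneName, IsDsIntegrated, IsSigned |
    Format-Table -AutoSize

# 2. Signing details for one zone: DNSSEC settings and the signing keys.
Get-DnsServerDnsSecZoneSetting -ZoneName $zoneName
Get-DnsServerSigningKey -ZoneName $zoneName |
    Select-Object KeyType, CryptoAlgorithm, KeyLength |
    Format-Table -AutoSize

# To sign an unsigned zone with default key parameters (not run here):
# Invoke-DnsServerZoneSign -ZoneName $zoneName -SignWithDefault -PassThru

# 3. Client-side check: set the DO (DNSSEC OK) bit on the query. A signed
#    zone served by a DNSSEC-aware server returns RRSIG records alongside
#    the answer; an unsigned zone returns only the plain records.
$answer = Resolve-DnsName -Name $recordName -Type A -DnssecOk
$answer | Format-Table Name, Type, TTL -AutoSize

if ($answer | Where-Object { $_.Type -eq 'RRSIG' }) {
    Write-Host "RRSIG present: $zoneName is signed and the resolver returned signature records."
} else {
    Write-Warning "No RRSIG returned for $recordName: the zone is unsigned or the resolver is not DNSSEC-aware."
}
```

Step 1 is the useful audit: IsSigned is false for any zone that still depends entirely on cache locking and the socket pool for protection. Step 3 only shows that signatures are being served; whether clients actually reject bad signatures depends on the resolver they use and on the Name Resolution Policy Table settings pushed to them.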
DNS QUERY, TESTING QUERIES, DNS CACHE, DNS LOGGING, DELEGATED ADMINISTRATION, CONFIGURE RECURSION, ANALYSE ZONE LEVEL STATISTICS