\u2022 DNS cache locking<\/strong>
\u2022 DNS socket pool<\/strong>
\u2022 DNSSEC<\/strong><\/p>\n\n\n\n
Before we start the step by step to implement the DNS Security, lets go through a theory behind this technology.<\/p>\n\n\n\n
DNS Cache Locking<\/strong><\/p>\n\n\n\n Cache locking is a Windows Server 2016 security feature that allows you to control when information in the DNS cache can be overwritten. When a recursive DNS server responds to a query, it caches the results so that it can respond quickly if it receives another query requesting the same information. The period of time the DNS server keeps information in its cache is determined by the Time to Live (TTL) value for a resource record.<\/p>\n\n\n\n DNS Socket Pool<\/strong><\/p>\n\n\n\n The DNS socket pool enables a DNS server to use source port randomization when it issues DNS queries. When the DNS service starts, the server chooses a source port from a pool of sockets that are available for issuing queries. Instead of using a predicable source port, the DNS server uses a random port number that it selects from the DNS socket pool. The DNS socket pool makes cache-tampering attacks more difficult because a malicious user must correctly guess both the source port of a DNS query and a random transaction ID to successfully run the attack. The DNS socket pool is enabled by default in Windows Server 2016<\/p>\n\n\n\n DNSSEC<\/strong><\/p>\n\n\n\n DNSSEC enables a DNS zone and all records in the zone to be signed cryptographically so that client computers can validate the DNS response. DNS is often subject to various attacks, such as spoofing and cache-tampering. DNSSEC helps protect against these threats and provides a more secure DNS infrastructure.<\/p>\n\n\n\n So now, lets go through a simple step how you as Server Administrator can implement DNS Security.<\/strong><\/p>\n\n\n\n 1 \u2013 Open Server Manager,<\/strong> click Tools<\/strong> and open DNS Manager.<\/strong><\/p>\n\n\n\n 2 \u2013 In the DNS Manager,<\/strong> browse to your Domain name<\/strong>, then right click domain name<\/strong>, click DNSSEC<\/strong> and then click Sign the Zone.<\/strong><\/p>\n\n\n\n 2 \u2013 In the Zone Signing Wizard<\/strong> interface, click Next.<\/strong><\/p>\n\n\n\n 3 \u2013 On the Signing options interface, click Customize zone signing parameters<\/strong>, and then click Next.<\/p>\n\n\n\n 4 \u2013 On the Key Master interface, ensure that \u201cThe DNS server CLOUD-SERVER is selected as the Key Master<\/strong>\u201c, and then click Next.<\/p>\n\n\n\n 5 \u2013 On the Key Signing Key (KSK) interface,<\/strong> click Next.<\/p>\n\n\n\n 6 \u2013 On the Key Signing Key (KSK) interface<\/strong>, click Add.<\/strong><\/p>\n\n\n\n 7 \u2013 On the New Key Signing Key (KSK) interface,<\/strong> click OK.<\/strong><\/p>\n\n\n\n ~*~ please spend some time to go through about key properties on the New Key Signing Key (KSK) interface.<\/p>\n\n\n\n 8 \u2013 On the Key Signing Key (KSK) interface,<\/strong> click Next.<\/p>\n\n\n\n 9 \u2013 On the Zone Signing Key (ZSK) interface,<\/strong> click Next.<\/strong><\/p>\n\n\n\n 10 \u2013 On the Zone Signing Key (ZSK) interface,<\/strong> click Add.<\/strong><\/p>\n\n\n\n 11 \u2013 On the New Zone Signing Key (ZSK) interface,<\/strong> click OK.<\/strong><\/p>\n\n\n\n 12 \u2013 On the Zone Signing Key (ZSK) interface,<\/strong> click Next.<\/strong><\/p>\n\n\n\n 13 \u2013 On the Next Secure (NSEC) interface,<\/strong> click Next.<\/strong><\/p>\n\n\n\n ~*~ NSEC is when the DNS response has no data to provide to the client, this record authenticates that the host does not exist.<\/p>\n\n\n\n 14 \u2013 On the Trust Anchors<\/strong> (TAs) interface, check the Enable the distribution of trust anchors for this zone check box,<\/strong> and then click Next.<\/strong><\/p>\n\n\n\n ~*~ A trust anchor is an authoritative entity that is represented by a public key. The TrustAnchors zone stores preconfigured public keys that are associated with a specific zone.<\/p>\n\n\n\n 15 \u2013 On the Signing and Polling Parameters interface,<\/strong> click Next.<\/strong><\/p>\n\n\n\n 16 \u2013 On the DNS Security Extensions (DNSSEC) interface,<\/strong> click Next,<\/strong> and then click Finish.<\/strong><\/p>\n\n\n\n 17 \u2013 In the DNS console, expand Trust Points,<\/strong> expand ae, and then click your domain name.<\/p>\n\n\n\n Ensure that the DNSKEY resource records<\/strong> display, and that their status is valid.<\/p>\n\n\n\n 18 \u2013 Open Server Manager,<\/strong> click Tools<\/strong> and open Group Policy Management.<\/strong><\/p>\n\n\n\n 19 \u2013 Next, open Group Policy Management,<\/strong> expand Forest: Windows.ae,<\/strong> expand Domains, expand Windows.ae,<\/strong> right-click Default Domain Policy,<\/strong> and then click Edit<\/strong>.<\/p>\n\n\n\n 20 \u2013 In the Group Policy Management Editor interface,<\/strong> under Computer Configuration,<\/strong> expand Policies,<\/strong> expand Windows Settings,<\/strong> and then click Name Resolution Policy.<\/strong><\/p>\n\n\n\n ~*~ In the right pane, under Create Rules, in the Suffix box<\/strong>, type Windows.ae<\/strong> to apply the rule to the suffix of the namespace.<\/p>\n\n\n\n ~*~ Select both the Enable DNSSEC<\/strong> in this rule<\/strong> check box and the Require DNS clients<\/strong> to check that the name and address data has been validated by the DNS server check box, and then click Create.<\/p>\n\n\n\n 1 \u2013 In domain Server, open\u00a0Windows PowerShell<\/strong>\u00a0and type :\u00a0Get-DNSServer<\/strong><\/p>\n\n\n\n ~*~ This command displays the current size of the DNS socket pool (on the fourth line in the ServerSetting section). Note that the current size is 2,500.<\/p>\n\n\n\n ~*~ Please take note that the default DNS socket pool size is 2,500. When you configure the DNS socket pool, you can choose a size value from 0 to 10,000. The larger the value, the greater the protection you will have against DNS spoofing attacks.<\/p>\n\n\n\n 2 \u2013 Now lets change the socket pool size to 3,000<\/strong>.<\/p>\n\n\n\n type :<\/strong> dnscmd \/config \/socketpoolsize 3000<\/strong><\/p>\n\n\n\n 3 \u2013 Restart your DNS Server<\/strong> for the changes to take effect.<\/p>\n\n\n\n ~*~ confirm that the new socket pool size now is 3000<\/strong><\/p>\n\n\n\n 1 \u2013 In\u00a0Windows PowerShell, type\u00a0Get-Dnsserver<\/strong><\/p>\n\n\n\n ~*~ This command will displays the current percentage value of the DNS cache lock.<\/p>\n\n\n\n ~*~ Note that the current value is 100 percent.<\/p>\n\n\n\n 2 \u2013 type Set-DnsServerCache \u2013LockingPercent 70<\/strong><\/p>\n\n\n\n ~*~ This changes the cache lock value to 70 percent<\/p>\n\n\n\n 3 \u2013 Looking your DNS Manager Verify.<\/p>\n\n\n\n This is all, enjoy!<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":" Since DNS is a critical network service, as a Server Administrator you must protect it as much as possible. A number of options are available for protecting the DNS server, including :\u2022 DNS cache locking\u2022 DNS socket pool\u2022 DNSSEC Before we start the step by step to implement the DNS Security, lets go through a theory behind this technology. DNS […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[45,63],"tags":[],"class_list":["post-3169","post","type-post","status-publish","format-standard","hentry","category-domain-name-system-dns","category-server-2016-2016"],"_links":{"self":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3169","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3169"}],"version-history":[{"count":1,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3169\/revisions"}],"predecessor-version":[{"id":3170,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3169\/revisions\/3170"}],"wp:attachment":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3169"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3169"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3169"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}01 \u2013 Step to configure DNSSEC<\/strong><\/h3>\n\n\n\n
![\"2\"](\"https:\/\/newhelptech.files.wordpress.com\/2017\/06\/216.png?w=1108\")
<\/figure>\n\n\n\n![\"1.png\"](\"https:\/\/newhelptech.files.wordpress.com\/2017\/07\/16.png?w=1108\")
<\/figure>\n\n\n\n![\"2.png\"](\"https:\/\/newhelptech.files.wordpress.com\/2017\/07\/22.png?w=1108\")
<\/figure>\n\n\n\n![\"3.png\"](\"https:\/\/newhelptech.files.wordpress.com\/2017\/07\/36.png?w=1108\")
<\/figure>\n\n\n\n![\"4.png\"](\"https:\/\/newhelptech.files.wordpress.com\/2017\/07\/410.png?w=1108\")
<\/figure>\n\n\n\n![\"5.png\"](\"https:\/\/newhelptech.files.wordpress.com\/2017\/07\/53.png?w=1108\")
<\/figure>\n\n\n\n![\"6.png\"](\"https:\/\/newhelptech.files.wordpress.com\/2017\/07\/62.png?w=1108\")
<\/figure>\n\n\n\n![\"10.png\"](\"https:\/\/newhelptech.files.wordpress.com\/2017\/07\/102.png?w=1108\")
<\/figure>\n\n\n\n![\"11.png\"](\"https:\/\/newhelptech.files.wordpress.com\/2017\/07\/112.png?w=1108\")
<\/figure>\n\n\n\n![\"9.png\"](\"https:\/\/newhelptech.files.wordpress.com\/2017\/07\/92.png?w=1108\")
<\/figure>\n\n\n\n![\"10.png\"](\"https:\/\/newhelptech.files.wordpress.com\/2017\/07\/103.png?w=1108\")
<\/figure>\n\n\n\n![\"11.png\"](\"https:\/\/newhelptech.files.wordpress.com\/2017\/07\/113.png?w=1108\")
<\/figure>\n\n\n\n![\"11.png\"](\"https:\/\/newhelptech.files.wordpress.com\/2017\/07\/114.png?w=1108\")
<\/figure>\n\n\n\n![\"12.png\"](\"https:\/\/newhelptech.files.wordpress.com\/2017\/07\/122.png?w=1108\")
<\/figure>\n\n\n\n![\"14.png\"](\"https:\/\/newhelptech.files.wordpress.com\/2017\/07\/141.png?w=1108\")
<\/figure>\n\n\n\n![\"15.png\"](\"https:\/\/newhelptech.files.wordpress.com\/2017\/07\/151.png?w=1108\")
<\/figure>\n\n\n\n![\"16.png\"](\"https:\/\/newhelptech.files.wordpress.com\/2017\/07\/161.png?w=1108\")
<\/figure>\n\n\n\n![\"17.png\"](\"https:\/\/newhelptech.files.wordpress.com\/2017\/07\/171.png?w=1108\")
<\/figure>\n\n\n\n![\"18.png\"](\"https:\/\/newhelptech.files.wordpress.com\/2017\/07\/181.png?w=1108\")
<\/figure>\n\n\n\n![\"19.png\"](\"https:\/\/newhelptech.files.wordpress.com\/2017\/07\/191.png?w=1108\")
<\/figure>\n\n\n\n![\"20.png\"](\"https:\/\/newhelptech.files.wordpress.com\/2017\/07\/201.png?w=1108\")
<\/figure>\n\n\n\n![\"22.png\"](\"https:\/\/newhelptech.files.wordpress.com\/2017\/07\/221.png?w=1108\")
<\/figure>\n\n\n\n02 \u2013 Configure the DNS Socket Pool<\/strong><\/h3>\n\n\n\n
![\"23.png\"](\"https:\/\/newhelptech.files.wordpress.com\/2017\/07\/231.png?w=1108\")
<\/figure>\n\n\n\n![\"24.png\"](\"https:\/\/newhelptech.files.wordpress.com\/2017\/07\/241.png?w=1108\")
<\/figure>\n\n\n\n![\"25.png\"](\"https:\/\/newhelptech.files.wordpress.com\/2017\/07\/252.png?w=1108\")
<\/figure>\n\n\n\n04 \u2013 Configure the DNS Cache Locking<\/strong><\/h3>\n\n\n\n
![\"25.png\"](\"https:\/\/newhelptech.files.wordpress.com\/2017\/07\/253.png?w=1108\")
<\/figure>\n\n\n\n![\"26.png\"](\"https:\/\/newhelptech.files.wordpress.com\/2017\/07\/261.png?w=1108\")
~*~ Please take note that you configure cache locking as a percentage value.<\/p>\n\n\n\n![\"27.png\"](\"https:\/\/newhelptech.files.wordpress.com\/2017\/07\/271.png?w=1108\")
<\/figure>\n\n\n\n