DNSSEC: Sign a DNS Zone with Windows Server

Presentation

DNSSEC (Domain Name System Security Extensions) is an extension of the DNS protocol that secures DNS by signing the records with a public/private key pair.

This extension lets the client verify that the response it received is authentic and has not been altered by a man-in-the-middle attack.

This extension is standardized by the following RFC:

To illustrate this tutorial, we are going to see how to sign a zone on a domain controller.

Sign a zone with DNSSEC on Windows Server

Open the DNS Manager console and go to the Forward Lookup Zones 1 node. It can be seen that the DNSSEC state of the lab.intra zone is Unsigned 2.
Zones overview

Right-click on the zone to sign 1, go to DNSSEC 2, then click on Sign the Zone 3 to launch the wizard.
Param DNSSEC for zone

When the wizard opens, click Next 1.
Wizard DNSSEC configuration

Choose the option Customize zone signing parameters 1 and click Next 2.
DNSSEC signature options

Choose the server that will hold the keys (the Key Master) 1 and click Next 2.
Master of keys for DNSSEC

A summary of the KSK (Key Signing Key, the key used to sign the zone's keys) is displayed, click on Next 1.
KSK key

Click on Add 1.
Wizard DNSSEC add KSK

Click OK 1 to validate the parameters of the KSK key.
Params key KSK

The KSK key is added 1, click Next 2.
Key KSK added

A summary of the ZSK (Zone Signing Key, the key used to sign the data records) is displayed, click Next 1.
DNSSEC - key ZSK

Click Add 1 to configure the ZSK key.
Add ZSK key

Click OK 1 to validate the parameters of the ZSK key.
DNSSEC - key ZSK param

The ZSK key is added 1, click Next 2.
DNSSEC - key ZSK added

Select the NSEC3 protocol 1 (used to prove that a name does not exist), then click Next 2.
DNSSEC - select NSEC3

Leave the default options for the trust anchors configuration, click Next 1.
Anchor config

Leave the default signing and polling parameters, click Next 1.
DNSSEC - param signature

A summary of the DNSSEC configuration is displayed, click Next 1 to apply it.
Summary config dnssec

The configuration is applied to the zone, leave the wizard by clicking Close 1.
signed zone

Refresh the zone in the DNS Manager console: a padlock has been added to the zone folder to indicate that the zone is signed with DNSSEC, and several RRSIG, DNSKEY, NSEC3 … records have been added. Each record set is accompanied by its signature in an RRSIG record of the same name.
DNSSEC - zone
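The same signing that the wizard performs can be scripted with the DnsServer PowerShell module on the server that will be Key Master. This is an added example, not code from the original article; the zone name, key sizes and rollover periods are assumptions (the values shown are the ones the wizard proposes by default).

```powershell
# Added example (not from the original article): sign a zone with custom KSK/ZSK keys
# and NSEC3, mirroring the "Customize zone signing parameters" path of the wizard.
# Run on the DNS server that will be Key Master, in an elevated PowerShell session.
$Zone = 'lab.intra'   # assumed: the zone to sign

# Do not add a second key pair to a zone that is already signed.
if ((Get-DnsServerZone -Name $Zone).IsSigned) {
    throw "$Zone is already signed; use Invoke-DnsServerZoneSign -ZoneName $Zone -DoResign to re-sign it."
}

# Key Signing Key (KSK): signs the zone's DNSKEY record set.
# Assumed values: RSA/SHA-256, 2048 bits, 755-day rollover (wizard defaults).
Add-DnsServerSigningKey -ZoneName $Zone -Type KeySigningKey `
    -CryptoAlgorithm RsaSha256 -KeyLength 2048 -RolloverPeriod (New-TimeSpan -Days 755)

# Zone Signing Key (ZSK): signs the data records.
# Assumed values: RSA/SHA-256, 1024 bits, 90-day rollover (wizard defaults).
Add-DnsServerSigningKey -ZoneName $Zone -Type ZoneSigningKey `
    -CryptoAlgorithm RsaSha256 -KeyLength 1024 -RolloverPeriod (New-TimeSpan -Days 90)

# Sign with the keys just added. Without -SignWithDefault the cmdlet uses these keys
# instead of generating its own; -Force skips the confirmation prompt.
Invoke-DnsServerZoneSign -ZoneName $Zone -Force

# Authenticated denial of existence with NSEC3, as selected in the wizard.
Set-DnsServerDnsSecZoneSetting -ZoneName $Zone -DenialOfExistence NSec3

# Check: the zone is flagged as signed and DNSKEY / RRSIG / NSEC3 records now exist,
# which is what the padlock and the new records in DNS Manager reflect.
$signed = (Get-DnsServerZone -Name $Zone).IsSigned
$dnssecRecords = Get-DnsServerResourceRecord -ZoneName $Zone |
    Where-Object { $_.RecordType -match '^(DNSKEY|RRSIG|NSEC3|NSEC3PARAM)$' } |
    Group-Object RecordType | Select-Object Name, Count

Write-Output "Zone $Zone signed: $signed"
$dnssecRecords
if (-not $signed -or -not ($dnssecRecords | Where-Object Name -eq 'RRSIG')) {
    Write-Warning "Signing did not produce the expected records; check the DNS Server event log."
}
```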

Use DNSSEC

On a DNS client, open a PowerShell prompt and enter the following command:

Resolve-DnsName <RecordInZone> -Server <DNSServer>

resolver-dnsname
The DNS server returns a "normal" response, without any signing information.

To request a secure (signed) response, add the -DnssecOK parameter to the previous command.

Resolve-DnsName <RecordInZone> -Server <DNSServer> -DnssecOK

resolver-dnsname
The signature information now appears in the answer.

Group Policy for a DNSSEC Resolution

As we have just seen, to obtain a signed record the client has to ask for it explicitly. So that the computers in the domain use DNSSEC, we will add a Group Policy that configures the NRPT (Name Resolution Policy Table) on the computers to indicate that the zone is signed.

On a domain controller, open the Group Policy Management console, right-click on the domain 1 and click Create a GPO in this domain, and Link it here 2.
New GPO

Name the GPO 1, then click OK 2.
Named GPO for DNSSEC

Right-click on the new policy 1 and click on Edit 2.
Edit GPO

Go to Computer Configuration / Windows Settings / Name Resolution Policy 1. Enter the DNS suffix of the signed zone 2, check that Enable DNSSEC in this rule 3 and Ask DNS clients to verify that name and address data has been validated by the DNS server 4 are ticked, and click on Create 5.
Config DNSSEC

The domain has been added to the Name Resolution Policy Table 1, click Apply 2.
zone added

Summary of the policy:
GPO DNSSEC Overview

On a domain computer where the policy has been applied (run gpupdate), open a PowerShell prompt and enter the following command:

Resolve-DnsName <RecordInZone>

The command should now return the IP address together with the signature information, without the -DnssecOK parameter.
DNSSEC resolve name
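The manual -DnssecOK test from the previous section and the NRPT check described here can be combined into one client-side script. This is an added example, not code from the original article; the zone suffix and record name are assumptions, and the NRPT property names are those of the DnsClient module.

```powershell
# Added example (not from the original article): on a domain-joined client, confirm that
# the GPO produced an NRPT rule for the signed zone and that resolution returns RRSIG
# records, with and without the DO bit (-DnssecOK). All names are placeholders.
param(
    [string]$ZoneSuffix = 'lab.intra',        # assumed: the suffix entered in the NRPT rule
    [string]$Record     = 'srv01.lab.intra',  # assumed: a record that exists in the signed zone
    [string]$DnsServer                        # optional: query a specific server, as in the first tests
)

# 1. Effective NRPT policy: the GPO should have produced a rule for the zone suffix
#    that requires DNSSEC validation.
$rule = Get-DnsClientNrptPolicy -Effective |
        Where-Object { $_.Namespace -like "*$ZoneSuffix" }
if (-not $rule) {
    Write-Warning "No effective NRPT rule for $ZoneSuffix (check the GPO link and run gpupdate /force)."
} elseif (-not $rule.DnsSecValidationRequired) {
    Write-Warning "NRPT rule found for $($rule.Namespace) but DNSSEC validation is not required."
} else {
    Write-Output "NRPT rule OK: $($rule.Namespace) requires DNSSEC validation."
}

# 2. Resolve the record twice: a plain query and one with the DO bit set.
#    -DnsOnly skips the hosts file, LLMNR and NetBIOS so only DNS answers are compared.
$query = @{ Name = $Record; Type = 'A'; DnsOnly = $true }
if ($DnsServer) { $query.Server = $DnsServer }

$plain  = Resolve-DnsName @query
$secure = Resolve-DnsName @query -DnssecOK

# 3. Count the RRSIG records in each answer. Before the GPO only the -DnssecOK query
#    carries signatures; once the NRPT rule applies, the plain query does too.
$plainSigs  = @($plain  | Where-Object Type -eq 'RRSIG').Count
$secureSigs = @($secure | Where-Object Type -eq 'RRSIG').Count

[pscustomobject]@{
    Record          = $Record
    Address         = ($secure | Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress
    RrsigWithoutDO  = $plainSigs
    RrsigWithDO     = $secureSigs
    ZoneLooksSigned = ($secureSigs -gt 0)
}
if ($secureSigs -eq 0) {
    Write-Warning "No RRSIG returned for $Record: the zone may not be signed, or the server queried is not authoritative for it."
}
```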
