By Marc van Kralingen, Marc.vankralingen@Quest.com
Summary
On January 22, 2019 the U.S. Department of Homeland Security released Emergency Directive 19-01 entitled “Mitigate DNS Tampering” (DHS, 2019-1). Within this directive, the DHS describes how, in coordination with other partners, it has been tracking a series of incidents involving Domain Name System (DNS) infrastructure tampering. The directive goes on to describe the techniques used to perfect these DNS attacks, the net result of which is that attackers can redirect and intercept web, mail and other network traffic. The directive recommends the following four actions to establishing a secure DNS:
- Audit DNS records
- Change DNS account passwords
- Add Multi-factor authentication to DNS accounts
- Monitor Certificate Transparency logs.
This discussion demonstrates how Quest Software can help you easily achieve action (1) above: audit DNS records for Microsoft Active Directory-Integrated DNS.
Background
Microsoft Active Directory Integrated DNS
DNS is foundational to a properly functioning Active Directory deployment (Microsoft, 2014). In fact, DNS is the primary name resolution service for Windows Server 2003 and beyond. As such, Active Directory requires:
- A name resolution service that enables network hosts and services to locate Active Directory domain controllers
- A naming structure that enables an enterprise to reflect its organizational structure in the names of its directory service domains
This service is referred to as Microsoft Active Directory-Integrated DNS.
Quest Change Auditor
Change Auditor is a real-time security and IT auditing solution for your Microsoft environment. Some of the key features of Change Auditor include:
- Proactive threat detection with Change Auditor Threat Detection
- Hybrid environment auditing with a correlated view
- Change prevention
- Auditor-ready reporting
More information on Quest Change Auditor can be accessed here: https://www.quest.com/change-auditor/
Change Auditor Auditing of DNS
Quest Change Auditor supports the auditing of 99 distinct DNS-related events such as the addition and removal of DNS A, MX and PTR records. See illustration 1 below.
Illustration 1: Change Auditor auditing of DNS events
What is helpful is that Change Auditor organizes and prioritizes (out-of-the-box) all DNS events by Severity type (the severities are configurable). See illustration 2 below.
Illustration 2: Categorized and prioritized Change Auditor DNS events
Change Auditor provides out-of-the-box reporting against DNS events with easily configured filters such as who, what, when, where and origin computer. See illustration 3 and 4 below.
Illustration 3: Change Auditor out-of-the-box configurable reporting on DNS event
Illustration 4: Change Auditor graphical representation of DNS event auditing
The actual data is normalized and is easy to interpret. See illustration 5 below.
Illustration 5: Normalized and easy-to-interpret DNS events
Change Auditor also provides near real-time alerting of the DNS events that you want to be alerted on. See illustrations 6 and 7 below.
Illustration 6: Configuring near real-time alerting over DNS events
Illustration 7: Near real-time alerts over DNS change events
Lastly, in addition to the detective security controls described above, Change Auditor also supports preventative security controls through its object protection capabilities. Change Auditor object protection allows you to select critical objects in your environment and protect them from changes. This protection can be enforced at the object level (ex: don’t delete the object) or at the attribute-level (ex: prevent modifications to the password attribute). This protection uses a whitelist/blacklist to specify who is or is not allowed to bypass the protection. Furthermore, protection can be enforced using a schedule and/or the origin IP address of the account attempting the change. The events pertaining to protected events are audited, can be reported on and alerted on. See illustrations 8 to 10 below.
Illustration 8: Creating a DNS record protection template
Illustration 9: Setting DNS record protection levels
Illustration 10: Reporting on protected/prevented DNS activities
Conclusion
This discussion illustrated how Quest Change Auditor can help organizations audit their Microsoft Active Directory-integrated DNS, which is the first action needed for a secure DNS, as recommended by the Department of Homeland Security’s emergency directive. Specifically, this discussion illustrated how Change Auditor provides detective and protective security controls to:
- Audit changes to Microsoft Active Directory-Integrated DNS
- Collect this audit information into a centralized repository
- Flexibly report on DNS changes
- Alert key stakeholders of critical DNS changes in near real time
- Protect critical DNS objects from unwanted changes
For more information please visit https://www.quest.com/change-auditor/ or email Sales@Quest.com
References
DHS. 2019-1. “Mitigate DNS Infrastructure Tampering”. Retrieved from: https://cyber.dhs.gov/ed/19-01/
Microsoft. 2014. “What Is DNS Support for Active Directory?”. Retrieved from: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc757136%28v%3dws.10%29