In this demonstration, you will implement DNS security within the environment. You will work from the domain admin machine and you will secure the DNS zones between the primary DC and DC2. Let's look at the current DNS zones which reside on the domain controller, and you will do this by navigating to Tools, DNS and connecting to the DC and the Forward Lookup Zones. You'll notice that we have the normal company.primary forward lookup zone and we've got another one which is sec.company.primary. You need to implement DNSSEC on the sec.company.primary zone. To get started, you'll right-click on the zone and under DNSSEC you'll click on Sign the Zone. You'll click on Next to go through the wizard and you have a few options. You can go and use an existing zone for the parameters, you can use the default settings to sign the zone, or you can customize the zone signing parameters. Let's go ahead and customize it so we can see the options that are available. You'll click on Next and you will choose the Key Master. Since the DC is the primary domain controller and authoritative DNS server, we will keep DC as the Key Master. You'll click on Next and now it will bring you to the Key Signing Key. Let's proceed under Key Signing Key. You have the ability to add multiple algorithms.
You'll click on Add and you have the ability to customize the key generation, signing keys, key properties, and the key rollover. Since we do not have any pre-generated keys, let's go ahead and create a new signing key. Under the cryptographic algorithm, you have a number of choices that you can select, so we will stick with SHA-256. The key length we will leave at 2048 bits and we will leave the key storage provider as the Microsoft Software Key Storage Provider. You have a few options that you can select, but we'll leave the defaults for now. The signature validity period you can configure as well as the key rollover, so we will leave these as the default. You can of course tweak this to enable a quicker rollover period and a shorter validity period. So we'll click on OK and you will click on Next. Now you have the ability to define the Zone Signing Key, which is essentially the authentication key to sign the zone data. You'll click on Next, and again you have the ability to add multiple algorithms for the Zone Signing Key. We will leave these as defaults and click on OK. You'll click on Next and now you have the ability to choose the NSEC version that you want to use for the resource records. Let's use NSEC3. And you also want to enable the distribution of trust anchors for the zone.
This ensures that the trust anchors are distributed to all DNS servers which are running on domain controllers within the forest. Since our forest has two domain controllers and both of them are DNS servers, this will automatically distribute the trust anchors. So now you'll click on Next and you can configure the signing and polling periods, which we will leave as the defaults for now, and we'll click on Next and complete the wizard. Now you'll notice that there is a lock next to the DNS zone and this depicts that the zone has been secured with DNSSEC. Here we have the resource record signatures and the DNS keys as well as the various trust anchors that are showing. After a couple of minutes, replication will take place and the configuration settings for the signed DNS zone will be replicated to DC2. Let's take a look at DC2. We'll connect to it and under Forward Lookup Zones you'll notice that the sec.company.primary zone is now also secured and we have the Trust Points which are reflected in the secondary DNS server. Now we will open up PowerShell and verify that DNSSEC is working. Let's first perform a query on the normal company DNS zone to see the difference between a query on a normal zone and a query on a signed zone.
And you will issue the command Resolve-DnsName followed by the host record, specifying the server, and we will perform the DNSSEC check. Now let's perform the exact same command, but this time we will specify the zone which is protected with DNSSEC. Notice the output difference between the two. In the first output, we simply get the record response with no additional data. In the second one, we can see now we've got the signed date, who signed the record and of course the cryptographic signature. Now let's validate if we have an NRPT policy on the client machines. An NRPT policy, which stands for Name Resolution Policy Table, enables you to enforce name resolution policies on security-aware DNS clients. To verify if there are any policies in place, you can issue the command Get-DnsClientNrptPolicy, and right now you'll see there are no policies enforced. Let's go ahead and create this policy so that we can ensure that DNSSEC is being used within the environment. To do this, you will navigate to Group Policy Management, and under Group Policy Objects you will create a new group policy and we'll call this DNSSEC. You will go ahead and edit this policy, and under Computer Configuration, Policies, Windows Settings, Name Resolution Policy, you will go ahead and configure a new policy in the Create Rules section.
Under Suffix, you will define the DNSSEC-protected zone and you will go ahead and enable DNSSEC in this rule. You can require validation, and if you want to enforce IPsec communication, you can enable this as well. Bear in mind that there might be some additional configuration options required for IPsec, so for now we will leave this disabled. You will click on Create, and now the rule has been created. We will apply this and now we will go ahead and link this group policy. Since we have the admin workstation, which resides in its own OU, let's go ahead and link the DNSSEC policy to the OU. And now you will force a group policy update so that the new group policy with the DNS policy can be applied. Once the update has completed, we'll switch back to the PowerShell window and issue the Get-DnsClientNrptPolicy command again. And this time you'll notice that we have a policy defined and under DnsSecValidationRequired the value is now set to True. This will ensure the clients use DNSSEC when performing DNS lookups. We will perform a query again to ensure that we have not broken anything. By rerunning the DNSSEC query, we can confirm that the results are the same as before the validation was required.
This confirms that the policy that we have just applied has not broken anything in relation to DNSSEC queries. You can confirm that the secondary DNS server, which resides on DC2, is also using DNSSEC by issuing the same command but changing the server name.
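The same procedure as PowerShell commands, added here as a worked example; it is not code from the demonstration itself. It assumes the zone name sec.company.primary, the domain controllers dc1 (the Key Master) and dc2, an unsigned zone company.primary with a host record dc1, and a GPO named DNSSEC that already exists and is linked to the workstation OU; all of those names are assumptions. The cmdlets come from the built-in DnsServer, DnsClient and GroupPolicy modules and are run as a domain admin with RSAT installed.

```powershell
# Added example, not part of the original demonstration. Assumed names:
# signed zone sec.company.primary, DCs dc1 (Key Master) and dc2,
# unsigned zone company.primary, GPO "DNSSEC" (already created and linked).
$Zone      = "sec.company.primary"
$KeyMaster = "dc1"
$Secondary = "dc2"
$Unsigned  = "company.primary"
$GpoName   = "DNSSEC"
$Ksp       = "Microsoft Software Key Storage Provider"

# 1. Key Signing Key and Zone Signing Key with the wizard's choices:
#    SHA-256 (RSA), 2048-bit KSK, keys held by the software KSP on the Key Master.
Add-DnsServerSigningKey -ComputerName $KeyMaster -ZoneName $Zone -Type KeySigningKey `
    -CryptoAlgorithm RsaSha256 -KeyLength 2048 -KeyStorageProvider $Ksp
Add-DnsServerSigningKey -ComputerName $KeyMaster -ZoneName $Zone -Type ZoneSigningKey `
    -CryptoAlgorithm RsaSha256 -KeyLength 1024 -KeyStorageProvider $Ksp

# 2. NSEC3 for authenticated denial of existence, and distribute the DNSKEY trust
#    anchor to every DNS server on a DC in the forest (the wizard's checkbox).
Set-DnsServerDnsSecZoneSetting -ComputerName $KeyMaster -ZoneName $Zone `
    -DenialOfExistence NSec3 -DistributeTrustAnchor DnsKey

# 3. Sign the zone with the keys configured above
#    (-SignWithDefault is omitted so the wizard-equivalent keys are used, not defaults).
Invoke-DnsServerZoneSign -ComputerName $KeyMaster -ZoneName $Zone -Force

# 4. Compare an unsigned and a signed lookup. -DnssecOk sets the DO bit, so the
#    signed zone returns RRSIG records alongside the A record; the unsigned zone cannot.
$plain  = Resolve-DnsName -Name "dc1.$Unsigned" -Type A -Server $KeyMaster -DnssecOk
$signed = Resolve-DnsName -Name "dc1.$Zone"     -Type A -Server $KeyMaster -DnssecOk
$plainSigs  = @($plain  | Where-Object Type -eq 'RRSIG')
$signedSigs = @($signed | Where-Object Type -eq 'RRSIG')
if ($plainSigs.Count  -ne 0) { throw "unexpected RRSIG from unsigned zone $Unsigned" }
if ($signedSigs.Count -eq 0) { throw "no RRSIG returned for $Zone; zone is not signed" }
# The signer, signing time and signature are what the demonstration pointed out.
$signedSigs | Format-List Name, Type, Signer, Signed, Expiration, Signature

# 5. Replication check: dc2 must hold the trust anchor and the DNSKEY records.
Get-DnsServerTrustAnchor   -ComputerName $Secondary -Name $Zone
Get-DnsServerResourceRecord -ComputerName $Secondary -ZoneName $Zone -RRType DnsKey

# 6. NRPT rule in the GPO: suffix starts with a dot, DNSSEC on, validation required,
#    IPsec left off as in the demonstration. Then refresh and inspect on the client.
Add-DnsClientNrptRule -GpoName $GpoName -Namespace ".$Zone" `
    -DnsSecEnable -DnsSecValidationRequired $true
gpupdate /force | Out-Null
$rule = Get-DnsClientNrptPolicy | Where-Object Namespace -eq ".$Zone"
if (-not $rule -or -not $rule.DnsSecValidationRequired) {
    throw "NRPT rule for .$Zone not applied or validation not required"
}
$rule | Format-List Namespace, DnsSecValidationRequired, DnsSecQueryIPsecRequired

# 7. With validation now required, the signed lookup must still succeed against both
#    servers. (-DnssecCd instead of -DnssecOk would ask the resolver to skip validation.)
Resolve-DnsName -Name "dc1.$Zone" -Type A -Server $KeyMaster -DnssecOk
Resolve-DnsName -Name "dc1.$Zone" -Type A -Server $Secondary -DnssecOk
```

Add-DnsClientNrptRule with -GpoName writes the rule into the GPO but does not link it, which is why the example assumes the link already exists; the two throw statements are the checks worth keeping in a deployment script, since a zone that silently stays unsigned or a rule that never reaches the client both leave resolution working with no validation at all.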