DNS | TLSA Records to ensure the validity of SSL certificates

TLSA records are a newer feature that adds an additional layer of security when checking the validity of server certificates. The TLSA record is published in DNS, where a client can query it and compare the SHA hash the domain holds against the certificate the server has presented. If the hash matches, DNS has "agreed" that the certificate is indeed the expected one. This protects against the wrongful issuing of certificates by CAs and also against the theft of certificates.

#Add a TLSA DNS Record
#Usage DomainIssuedCertificate (3), Selector SubjectPublicKeyInfo (1), MatchType Sha256Hash (1) = a "3 1 1" record
#The owner name is Name + ZoneName, so this publishes _443._tcp.www.techshizz.com (HTTPS on www.techshizz.com)
Add-DnsServerResourceRecord -TLSA -ZoneName techshizz.com -Name _443._tcp.www -CertificateUsage DomainIssuedCertificate -Selector SubjectPublicKeyInfo -MatchType Sha256Hash -CertificateAssociationData 2a8f2d8af0eb123898f74c866ac3fa669054e23c17bc7a95bd0234192dc635d0

Combined with DNSSEC, this record provides a robust defence against man-in-the-middle attacks. Because it requires DNSSEC and a DNS provider that offers TLSA, it is likely to be a premium service when used on the internet. It does come with Server 2016 for internal use on corporate infrastructure.
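An added example, not part of the original notes, showing how the CertificateAssociationData value above is derived from a certificate and how to check that the record the server publishes still matches the certificate actually being served. It assumes PowerShell 7 on the DNS server (ExportSubjectPublicKeyInfo needs .NET Core 3.0 or later), the DnsServer module, and the property names exposed by the module's TLSA record data (CertificateUsage, Selector, MatchingType, CertificateAssociationData); the function names Get-TlsaAssociationData and Test-TlsaRecord are mine.

```powershell
function Get-TlsaAssociationData {
    # Returns the hex digest that -CertificateAssociationData expects for the given selector and match type
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [ValidateSet('FullCertificate', 'SubjectPublicKeyInfo')] [string] $Selector = 'SubjectPublicKeyInfo',
        [ValidateSet('ExactMatch', 'Sha256Hash', 'Sha512Hash')] [string] $MatchType = 'Sha256Hash'
    )
    # Selector FullCertificate (0) covers the whole DER certificate; SubjectPublicKeyInfo (1) covers only the
    # DER SPKI, so the record survives a re-issue that keeps the same key pair
    $data = if ($Selector -eq 'FullCertificate') { $Certificate.RawData }
            else { $Certificate.PublicKey.ExportSubjectPublicKeyInfo() }   # .NET Core 3.0+ (PowerShell 7)
    $digest = switch ($MatchType) {
        'ExactMatch' { $data }
        'Sha256Hash' { $h = [System.Security.Cryptography.SHA256]::Create(); try { $h.ComputeHash($data) } finally { $h.Dispose() } }
        'Sha512Hash' { $h = [System.Security.Cryptography.SHA512]::Create(); try { $h.ComputeHash($data) } finally { $h.Dispose() } }
    }
    # The zone stores the value as lower-case hex with no separators
    ([System.BitConverter]::ToString($digest) -replace '-', '').ToLowerInvariant()
}

function Test-TlsaRecord {
    # Compares every TLSA record at Name.ZoneName with the digest of the certificate in the local machine store
    param(
        [Parameter(Mandatory)] [string] $ZoneName,    # e.g. techshizz.com
        [Parameter(Mandatory)] [string] $Name,        # e.g. _443._tcp.www
        [Parameter(Mandatory)] [string] $Thumbprint   # thumbprint of the certificate the web server presents
    )
    $cert    = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $records = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $Name -RRType TLSA
    foreach ($r in $records) {
        $rd = $r.RecordData   # assumed property names of the DnsServer module's TLSA record data
        $expected = Get-TlsaAssociationData -Certificate $cert -Selector "$($rd.Selector)" -MatchType "$($rd.MatchingType)"
        [pscustomobject]@{
            Usage    = $rd.CertificateUsage
            Selector = $rd.Selector
            Match    = $rd.MatchingType
            Valid    = ("$($rd.CertificateAssociationData)".ToLowerInvariant() -eq $expected)
        }
    }
}

# Usage on the DNS server that hosts the zone, e.g.:
# Test-TlsaRecord -ZoneName techshizz.com -Name _443._tcp.www -Thumbprint <certificate thumbprint>
```

A Valid value of False after a certificate renewal is the signal to republish the record (or to use the SubjectPublicKeyInfo selector with a reused key pair so renewals do not break it).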

DNS Time Based Policy

In Server 2016 we can configure DNS policies that ALLOW, DENY or IGNORE queries depending on the time of day. Here are the commands required to configure this.

#Get current server time
Get-Date -DisplayHint Time

#Get current DNS Policies
Get-DnsServerQueryResolutionPolicy -ZoneName demo.com

#Add a new Policy called "Time-Policy" to deny dns requests between 4AM and 11PM.
Add-DnsServerQueryResolutionPolicy -zoneName demo.com -Name "Time-Policy" -Action DENY -TimeOfDay "eq,04:00-23:00" -ProcessingOrder 2

#Check result
Get-DnsServerQueryResolutionPolicy -ZoneName demo.com

#Change Processing order (1 takes precedence)
Set-DnsServerQueryResolutionPolicy -ZoneName demo.com -Name "Time-Policy" -ProcessingOrder 1

#Check result
Get-DnsServerQueryResolutionPolicy -ZoneName demo.com

#Remove the time policy
Remove-DnsServerQueryResolutionPolicy -ZoneName demo.com -Name "Time-Policy" -Force

#Re-add the time policy but with IGNORE (drop the query silently) instead of DENY (answer with a refusal)
Add-DnsServerQueryResolutionPolicy -ZoneName demo.com -Name "Time-Policy" -Action IGNORE -TimeOfDay "eq,04:00-23:00" -ProcessingOrder 1

#Remove the time policy again
Remove-DnsServerQueryResolutionPolicy -ZoneName demo.com -Name "Time-Policy" -Force

#Add a time policy to DENY between 11PM and midnight, processing order 1
Add-DnsServerQueryResolutionPolicy -ZoneName demo.com -Name "Time-Policy" -Action DENY -TimeOfDay "eq,23:00-23:59" -ProcessingOrder 1

#Check Result
Get-DnsServerQueryResolutionPolicy -ZoneName demo.com

#Change Policy order to 3
Set-DnsServerQueryResolutionPolicy -ZoneName demo.com -Name "Time-Policy" -ProcessingOrder 3

#Check result
Get-DnsServerQueryResolutionPolicy -ZoneName demo.com


DNS Policy by Client Source Address

If we have several subnets, we can create DNS policies so that our DNS server answers clients differently depending on which subnet they query from. Here's how:

#Add a new Demo DNS Zone
Add-DnsServerPrimaryZone -Name demo.com -ReplicationScope Domain

#Add two Client Subnets (the CIDR ranges were left blank in these notes; supply the range of each subnet)
Add-DnsServerClientSubnet -Name SubnetA -IPv4Subnet ""
Add-DnsServerClientSubnet -Name SubnetB -IPv4Subnet ""

#Add a Zone Scope for each subnet
Add-DnsServerZoneScope -ZoneName demo.com -Name "0_Scope"
Add-DnsServerZoneScope -ZoneName demo.com -Name "64_Scope"

#Add an A record for App1 in each scope, pointing at the server that subnet should use (addresses left blank in these notes)
Add-DnsServerResourceRecord -ZoneName demo.com -A -Name App1 -IPv4Address "" -ZoneScope "0_Scope"
Add-DnsServerResourceRecord -ZoneName demo.com -A -Name App1 -IPv4Address "" -ZoneScope "64_Scope"

#Create the client-subnet policies: queries from SubnetA are answered from 0_Scope, queries from SubnetB from 64_Scope
Add-DnsServerQueryResolutionPolicy -Name "0_Policy" -Action ALLOW -ClientSubnet "eq,SubnetA" -ZoneScope "0_Scope,1" -ZoneName demo.com
Add-DnsServerQueryResolutionPolicy -Name "64_Policy" -Action ALLOW -ClientSubnet "eq,SubnetB" -ZoneScope "64_Scope,1" -ZoneName demo.com


DNS Policy Load Balancing | Server 2016

By default, if we have multiple A records with the same name, the DNS server round-robins, i.e. it rotates through the records so that each response leads with a different one. That is fine, but if we want more control over how responses are distributed across the records we can use a DNS load balancing policy to weight them as desired.

#Add a DNS Zone
Add-DNSServerPrimaryZone -Name "loadbalance.com" -ReplicationScope Domain

#Add a Zone Scope called "Scope-Heavy"
Add-DNSServerZoneScope -ZoneName "loadbalance.com" -Name "Scope-Heavy"

#Add a  Zone Scope called "Scope-Light"
Add-DNSServerZoneScope -ZoneName "loadbalance.com" -Name "Scope-Light"

#Add an A record for www in the default scope and in each zone scope, each pointing at a different server (addresses left blank in these notes)
Add-DnsServerResourceRecord -ZoneName "loadbalance.com" -A -Name "www" -IPv4Address ""
Add-DnsServerResourceRecord -ZoneName "loadbalance.com" -A -Name "www" -IPv4Address "" -ZoneScope "Scope-Light"
Add-DnsServerResourceRecord -ZoneName "loadbalance.com" -A -Name "www" -IPv4Address "" -ZoneScope "Scope-Heavy"

#Set a policy with weights 1:1:9, so the Scope-Heavy server answers about 9 of every 11 queries and the other two about 1 each
Add-DnsServerQueryResolutionPolicy -Name "LB-Policy" -Action ALLOW -Fqdn "EQ,*" -ZoneScope "loadbalance.com,1;Scope-Light,1;Scope-Heavy,9" -ZoneName "loadbalance.com"

#Check it applied
Get-DNSServerQueryResolutionPolicy -ZoneName "loadbalance.com"
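An added example (not from the original notes) that serves the time-based, client-subnet and load-balancing sections above: it joins every query resolution policy on a zone to the zone scopes it hands out, the weight share of each scope and the A records those scopes hold, so the effect of the policies can be read off in one table. It assumes the DnsServer module and the shape of its policy objects (Criteria entries exposing CriteriaType and Criteria, Content entries exposing ScopeName and Weight); the function name Get-DnsPolicyScopeMap is mine.

```powershell
function Get-DnsPolicyScopeMap {
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        [string] $RecordName = '@'     # '@' lists every A record in the scope; pass 'www' or 'App1' to narrow
    )
    $policies = Get-DnsServerQueryResolutionPolicy -ZoneName $ZoneName | Sort-Object ProcessingOrder
    foreach ($p in $policies) {
        # e.g. "ClientSubnet eq,SubnetA" or "TimeOfDay eq,04:00-23:00"
        $criteria = ($p.Criteria | ForEach-Object { "$($_.CriteriaType) $($_.Criteria)" }) -join '; '
        # DENY / IGNORE policies carry no scope content; emit one row so they are not hidden
        $content = if ($p.Content) { $p.Content } else { [pscustomobject]@{ ScopeName = '-'; Weight = '-' } }
        $totalWeight = 0
        if ($p.Content) { $totalWeight = ($p.Content | Measure-Object -Property Weight -Sum).Sum }
        foreach ($c in $content) {
            $addresses = '-'
            if ($c.ScopeName -ne '-') {
                $query = @{ ZoneName = $ZoneName; RRType = 'A'; ErrorAction = 'SilentlyContinue' }
                if ($RecordName -ne '@') { $query.Name = $RecordName }
                # The default scope has the same name as the zone and is read without -ZoneScope
                if ($c.ScopeName -ne $ZoneName) { $query.ZoneScope = $c.ScopeName }
                $addresses = (Get-DnsServerResourceRecord @query |
                              ForEach-Object { $_.RecordData.IPv4Address.ToString() }) -join ','
            }
            # Expected share of responses this scope receives, e.g. 82% for Scope-Heavy with weights 1;1;9
            $share = if ($totalWeight) { '{0:P0}' -f ($c.Weight / $totalWeight) } else { '-' }
            [pscustomobject]@{
                Order = $p.ProcessingOrder; Policy = $p.Name; Action = $p.Action
                Criteria = $criteria; Scope = $c.ScopeName; Weight = $c.Weight
                Share = $share; ARecords = $addresses
            }
        }
    }
}

# Usage on the DNS server, e.g.:
# Get-DnsPolicyScopeMap -ZoneName loadbalance.com -RecordName www | Format-Table -AutoSize
# Get-DnsPolicyScopeMap -ZoneName demo.com -RecordName App1 | Format-Table -AutoSize
```

Rows are ordered by ProcessingOrder, so the first matching row is the one the server applies to a given client.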

Configure DNS Response Rate Limiting

We configure DNS response rate limiting from PowerShell.

#Get the current DNS Response Rate Limiting settings
Get-DnsServerResponseRateLimiting

#Enable DNS Response Rate Limiting in logging-only mode first, to see what would be dropped before enforcing it
#ResponsesPerSec / ErrorsPerSec: identical responses (or errors) allowed per second to one client prefix
#IPv4PrefixLength 26: clients are grouped into /26 prefixes; LeakRate 3: one in every 3 otherwise-dropped responses is still sent
Set-DnsServerResponseRateLimiting -ResponsesPerSec 2 -ErrorsPerSec 2 -IPv4PrefixLength 26 -LeakRate 3 -Mode LogOnly -Force

#Enable DNS Response Rate Limiting (enforcing)
Set-DnsServerResponseRateLimiting -ResponsesPerSec 2 -ErrorsPerSec 2 -IPv4PrefixLength 26 -LeakRate 3 -Mode Enable -Force

#Disable DNS Response Rate Limiting
Set-DnsServerResponseRateLimiting -Mode Disable -Force