Securing your DNS using TMG 2010

1. Introduction

Nowadays information is much easier to find than it used to be: you can find information about almost anything just by searching the web (try https://www.letmebingthatforyou.com/?q=dns%20atacck for example). For this reason it is even more important to be diligent about protecting your company's data by preventing data leakage and data enumeration.

One of the pre-attack phases is precisely the enumeration of data about the target system (or company). During this phase the attacker tries to gather as much information as possible about the target, starting with the basic facts available on the company's web site and moving on to more detailed enumeration using tools and techniques. One of the steps in data enumeration is querying the target's DNS servers to obtain more information about hosts and IP addresses. This can start with a simple nslookup query. Once a query succeeds, the attacker can try to pull all the records for that domain by attempting a zone transfer. This post explains how to configure your DNS publishing rule on TMG so that such zone transfers are blocked.

2. What do you want to avoid?

The scenario described above is unfortunately common, often because the system administrator forgot to configure the DNS server on the internal network so that it does not allow zone transfers to every host. Here is an example of a DNS zone that is wide open for zone transfers:

Fig1

With this configuration in place, the following is what a client gets when it tries to transfer the zone using nslookup:

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\>nslookup
Default Server:  mysrv
Address:  192.168.1.10

> server 192.168.1.154
Default Server:  TMGFW
Address:  192.168.1.154

> set q=all

> contoso.com

Server:  TMGFW
Address:  192.168.1.154

contoso.com     internet address = 10.20.20.10
contoso.com     nameserver = dc01.contoso.com
contoso.com
        primary name server = dc01.contoso.com
        responsible mail addr = hostmaster.contoso.com
        serial  = 494
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)
dc01.contoso.com        internet address = 10.20.20.10

> ls -d contoso.com

[TMGFW.home]
 contoso.com.                   SOA    dc01.contoso.com hostmaster.contoso.com. (494 900 600 86400 3600)
 contoso.com.                   A      10.20.20.10
 contoso.com.                   NS     dc01.contoso.com
 _msdcs                         NS     dc01.contoso.com
 _gc._tcp.Default-First-Site-Name._sites        SRV    priority=0, weight=100, port=3268, dc01.contoso.com
 _kerberos._tcp.Default-First-Site-Name._sites  SRV    priority=0, weight=100, port=88, dc01.contoso.com
 _ldap._tcp.Default-First-Site-Name._sites      SRV    priority=0, weight=100, port=389, dc01.contoso.com
 _gc._tcp                       SRV    priority=0, weight=100, port=3268, dc01.contoso.com
 _kerberos._tcp                 SRV    priority=0, weight=100, port=88, dc01.contoso.com
 _kpasswd._tcp                  SRV    priority=0, weight=100, port=464, dc01.contoso.com
 _ldap._tcp                     SRV    priority=0, weight=100, port=389, dc01.contoso.com
 _kerberos._udp                 SRV    priority=0, weight=100, port=88, dc01.contoso.com
 _kpasswd._udp                  SRV    priority=0, weight=100, port=464, dc01.contoso.com
 casrv                          A      10.20.20.9
 dc01                           A      10.20.20.10
 DomainDnsZones                 A      10.20.20.10
 _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones   SRV    priority=0, weight=100, port=389, dc01.contoso.com
 _ldap._tcp.DomainDnsZones      SRV    priority=0, weight=100, port=389, dc01.contoso.com
 EXSRV                          A      10.20.20.11
 farm                           CNAME  exsrv.contoso.com
 ForestDnsZones                 A      10.20.20.10
 _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones   SRV    priority=0, weight=100, port=389, dc01.contoso.com
 _ldap._tcp.ForestDnsZones      SRV    priority=0, weight=100, port=389, dc01.contoso.com
 TMGFW                          A      10.20.20.1
 TMGSTD                         A      10.20.20.31
 UAG10                          A      10.20.20.12
 UAG11                          A      10.20.20.13
 WKSVista                       A      10.20.20.152
 contoso.com.                   SOA    dc01.contoso.com hostmaster.contoso.com. (494 900 600 86400 3600)

Well, this is not nice at all: here is my whole internal domain zone (domain controllers, Exchange, the firewalls themselves, even a workstation) exposed to every Internet user, just because the system administrator forgot to clear one checkbox.

3. Protecting Internal Resources

If the system administrator didn't do his homework, you as the firewall administrator MUST do it ASAP. However, it is very important to emphasize that this band-aid on the perimeter should not be the main fix. We always need to address the root cause of the problem, which in this case is to securely configure the DNS server so that it only transfers the zone to the servers it trusts. Hardening the DNS publishing rule on your perimeter is just a countermeasure against an attempt to transfer the internal DNS zone to an external (untrusted) host, and it only helps for traffic that actually crosses TMG.
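The root-cause fix described above, as an added example that is not part of the original post: it reads the zone's current transfer policy through the MicrosoftDNS WMI provider, restricts transfers to an explicit list of servers with dnscmd, and reads the policy back. The zone name, server name and trusted IP address are assumptions taken from the post's lab values.

```powershell
# Added example (not from the original post): restrict zone transfers on the Windows DNS server
# itself. Zone, server and trusted secondary IP are assumed values from the post's lab.
$zone      = 'contoso.com'
$dnsServer = 'dc01.contoso.com'
$trusted   = @('10.20.20.10')     # only these servers may pull the zone

# Read the current setting through the MicrosoftDNS WMI provider.
# SecureSecondaries: 0 = any server (the open state shown in Fig1), 1 = only servers in the NS
# records, 2 = only the explicit SecondaryServers list, 3 = zone transfers disabled.
function Get-ZoneTransferPolicy {
    param([string]$Server, [string]$Name)
    Get-WmiObject -ComputerName $Server -Namespace 'root\MicrosoftDNS' `
                  -Class MicrosoftDNS_Zone -Filter "Name='$Name'" |
        Select-Object Name, SecureSecondaries, SecondaryServers
}

"Before:"
Get-ZoneTransferPolicy -Server $dnsServer -Name $zone

# Switch the zone to "only the following servers" with dnscmd (installed with the DNS role on
# Windows Server 2008 R2). Use /NoXfr instead of /SecureList if nothing should ever pull the zone.
dnscmd $dnsServer /ZoneResetSecondaries $zone /SecureList $trusted

# Equivalent on Windows Server 2012 or later with the DnsServer module:
# Set-DnsServerPrimaryZone -ComputerName $dnsServer -Name $zone `
#     -SecureSecondaries TransferToSecureServers -SecondaryServers $trusted

# Read it back: SecureSecondaries should now be 2 and SecondaryServers should list only $trusted.
"After:"
Get-ZoneTransferPolicy -Server $dnsServer -Name $zone
```

Run this on the DNS server (or from a host with the DNS management tools and WMI access to it) before touching TMG; once the zone itself refuses transfers to untrusted hosts, the TMG filter is defence in depth rather than the only control.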

The DNS Filter on TMG is enabled by default as shown below:

Fig2

This filter has the following checks enabled by default:

  • DNS_Intrusion_detection= 1
  • DNS_Hostname_Overflow=1
  • DNS_Length_Overflow=1

Because a zone transfer may be either legitimate or hostile, the DNS_Zone_Transfer parameter is set to 0 by default, which means the filter does not block zone transfers. In other words, if you need zone transfers to pass through TMG, leave this parameter as it is. The recommendation is to allow zone transfers only to trusted DNS servers, which means configuring the DNS zone to allow transfers only to the IP addresses of the servers you trust. If all the servers you trust are behind TMG (on the internal network), you can safely block zone transfer attempts coming from the external (Internet) network by setting the parameter to 1. To do that, run the following script:

Set root = CreateObject("FPC.Root")
Set isaArray = root.GetContainingArray()
Set attackDetection = isaArray.ArrayPolicy.AttackDetection   ' not used below, kept from the original
Set dnsFilter = isaArray.Extensions.ApplicationFilters.Item("{49FE2B2F-3BB4-495C-87C8-3890C3C35756}")

dnsFilter.Enabled = True
Set vpSets = dnsFilter.VendorParametersSets

' If a vendor parameters set for the DNS Filter already exists, Add fails; ignore that error
On Error Resume Next
vpSets.Add "{D96C5E7F-5B13-4E1A-94A1-36CA7B54604E}", False, False
On Error Goto 0

' 1 = block zone transfers from untrusted networks
vpSets.Item("{D96C5E7F-5B13-4E1A-94A1-36CA7B54604E}").Value("DNS_Zone_Transfer") = "1"

vpSets.Save

…or you can make the same change in the UI using the option below:

Fig3

Note: if you run the script while the TMG console is open and then check the option in the UI, it may still show as disabled. Close and reopen the TMG console to refresh it.

After running the script (or changing the option in the UI), make sure to restart the Firewall Service and then run the nslookup ls command again from an external computer. The expected result is shown below:

> ls -d contoso.com

[TMGFW]

*** Can't list domain contoso.com: Unspecified error

The DNS server refused to transfer the zone contoso.com to your computer. If this is incorrect, check the zone transfer security settings for contoso.com on the DNS server at IP address 192.168.1.154.

This is certainly a better result for an external user to get.
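The nslookup output above only says "Unspecified error", which does not tell you whether the DNS server answered REFUSED or the firewall simply closed the connection. The following PowerShell function is an added example, not part of the original post: it sends a raw AXFR query over TCP/53 and reports the response code and answer count, or the fact that the peer closed the connection. The function name is mine; the server address and zone are the post's lab values, and the host running it is assumed to be able to reach TCP/53 on the target.

```powershell
# Added example (not from the original post): probe a server for AXFR and report what came back.
# Assumes TCP/53 to the target is reachable; server and zone are the post's lab values.
function Read-Exactly($stream, $count) {
    # Read exactly $count bytes; return $null if the peer closes the connection first
    $buf = New-Object byte[] $count
    $got = 0
    while ($got -lt $count) {
        $n = $stream.Read($buf, $got, $count - $got)
        if ($n -le 0) { return $null }
        $got += $n
    }
    return ,$buf
}

function Test-ZoneTransfer {
    param(
        [Parameter(Mandatory=$true)][string]$Server,
        [Parameter(Mandatory=$true)][string]$Zone,
        [int]$TimeoutMs = 5000
    )
    $rcodeNames = @{ 0='NOERROR'; 1='FORMERR'; 2='SERVFAIL'; 3='NXDOMAIN'; 4='NOTIMP'; 5='REFUSED'; 9='NOTAUTH' }

    # 12-byte DNS header: random ID, flags 0x0000 (standard query, RD clear), QDCOUNT=1
    $id  = Get-Random -Minimum 1 -Maximum 65535
    $msg = New-Object System.Collections.Generic.List[byte]
    $msg.AddRange([byte[]]@([byte][math]::Floor($id / 256), [byte]($id % 256), 0, 0, 0, 1, 0, 0, 0, 0, 0, 0))

    # QNAME as length-prefixed labels, root terminator, then QTYPE=252 (AXFR) and QCLASS=1 (IN)
    foreach ($label in $Zone.TrimEnd('.').Split('.')) {
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($label)
        $msg.Add([byte]$bytes.Length)
        $msg.AddRange($bytes)
    }
    $msg.AddRange([byte[]]@(0, 0, 252, 0, 1))

    # DNS over TCP puts a 2-byte big-endian length in front of every message
    $len = $msg.Count
    [byte[]]$frame = @([byte][math]::Floor($len / 256), [byte]($len % 256)) + $msg.ToArray()

    $result = New-Object PSObject -Property @{ Server=$Server; Zone=$Zone; RCode=$null; AnswerRecords=0; TransferAllowed=$false; Note='' }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.ReceiveTimeout = $TimeoutMs
        $client.Connect($Server, 53)
        $stream = $client.GetStream()
        $stream.Write($frame, 0, $frame.Length)

        $lenBuf = Read-Exactly $stream 2
        if ($null -eq $lenBuf) {
            $result.Note = 'connection closed without a DNS answer (typical when a firewall drops the transfer)'
            return $result
        }
        $respLen = [int]$lenBuf[0] * 256 + $lenBuf[1]
        $resp = Read-Exactly $stream $respLen
        if ($null -eq $resp -or $resp.Length -lt 12) {
            $result.Note = 'truncated DNS answer'
            return $result
        }

        # RCODE is the low nibble of header byte 3; ANCOUNT is bytes 6-7
        $rcode   = $resp[3] -band 0x0F
        $anCount = [int]$resp[6] * 256 + $resp[7]
        $name = $rcodeNames[$rcode]
        if (-not $name) { $name = "RCODE $rcode" }
        $result.RCode = $name
        $result.AnswerRecords = $anCount
        # A permitted AXFR answers NOERROR with at least the SOA record in the first message
        $result.TransferAllowed = ($rcode -eq 0 -and $anCount -gt 0)
        return $result
    }
    catch [System.IO.IOException] {
        $result.Note = "no answer within $TimeoutMs ms"
        return $result
    }
    finally { $client.Close() }
}

Test-ZoneTransfer -Server '192.168.1.154' -Zone 'contoso.com' | Format-List
```

Run it against the published DNS address from an external host before and after enabling DNS_Zone_Transfer: before the change you should see TransferAllowed=True with a non-zero AnswerRecords count; afterwards either REFUSED from the DNS server itself (the root-cause fix) or a closed connection from TMG. Anything else means the transfer is still reaching the zone.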