howto://publish DNS using TMG 2010 or ISA 2006

by Ed Fisher on 2010-02-22

in Infrastructure


As a follow-up to our recent post on using BIND9 servers as secondaries, today we’ll see how to publish our external DNS services using TMG 2010. Why would we want to do this, you ask? Simple…SE-KUR-I-TAH. Doing this, we are able to keep our BIND servers on the internal network, use secure publishing for all Internet-facing services, and take advantage of TMG 2010’s DNS application filtering to further secure our name servers. Consider the DMZ approach old and busted, and secure publishing as the new hotness.


This process is fairly straightforward. We assume only that you have an external IP address on your TMG set aside for this, and that your external firewall is configured to permit UDP 53 inbound from the Internet.

Log in to your TMG server, and launch the Forefront TMG management console.

  • Right-click Firewall Policy, and select New, Non-Web Server Protocol Publishing Rule…

  • Name your publishing rule external dns, and click Next.

  • Enter the internal IP address of your BIND server, then click Next.

  • From the drop-down list, select the DNS Server protocol. You can click Properties, then Parameters, to see that this allows TCP 53 Inbound and UDP 53 Receive and Send. We’re only going to permit UDP 53 from the Internet, so this is okay. Click Next.
    We’d only want to permit TCP 53 if we needed to do zone transfers over the Internet; TMG’s built-in protocol definition assumes that we will. You could define a new protocol for DNS without TCP, but I don’t feel it is necessary here, and this way, if we ever do put up another DNS server that must transfer over the Internet, we can control that at the perimeter firewall without having to modify the TMG.

  • Select the external address you will be using for the DNS publishing.

  • Click Next, then Finish, then open the properties of the publishing rule. Unless your TMG server is your default gateway, set it so that requests appear to come from the TMG computer. ISA 2006 is the same way: the default behaviour for non-Web protocol publishing rules is that requests appear to come from the original client.

  • We want to enhance the default DNS application filter settings*. To do this, go to Intrusion Prevention, select Behavioural Intrusion Detection, click Configure Detection Settings for Common Network Attacks, and then click the DNS Attacks tab. Check the box for "DNS zone transfer" to further protect against bad guys trying to pull your entire zone.
    If you ever do have another DNS server that will pull zone transfers over the Internet, you’ll need to uncheck this.

  • At the top of the console, click Apply, enter your configuration change description, and click Apply to finish.

*Detection of DNS attacks

From this TechNet article, we can see just what TMG protects our DNS server from…

The DNS Filter, which is installed with Forefront TMG, intercepts and analyzes all inbound DNS traffic destined for the Internal network and other protected networks. If DNS attack detection is enabled, you can specify that the DNS Filter will check for the following types of suspicious activity.

  • DNS host name overflow. A DNS response for a host name exceeds a certain fixed limit (255 bytes). Applications that do not check the length of the host names may overflow internal buffers when copying this host name, allowing a remote attacker to execute arbitrary commands on a targeted computer.
  • DNS length overflow. A DNS response for an IP address exceeds the specified length of 4 bytes. By crafting a DNS response with a longer value, some applications executing DNS lookups will overflow internal buffers, allowing a remote attacker to execute arbitrary commands on a targeted computer. Forefront TMG also checks that the value of RDLength does not exceed the size of the rest of the DNS response.
  • DNS zone transfer. A client system uses a DNS client application to transfer zones from an internal DNS server.

When offending packets are detected, they are dropped, and an event that triggers a DNS Intrusion alert is generated. You can configure alerts that will be triggered for these events to notify you that an attack was detected. When the DNS Intrusion event is generated five times during one second for DNS zone transfer, a DNS Zone Transfer Intrusion alert is triggered. By default, after the applicable predefined alerts are triggered, they are not triggered again until they are reset manually. We can configure this alert to email us, or launch some other action if we require, or we can just use the logging to keep an eye on things.
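The three checks above, as an added example that is not part of the original post and not TMG’s own code: a small Python inspector that flags AXFR/IXFR questions as zone transfers and, in responses, flags host names longer than 255 bytes on the wire and A records whose RDLENGTH is not 4 or runs past the end of the message. The `name` and `build` helpers construct sample messages; nothing here is captured traffic.

```python
import struct
MAX_NAME = 255                      # wire-format host name limit enforced by the filter
A, IXFR, AXFR = 1, 251, 252         # record/query types the checks care about

def read_name(pkt, off, hops=0):    # -> (wire length of the name, offset after it)
    length, end = 0, None
    while True:
        lab = pkt[off]
        if lab >= 0xC0:                             # 2-byte compression pointer
            if hops > 16:
                raise ValueError("compression pointer loop")
            end = off + 2 if end is None else end   # name ends after the first pointer
            off, hops = ((lab & 0x3F) << 8) | pkt[off + 1], hops + 1
            continue
        off, length = off + 1 + lab, length + 1 + lab
        if lab == 0:
            return length, (off if end is None else end)

def inspect(pkt):
    """List the suspicious conditions found in one DNS message (query or response)."""
    findings, off = [], 12
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    for _ in range(qd):
        _, off = read_name(pkt, off)
        qtype, off = struct.unpack("!H", pkt[off:off + 2])[0], off + 4   # skip QTYPE, QCLASS
        if qtype in (AXFR, IXFR):
            findings.append("zone transfer")
    if flags & 0x8000:                              # QR=1: a response, so walk its records
        for _ in range(an + ns + ar):
            nlen, off = read_name(pkt, off)
            if nlen > MAX_NAME:
                findings.append("host name overflow")
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
            off += 10
            if rdlen > len(pkt) - off or (rtype == A and rdlen != 4):
                findings.append("length overflow")  # RDLENGTH past message end, or A record not 4 bytes
                return findings                     # the filter drops the packet here; stop walking
            off += rdlen
    return findings

def name(*labels):                                  # helper: labels -> wire-format name
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build(qname, qtype, answers=(), response=False):   # constructed sample message, not captured traffic
    msg = struct.pack("!6H", 0x1234, 0x8180 if response else 0x0100, 1, len(answers), 0, 0)
    msg += qname + struct.pack("!HH", qtype, 1)
    for rname, rtype, rdata in answers:
        msg += rname + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg
```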

  • The process for configuring ISA 2006 is almost identical, except that Intrusion Detection is located under the Configuration, General section.

It’s really as easy as that, but if you have any questions or advice for others, why not leave a comment?
