Friday, July 5, 2019

DNS snippets

Notes: source ITFreetraining

Hierarchical database, created in 1983.
Maps names to IP addresses.
Previously hosts files were used, which were local to each machine. It is difficult to maintain the same file on a number of systems, and the hosts file kept growing with the internet. So central administration is required, i.e. DNS.

Requirements:
BIND (Berkeley Internet Name Domain) compliant.
There is UNIX DNS, but
integration with AD is harder, and
DDNS (dynamic DNS) is not automatically set up, i.e. a client starting in the domain creates its entry in DNS automatically and later address changes are picked up; without it, those changes have to be done manually.
Windows DNS is recommended.
The machine on which you are installing the DNS role should have a static IP address, either v4 or v6.
Install: Server Manager -> Roles -> DNS Server

Features:
DNSSEC:
Domain Name System Security Extensions.
DNS traffic is not encrypted, so it can be modified in transit (replication between primary and secondary DNS, a client query to a DNS server).
DNSSEC proves the data has not changed: the receiving party gets the data with a signature and a key to verify it.
If DNSSEC is supported on the DNS servers, then:
Trust Anchors:
A name is resolved from right to left, e.g. example.com.au.
Root hint server: the root server in DNS has an anchor and a key (signature), which it passes to the DNS server that can resolve 'au'. The key is in turn passed to the DNS server that can resolve 'com'. If the DNS server resolving 'com' does not support DNSSEC, then the next DNS server, the one resolving 'example' (say it supports DNSSEC), cannot tell whether the data has been altered or not. In such a case we can create a trust anchor at the 'example' DNS server, so clients can use this anchor when they query.
In 2012 these trust anchors can be viewed in DNS Manager and are stored in AD DS.
Key Management:
Keys can be stored in AD, so they are replicated like other data.
Automated key rollover in AD: changing of keys, i.e. expiry of keys and adding new ones in their place.
Key Master: works on one primary zone. The server given the role takes care of all keys in that zone. The role can be transferred to another server, but only one server holds it at a time.
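An added example, not from the ITFreeTraining notes: report a zone's DNSSEC state as the section above describes it (signed or not, keys and their rollover, Key Master, trust anchors), then check from the resolver side that signed answers come back. The zone and record names are placeholders; it assumes a Windows DNS server with the DnsServer module.

```powershell
# Added example (not from the notes). Assumes the DnsServer module; names are placeholders.
Import-Module DnsServer

function Get-ZoneDnssecReport {
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        [string] $DnsServer = 'localhost'
    )
    $zone   = Get-DnsServerZone -Name $ZoneName -ComputerName $DnsServer
    $report = [ordered]@{ Zone = $ZoneName; IsSigned = $zone.IsSigned; KeyMaster = $null; Keys = @() }
    if ($zone.IsSigned) {
        # Key Master: the one server that manages all keys of this zone
        $report.KeyMaster = (Get-DnsServerDnsSecZoneSetting -ZoneName $ZoneName -ComputerName $DnsServer).KeyMasterServer
        # KSK/ZSK with their automated rollover settings
        $report.Keys = Get-DnsServerSigningKey -ZoneName $ZoneName -ComputerName $DnsServer |
            Select-Object KeyType, KeyLength, CryptoAlgorithm, RolloverPeriod, NextRolloverAction
    }
    # Trust anchors this server holds (on a 2012 DC they live in AD DS and replicate with it)
    $report.TrustAnchors = foreach ($tp in Get-DnsServerTrustPoint -ComputerName $DnsServer -ErrorAction SilentlyContinue) {
        Get-DnsServerTrustAnchor -Name $tp.TrustPointName -ComputerName $DnsServer |
            Select-Object TrustAnchorName, TrustAnchorType, TrustAnchorState
    }
    [pscustomobject]$report
}

function Test-DnssecAnswer {
    param([Parameter(Mandatory)] [string] $Name, [string] $Server)
    # DO bit set: a server that has the signed data returns RRSIG records alongside it
    $q = @{ Name = $Name; Type = 'A'; DnssecOk = $true }
    if ($Server) { $q.Server = $Server }
    $answer = Resolve-DnsName @q
    $rrsig  = @($answer | Where-Object Type -eq 'RRSIG')
    [pscustomobject]@{
        Name       = $Name
        Addresses  = @($answer | Where-Object Type -eq 'A').IPAddress
        Signed     = $rrsig.Count -gt 0   # no RRSIG: unsigned zone, or a hop that dropped DNSSEC
        Signatures = $rrsig.Count
    }
}

Get-ZoneDnssecReport -ZoneName 'itfreetraining.local'      # zone name used in the notes
Test-DnssecAnswer -Name 'www.itfreetraining.local'         # placeholder record
```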
Namespace:
It is decentralised.
Hierarchy:
Root hint server - '.' All names end with '.' even if you don't type it.
Top level domain - com, au, org, edu, net
Second level domain - e.g. ITfreeTraining (admins have control from here: they can create further child domains and change IP addresses if required)
Third level domain - East, West, Sales, Marketing
Fourth level domain - www, ftp
Process: resolving example.com.
The client sends a request to its DNS server, which checks its cache and, if not found, contacts a root hint server (on the network). The addresses of a few root hint servers are stored by local DNS servers.
The root hint DNS has the address of the .com DNS server.
The client's DNS contacts the .com DNS server, which has the address of the DNS server that can resolve 'example'.
The client's DNS contacts the example DNS server and gives the result to the client.
The results are stored on the local DNS, including the addresses of the root hint and .com servers.

Root Hint Servers:
Configured by default.
Normally no need to change them.
In rare cases administrators will disable them.
Most companies forward DNS requests to their ISP's DNS; since it handles more requests, the address may already have been resolved and cached there.
A DNS server configured to forward to another DNS server will not use the root hint values.
Recursive and Iterative Queries: at every step the cache is checked for a resolution, and results are cached for easy future resolution. For instance, instead of contacting the root hint server again, the server can directly contact the com DNS server by storing the com server's address.
Recursion:
The DNS server takes responsibility for resolution.
It will contact other DNS servers as required.
Iterative: to avoid load.
Responds with the best information it has, from cache, or a referral to another server that can help.
Does not contact other DNS servers.
In the above example of resolving the example.com. address:
The desktop computer first checks its cache; if not found, it contacts its DNS server via a recursive query, i.e. this DNS server takes responsibility for contacting other DNS servers as required for resolution.
The local DNS server checks its cache; if not found, it contacts a root hint DNS via an iterative query, i.e. the root hint either provides the resolution or tells it about the com server, which can help further.
The local DNS sends an iterative query to the com server, which in turn sends information about the DNS server that can resolve 'example'.
The local DNS contacts the example DNS server via an iterative query and sends the resolved address to the desktop.

https://www.lifewire.com/what-is-a-dns-cache-817514

Configuring root hint servers:

Open dnsmgmt.msc -> right click the DNS server -> Properties -> Forwarders
Option: Use root hints if no forwarders are available.
This option is helpful in case the forwarders are unavailable/offline.

Open dnsmgmt.msc -> right click the DNS server -> Properties -> Advanced
Option: Disable recursion (also disables forwarders)
If this is ticked, it prevents the DNS server from contacting any other DNS server when it does not know the answer to a query.
Use it in secured, isolated networks,
or if you have a set of DNS servers and you do not want this one to take up the task of resolving what it does not have in its cache.

Open dnsmgmt.msc -> right click the DNS server -> Properties -> Root Hints
The number of root hint servers is limited to 13 due to a limitation of the UDP protocol at the time DNS was first developed.
Root hint data is stored in "C:\Windows\System32\dns\cache.dns".
You can click 'Remove' and then 'Copy from Server' and give the server's DNS name or IP address.
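The three configurations the procedure above walks through (forwarders with root-hint fallback, root hints only, recursion disabled), set with the DnsServer module instead of dnsmgmt.msc, plus a function that reads the state back. This is an added example, not from the notes; the forwarder addresses are constructed placeholders for ISP resolvers.

```powershell
# Added example (not from the notes). Forwarder addresses are constructed placeholders.
Import-Module DnsServer

function Set-ResolverMode {
    param(
        [Parameter(Mandatory)] [ValidateSet('Forwarding', 'RootHints', 'AuthoritativeOnly')] [string] $Mode,
        [string[]] $Forwarders = @('192.0.2.53', '192.0.2.54')   # constructed ISP resolver addresses
    )
    $current = (Get-DnsServerForwarder).IPAddress
    switch ($Mode) {
        'Forwarding' {
            # Forwarders tab: send unresolved queries to the ISP; "Use root hints if no
            # forwarders are available" keeps resolution working when the ISP is offline.
            Set-DnsServerRecursion -Enable $true
            Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $true
        }
        'RootHints' {
            # No forwarders: resolve iteratively starting from the 13 root servers in cache.dns
            Set-DnsServerRecursion -Enable $true
            if ($current) { Remove-DnsServerForwarder -IPAddress $current -Force }
        }
        'AuthoritativeOnly' {
            # Advanced tab: "Disable recursion (also disables forwarders)". The server answers
            # only from its own zones and cache; for isolated networks or where another set of
            # servers does the resolving.
            Set-DnsServerRecursion -Enable $false
        }
    }
}

function Get-ResolverMode {
    $rec = Get-DnsServerRecursion
    $fwd = Get-DnsServerForwarder
    $mode = if (-not $rec.Enable) { 'AuthoritativeOnly' }
            elseif ($fwd.IPAddress)  { 'Forwarding' }
            else                     { 'RootHints' }
    [pscustomobject]@{
        Mode             = $mode
        RecursionEnabled = $rec.Enable
        Forwarders       = $fwd.IPAddress
        UseRootHint      = $fwd.UseRootHint              # fallback when forwarders are unreachable
        RootHintCount    = @(Get-DnsServerRootHint).Count  # 13 from cache.dns unless edited
    }
}

Set-ResolverMode -Mode Forwarding
Get-ResolverMode
```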

DNS Zones:
Zones are nothing but the DNS namespace divided up for administration. A zone stores DNS records.
Primary zone:
Contains the read/write copy of the zone data.
In a primary zone, BIND stores the data in a text file, hence changes can be made only on the one DNS server that holds the primary zone.
If a change is requested from another zone, it goes to the DNS server which holds the primary zone, and if that server is unavailable then changes cannot be made until it is available again. - problem
Problem solved by:
Active Directory Integrated Zone:
A primary zone stored in AD.
The text file that holds the zone data has been moved into the AD database.
Hence AD replication can be used, and changes can be made on multiple servers.
DNS must be installed on a DC.
Allows secure dynamic updates: a computer that is part of AD, when it first comes up, tries to add its host name to DNS. When the secure channel is enabled it does so securely.
Dynamic updates can be done without an AD integrated zone, but that is prone to attacks where attackers may add their own DNS records into the zone.

Secondary Zone: the advantage is redundancy. A complete copy of a zone is stored as a backup; if the primary zone is unavailable, queries can still be answered from the read-only copy.
A read-only copy of a primary/secondary zone. Can be a copy of an AD integrated zone.
Change requests are passed on to the primary zone.
Adv: they work on DNS servers that are not part of the domain; they can be configured on Linux/UNIX servers.

Case:
If the zone file is large and changes a lot, then there is a lot of replication.
A case where a branch office has a few users: they get every change replicated to them, but they might never query those records. - problem
Problem solved by:
Stub Zone:
Contains only partial data from the other zone: only the records needed to find an authoritative server (a DNS server that holds the primary or secondary zone).
The DNS server that holds the stub zone redirects queries to a DNS server that can answer (primary or secondary).
You can also do this with conditional forwarding, but that is static: if DNS servers are added or removed on the other network, it needs updating. A stub zone is dynamic; it updates automatically.
One more advantage of using a stub instead of a secondary: a secondary may lose access to read the other zone's data, or may not receive all the updates.

Reverse lookup zone:
Contains IP address to host mapping.
Used mostly for troubleshooting.
Administrator's choice whether to create it or not.
Not required for day-to-day activity.
Services like AD can work without a single reverse lookup record.

DNS Zone demonstration:

Dynamic updates through a secure channel are allowed only for AD integrated zones.

Secondary zone:
For a secondary server to function, zone transfers have to be allowed from the primary server: Properties -> Zone Transfers.
Option: allowing zone transfers only to the servers listed under the Name Servers tab is preferred over transferring to any server, for security.
In that case add the secondary server you configured to the list of name servers.

Name Servers:
Considered to be the authority.
The servers that are considered the best source of information for that zone.

After zone transfer is set, use the option 'Transfer from Master' to force replication: secondary zone -> right click -> 'Transfer from Master'. Press F5.

Start of Authority:
Replication can be observed through the Start of Authority record: primary zone -> Properties -> Start of Authority. Refresh interval: the time after which the secondary contacts the primary for any changes to replicate.
Retry interval: if not successful, when to retry.
Serial number: if any change is made to the zone file, the number gets incremented. This is how the secondary server comes to know whether there are any changes, by comparing its serial number with the primary zone's serial number.

A stub zone can be integrated with AD.
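The zone demonstration above done with the DnsServer module: an AD-integrated primary with secure-only dynamic updates, zone transfers limited to the servers on the Name Servers tab, the secondary with a forced transfer, an AD-integrated stub zone, and the SOA serial comparison that shows replication happened. Added example, not from the notes; server names and addresses are constructed, the zone name is the one used in the notes.

```powershell
# Added example (not from the notes). Server names/IPs are constructed placeholders.
Import-Module DnsServer
$Zone        = 'itfreetraining.local'        # zone used in the notes
$PrimaryIp   = '192.0.2.10'                  # constructed: DC holding the primary zone
$SecondaryNs = 'dns2.itfreetraining.local'   # constructed: secondary, not a domain member
$SecondaryIp = '192.0.2.12'

# --- on the primary (a DC) ---
# Zone data goes into AD, so it replicates and any DC running DNS can accept changes.
# DynamicUpdate Secure: only authenticated domain members can register or change records,
# so arbitrary hosts cannot add their own records to the zone.
Add-DnsServerPrimaryZone -ComputerName $PrimaryIp -Name $Zone -ReplicationScope Domain -DynamicUpdate Secure

# Put the secondary on the Name Servers tab (A record plus NS record at the zone apex)...
Add-DnsServerResourceRecordA -ComputerName $PrimaryIp -ZoneName $Zone -Name 'dns2' -IPv4Address $SecondaryIp
Add-DnsServerResourceRecord  -ComputerName $PrimaryIp -ZoneName $Zone -NS -Name '@' -NameServer $SecondaryNs
# ...and allow zone transfers only to servers on that tab, notifying them of changes
Set-DnsServerPrimaryZone -ComputerName $PrimaryIp -Name $Zone -SecureSecondaries TransferToZoneNameServer -Notify Notify

# --- on the secondary (may be a non-domain server) ---
Add-DnsServerSecondaryZone -ComputerName $SecondaryIp -Name $Zone -ZoneFile "$Zone.dns" -MasterServers $PrimaryIp
Start-DnsServerZoneTransfer -ComputerName $SecondaryIp -Name $Zone -FullTransfer   # "Transfer from Master"

# --- stub zone for another namespace, stored in AD (constructed name and master) ---
Add-DnsServerStubZone -ComputerName $PrimaryIp -Name 'partner.example' -MasterServers '192.0.2.99' -ReplicationScope Domain

function Compare-ZoneSerial {
    # The secondary is current when its SOA serial equals the primary's
    param([string] $ZoneName, [string] $Primary, [string] $Secondary)
    $p = (Get-DnsServerResourceRecord -ComputerName $Primary   -ZoneName $ZoneName -RRType Soa).RecordData
    $s = (Get-DnsServerResourceRecord -ComputerName $Secondary -ZoneName $ZoneName -RRType Soa).RecordData
    [pscustomobject]@{
        PrimarySerial   = $p.SerialNumber
        SecondarySerial = $s.SerialNumber
        InSync          = $p.SerialNumber -eq $s.SerialNumber
        RefreshInterval = $p.RefreshInterval   # how often the secondary asks for changes
        RetryInterval   = $p.RetryInterval     # when it retries after a failed refresh
    }
}

function Test-ZoneHardening {
    param([string] $ZoneName, [string] $Server)
    $z = Get-DnsServerZone -ComputerName $Server -Name $ZoneName
    [pscustomobject]@{
        Zone              = $z.ZoneName
        AdIntegrated      = $z.IsDsIntegrated
        DynamicUpdate     = $z.DynamicUpdate       # want Secure
        SecureSecondaries = $z.SecureSecondaries   # anything but TransferAnyServer
        Hardened          = ($z.DynamicUpdate -eq 'Secure') -and ($z.SecureSecondaries -ne 'TransferAnyServer')
    }
}

Test-ZoneHardening -ZoneName $Zone -Server $PrimaryIp
Compare-ZoneSerial -ZoneName $Zone -Primary $PrimaryIp -Secondary $SecondaryIp
```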

Records:
A record: IPv4
AAAA record: IPv6
While creating a record, based on the IP address given, it will decide the record type.

Alias (CNAME):
Enter the name and select the record (target host).

Mail Exchanger record (MX record):
Has a priority. Ex: the priority 5 record is contacted first and, if it is not available, the priority 10 record is contacted.
While creating a mail record, select an existing host record.

Other records can also be created under All Tasks -> Common Records.

Time to live:
Time to live is a parameter of a DNS record which specifies how long the record may be kept in the cache of a computer or DNS server. After that, the computer/client and DNS server are required to query the authoritative server again.
For example, mail records are given a shorter time to live, so that if the server is down or its IP changed, clients query the authoritative server instead of the service being down for a long time.
But it increases the queries to the authoritative server, hence network traffic increases.

DNS record aging:
A timestamp on the DNS record. This is for dynamically updated records; by default not for static records, but it can be configured for them as well. Each time a computer starts up it may update the timestamp of its record.
To avoid the network traffic of all computers updating their timestamps each time they start up, and the further replication to other DNS servers, the no-refresh interval and refresh interval were defined.
No-refresh interval: by default 7 days. No timestamp changes are allowed; all other changes like IP address, ports (service changes) are allowed.
Refresh interval: by default 7 days. All changes including the timestamp are allowed. Thus a computer has 7 days to refresh its timestamp.
On the whole a record has a 14 day period before removal.
Scavenging:
Removal of outdated DNS records.
>14 days by default (no-refresh + refresh interval): a record is scavenged only if its timestamp is older than this interval.
While scavenging a record, the timestamp is checked and next the setting 'Delete this record when it becomes stale'. That setting has to be checked for scavenging to work; by default all dynamic records have it checked and static records unchecked.
On the server we have a scavenging option for all zones, but that applies only to AD integrated zones (new ones, and existing ones if ticked): right click server -> Set Aging/Scavenging for All Zones -> Scavenge stale resource records.
There is a zone-wise scavenging option as well: zone -> Properties -> General -> Aging -> Scavenge stale resource records.
To force scavenging right away, the server has 'Scavenge Stale Resource Records'; when clicked it works only on zones for which scavenging is checked and on records for which 'Delete this record when it becomes stale' is selected.
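Before switching scavenging on it is worth seeing what would be deleted. This added example (not from the notes) audits the three places the section above describes (record timestamp, zone aging, server scavenging), lists the records that are already past no-refresh + refresh, and then enables scavenging with the 7 + 7 day defaults. The zone name is the one used in the notes.

```powershell
# Added example (not from the notes). Assumes the DnsServer module on the DNS server.
Import-Module DnsServer

function Get-ScavengingReport {
    param([Parameter(Mandatory)] [string] $ZoneName, [string] $DnsServer = 'localhost')
    $srv  = Get-DnsServerScavenging -ComputerName $DnsServer                    # place 3: server
    $zone = Get-DnsServerZoneAging  -ComputerName $DnsServer -Name $ZoneName    # place 2: zone
    $recs = @(Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType A)
    # place 1: only records carrying a timestamp (dynamic ones by default) can become stale;
    # static records have no timestamp and are never scavenged unless aging was enabled on them.
    $dynamic = @($recs | Where-Object { $_.Timestamp })
    # stale = timestamp older than no-refresh + refresh (14 days with the defaults)
    $staleBefore = (Get-Date) - ($zone.NoRefreshInterval + $zone.RefreshInterval)
    $stale = @($dynamic | Where-Object { $_.Timestamp -lt $staleBefore })
    [pscustomobject]@{
        Zone                  = $ZoneName
        ServerScavenging      = $srv.ScavengingState      # place 3 switch
        ServerInterval        = $srv.ScavengingInterval   # how often this server runs the sweep
        ZoneAging             = $zone.AgingEnabled        # place 2 switch
        NoRefreshInterval     = $zone.NoRefreshInterval
        RefreshInterval       = $zone.RefreshInterval
        StaleBefore           = $staleBefore
        DynamicRecords        = $dynamic.Count
        StaticRecords         = $recs.Count - $dynamic.Count
        WouldBeScavenged      = $stale | Select-Object HostName, Timestamp,
                                    @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } }
        EffectiveOnThisServer = [bool] ($srv.ScavengingState -and $zone.AgingEnabled)
    }
}

function Enable-ZoneScavenging {
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        [timespan] $NoRefresh      = '7.00:00:00',   # default: timestamp refreshes are refused
        [timespan] $Refresh        = '7.00:00:00',   # default: timestamp refreshes are accepted
        [timespan] $ServerInterval = '7.00:00:00'
    )
    # zone: Properties -> General -> Aging -> "Scavenge stale resource records"
    Set-DnsServerZoneAging -Name $ZoneName -Aging $true -NoRefreshInterval $NoRefresh -RefreshInterval $Refresh
    # server: the sweep itself (Set Aging/Scavenging for All Zones in DNS Manager)
    Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval $ServerInterval
}

# Review first: everything in WouldBeScavenged disappears at the next sweep once both switches are on
Get-ScavengingReport -ZoneName 'itfreetraining.local'
# Enable-ZoneScavenging -ZoneName 'itfreetraining.local'
# Start-DnsServerScavenging -Force    # "Scavenge Stale Resource Records" now, instead of waiting
```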

DNS Delegation:
Creating subdomains to:
Delegate administrative authority. Administrators get rights on the subdomain and are not given rights on the parent domain.
Improve performance. Load is balanced, as each subdomain is hosted on separate DNS servers.
Expand the namespace.

On the client machine: go to Server Manager -> right click All Servers -> Add Server -> DNS -> add with the help of the IP address.
On the left hand side, right click DNS -> DNS Manager.
DNS Manager -> right click DNS -> Connect to DNS Server -> enter the IP address -> create a zone -> give the name as subdomain.parentdomain, e.g. west.itfreetraining.local, where itfreetraining.local is the parent domain and west is a subdomain.
Then create a host record for the same server.
Now if you ping the server's FQDN it won't resolve, as the itfreetraining.local domain does not know about it.
Go to the parent zone, right click -> New Domain: this creates a new subdomain, but it is stored on the same server. It is promoted as DNS automatically post Server 2008 R2.
The other option is New Delegation, which delegates the relationship between the parent and the subdomain.
New Delegation -> give the domain name (west) -> give the authoritative server of that subdomain (as it won't resolve by FQDN, give the IP address).
Now the domain west is visible, but greyed out, as it is not stored on this server.
Now pinging the FQDN west.itfreetraining.local will resolve, but may report request timed out, as the firewall on that server may not allow ping requests.
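The delegation procedure above with the DnsServer module, run from the management workstation against both servers, plus a check that separates "the name does not resolve" from "the host firewall drops ICMP", which is the ambiguity in the last step. Added example, not from the notes; the server names and IPs are constructed, the zone names are those used in the notes.

```powershell
# Added example (not from the notes). Server names/IPs are constructed placeholders.
Import-Module DnsServer
$Parent       = 'itfreetraining.local'
$Child        = 'west'
$ChildZone    = "$Child.$Parent"
$ParentDns    = '192.0.2.10'                 # constructed: server holding the parent zone
$ChildDnsIp   = '192.0.2.20'                 # constructed: server that will host west.*
$ChildDnsFqdn = "dns-west.$ChildZone"

# 1. On the child server: host the subdomain as its own zone and add the server's own host record
Add-DnsServerPrimaryZone     -ComputerName $ChildDnsIp -Name $ChildZone -ZoneFile "$ChildZone.dns"
Add-DnsServerResourceRecordA -ComputerName $ChildDnsIp -ZoneName $ChildZone -Name 'dns-west' -IPv4Address $ChildDnsIp

# 2. On the parent: "New Delegation" rather than "New Domain", so the data stays on the child server.
#    -IPAddress writes the glue A record for the child's name server; without it the parent could
#    not find a server whose name lives inside the very zone being delegated (the "won't resolve
#    with the FQDN" step in the notes).
Add-DnsServerZoneDelegation -ComputerName $ParentDns -Name $Parent -ChildZoneName $Child `
    -NameServer $ChildDnsFqdn -IPAddress $ChildDnsIp

function Test-Delegation {
    param([string] $ChildZone, [string] $ParentServer, [string] $HostToTest)
    # The parent's NS answer for the subdomain should name the child's server
    $ns = Resolve-DnsName -Name $ChildZone -Type NS -Server $ParentServer -ErrorAction SilentlyContinue |
          Where-Object Type -eq 'NS'
    # -InformationLevel Detailed reports name resolution and ping separately
    $tnc = Test-NetConnection -ComputerName $HostToTest -InformationLevel Detailed -WarningAction SilentlyContinue
    [pscustomobject]@{
        ChildZone       = $ChildZone
        DelegatedTo     = $ns.NameHost
        NameResolves    = $tnc.NameResolutionSucceeded   # the part the delegation fixes
        PingSucceeded   = $tnc.PingSucceeded             # may still be $false: host firewall
        ResolvedAddress = $tnc.ResolvedAddresses -join ','
    }
}

Test-Delegation -ChildZone $ChildZone -ParentServer $ParentDns -HostToTest $ChildDnsFqdn
```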

Windows DNS server settings:
Properties of server -> Advanced
Disable recursion (also disables forwarders): prevents the DNS server from contacting others for answers.
Helps prevent Denial of Service (DoS) attacks.
Enable BIND secondaries: for replication with BIND below 4.9.4 (released in the late 90s).
This option slows down zone transfers. As it is for a very old version that is mostly not in use any more, it is left unchecked.
Fail on load if bad zone data: if enabled, the zone will not load (will not answer queries) if there are data errors in the file, like illegal characters in a DNS record.
Enable round robin: when multiple records exist, returns them in rotating sequence.
DNS allows more than one record with the same name but different IP addresses.
Ex: if there are two records with the same name and different IP addresses, and 4 computers query the name, the 1st record is given to the 1st computer, the 2nd record to the 2nd, the 1st record to the 3rd and the 2nd record to the 4th. Thus it helps load balancing.
If this is not enabled, the record it finds first in the zone file is given to all requests.
Enable netmask ordering: returns records on the same network first.
If there are 2 networks each with a www server and clients query, round robin would return one after the other to each client, but if netmask ordering is enabled the server on the same network as the client is given as the answer.
Enable both round robin and netmask ordering.

Secure cache against pollution: prevents false records being added to the cache. Enabled by default.
An attacker sends a query the DNS server cannot answer, so the server contacts another DNS server; the attacker then sends multiple fake answers of its own, so that instead of the response from the other DNS server the attacker's fake address is stored in the cache, and when a client queries, the fake answer is returned.
Enable DNSSEC validation for remote responses: available on Server 2012 only.
Allows clients to validate records (to make sure the record returned by the DNS server has not been tampered with) and to confirm that a record does not exist, thus preventing an attacker from claiming a record does not exist, and so preventing a DoS attack. Enabled by default.
Round robin and netmask ordering:
When the client address is IPv4 and the DNS records are IPv4, round robin and netmask ordering work normally.

When the client is IPv6 and the DNS records are IPv4, netmask ordering won't work, as the DNS server can't figure out which IPv4 network the client came from. Round robin works normally.

When it is IPv6 to IPv6, netmask ordering is performed by the client, as it is taken care of by default by the IPv6 protocol. The DNS netmask ordering setting is ignored. Round robin works normally.
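An added example (not from the notes) that reads the Advanced-tab settings discussed above through the DnsServer module and compares them with the values the notes give as defaults or recommendations, then turns round robin and netmask ordering on together as the notes advise. The property names are those of Get-DnsServerSetting -All on 2012 R2/2016; the mapping of "Enable DNSSEC validation for remote responses" to EnableDnsSec is an assumption.

```powershell
# Added example (not from the notes). EnableDnsSec as the DNSSEC-validation switch is assumed.
Import-Module DnsServer

function Get-DnsAdvancedSettingsReport {
    param([string] $DnsServer = 'localhost')
    $s = Get-DnsServerSetting   -ComputerName $DnsServer -All
    $r = Get-DnsServerRecursion -ComputerName $DnsServer
    # Expected = what the notes state; $null = a site decision with no expectation recorded
    $rows = @(
        @{ Setting = 'Disable recursion (also disables forwarders)'; Value = -not $r.Enable;     Expected = $null }
        @{ Setting = 'Enable BIND secondaries';                      Value = $s.BindSecondaries;   Expected = $false }  # BIND < 4.9.4 only
        @{ Setting = 'Fail on load if bad zone data';                Value = $s.StrictFileParsing; Expected = $null }
        @{ Setting = 'Enable round robin';                           Value = $s.RoundRobin;        Expected = $true }
        @{ Setting = 'Enable netmask ordering';                      Value = $s.LocalNetPriority;  Expected = $true }
        @{ Setting = 'Secure cache against pollution';               Value = $s.SecureResponses;   Expected = $true }   # default on
        @{ Setting = 'Enable DNSSEC validation for remote responses'; Value = $s.EnableDnsSec;     Expected = $true }   # default on; assumed mapping
    )
    foreach ($row in $rows) {
        [pscustomobject]@{
            Setting  = $row.Setting
            Value    = [bool] $row.Value
            Expected = $row.Expected
            Status   = if ($null -eq $row.Expected) { 'review' }
                       elseif ([bool] $row.Value -eq $row.Expected) { 'ok' }
                       else { 'CHANGE' }
        }
    }
}

function Enable-RoundRobinAndNetmaskOrdering {
    param([string] $DnsServer = 'localhost')
    $s = Get-DnsServerSetting -ComputerName $DnsServer -All
    $s.RoundRobin       = $true   # rotate same-name records between successive clients
    $s.LocalNetPriority = $true   # answer with the record on the client's own network first (IPv4 only)
    Set-DnsServerSetting -ComputerName $DnsServer -InputObject $s
}

Get-DnsAdvancedSettingsReport | Format-Table -AutoSize
# Enable-RoundRobinAndNetmaskOrdering
```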



Scavenging:
https://social.technet.microsoft.com/wiki/contents/articles/21724.how-dns-aging-and-scavenging-works.aspx
DNS scavenging and the DHCP lease duration relation
https://blogs.technet.microsoft.com/askpfe/2011/06/03/how-dns-scavenging-and-the-dhcp-lease-duration-relate/

Scavenging is set in three places on a Windows Server: 1. On the individual resource record to be scavenged. 2. On a zone to be scavenged. 3. At one or more servers performing scavenging. It must be set in all three places or nothing happens.

Value adds:
1. How DNS Works
2. DNS Client Resolver Behavior
3. Name Resolution
4. Network Ports Used by DNS
5. Optimizing your network to keep your DNS squeaky clean
6. Creating a Pinpoint DNS Zone
7. DNS Round Robin and Destination IP address selection
8. Tracking DNS Record Deletion
9. Auditing a DNS Zone
10. How DNS Scavenging and the DHCP Lease Duration Relate
11. Aging and Scavenging of Stale Records
12. Don't be afraid of DNS Scavenging. Just be patient.
13. How DNS Support for Active Directory Works
14. Domain Name System
15. Troubleshooting DNS Clients
16. Troubleshooting DNS Servers
17. Troubleshooting Dynamic Updates
18. Troubleshooting zone problems
19. Event ID 4515 is logged in the DNS Server log in Windows Server 2003
20. Event 5504 is logged when a Windows Server 2003-based DNS server receives a packet that contains a DNAME resource record
21. Best Practices for Administering DNS Server
22. Auditing a DNS Zone
23. Auditing DNS Record Entries (or deletions)
24. Deploying DNS Security Extensions (DNSSEC)
25. Windows client and server operating system compatibility with DNSSEC enabled root servers
26. Checklist: Deploying DNSSEC and IPsec on the DNS client
27. DNS Registry Entries
28. Determine DNS requirements for Lync Server 2013
29. Communicator Automatic Configuration and Split-Brain DNS
30. DNS requirements for mobility with Lync Server 2013


DNS audit:

Audit Directory Service Access should be enabled.
Event ID 566

https://blogs.msdn.microsoft.com/anthonw/2006/08/23/auditing-dns-record-entries-or-deletions/

Tuesday, May 7, 2019

ADFS snippets

Terminology: source ITFreeTraining

Account Partner - the org which has the accounts.
Resource Partner - the org which has the resources.
Claims - issued by the authenticating company.
Relying Party trust - used by ADFS to issue claims.
Claims Provider trust - on the side which accepts claims; the Relying Party trust is on the other side.
Account Federation Server - issues tokens.
Federation Metadata - uses SAML 2.0.
ADFS Config DB - required to run ADFS; stores the ADFS instance configuration.
Primary Federation Server - the first server added to the farm, which has the read/write copy of the Config DB; the other servers have a read-only copy of the Config DB.
Relying Party - is the Resource Partner org.
Resource Federation Server - on the Resource org; accepts the claim (embedded in a security token) provided by the Account Federation Server and replaces it with a new claim (what resource is to be accessed).
Claims Aware Application - accepts the claim and provides the resource, e.g. Office 365.
Web Application Proxy - located in the DMZ; provides communication between the internet and ADFS.
Private key length for ADFS suggested by MS is 2048.
A Relying Party trust can be created between two ADFS instances, or between ADFS and a claims-aware app.
A Relying Party trust has three kinds of rules:
Issuance Authorization rules - define who can have a claim created for them. Ex: only domain users, only users with a specific email, allow only external users and block internal users.
Issuance Transform rules - define what data is put into the claim. You can use multiple sources like AD, a SQL store, AD LDS, ...
The data can also be changed if required. Ex: Role in Company is required and is obtained from Job Title, but if the title is not set you can create a rule to set it to a value in the claim.
If the user name ends with .local, you can change it to .com.
Delegation Authorization rules - allow a user to be impersonated, when the user does not have direct access to the claims-aware app/server. Improves security.
Claims Provider Trust - the configuration used when accepting claims.
Only one kind of rule:
Acceptance Transform rules - can change the data in a claim. Ex: can change a value in the claim.
Can change the claim type. Ex: if the value came as group but you want user.
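The rule sets described above, written in AD FS claim rule language and applied with the ADFS module: an authorization rule that permits one group, transform rules that pull UPN and title from AD, rewrite a .local suffix to .com and default the role when the title is empty, a delegation rule for one service account, and the single acceptance transform on the claims provider side that turns a group claim into a role claim. Added example, not from the notes; the trust names, group SID, service account and the custom title claim type are constructed.

```powershell
# Added example (not from the notes). Trust names, SID, account and the title claim type are constructed.
Import-Module ADFS
$RpName = 'Claims App (test)'      # constructed relying party trust name
$CpName = 'Partner IdP (test)'     # constructed claims provider trust name

# Issuance Authorization: who gets a token at all. Only the group below is permitted;
# a user who produces no permit claim is denied.
$AuthzRules = @'
@RuleName = "Permit members of the app users group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value == "S-1-5-21-1111111111-2222222222-3333333333-1105"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Issuance Transform: what goes into the token and how it is reshaped.
# urn:example:claims:title is a constructed custom claim type for the AD "title" attribute.
$TransformRules = @'
@RuleName = "UPN and job title from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory",
        types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "urn:example:claims:title"),
        query = ";userPrincipalName,title;{0}", param = c.Value);

@RuleName = "Rewrite a .local UPN suffix to .com"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
          Value = RegExReplace(c.Value, "[.]local$", ".com"));

@RuleName = "Role from job title"
c:[Type == "urn:example:claims:title"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = c.Value);

@RuleName = "Default role when the title attribute is not set"
NOT EXISTS([Type == "urn:example:claims:title"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "Employee");
'@

# Delegation Authorization: only one service account may act on behalf of users
$DelegationRules = @'
@RuleName = "Permit the portal service account to act as users"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
   Value == "CORP\\svc-portal"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName $RpName `
    -IssuanceAuthorizationRules   $AuthzRules `
    -IssuanceTransformRules       $TransformRules `
    -DelegationAuthorizationRules $DelegationRules

# Claims Provider Trust: the single Acceptance Transform rule set. Here an incoming group
# claim becomes a role claim: the claim type changes, the value is kept.
$AcceptRules = @'
@RuleName = "Incoming group becomes role"
c:[Type == "http://schemas.xmlsoap.org/claims/Group"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = c.Value);
'@
Set-AdfsClaimsProviderTrust -TargetName $CpName -AcceptanceTransformRules $AcceptRules
```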



ADFS test environment build tasks:
1. Create a test AD domain in AWS.
2. Join the ADFS servers to the test domain.
3. Request an SSL cert.
4. Configure ADFS with the SSL cert and a self-signed cert.
5. Configure the external web proxy.
6. Set up internal and external DNS.
7. Create an ELB in AWS, open the ports.
8. Create an AD trust between the on-prem test AD and the AWS test AD.
9. Install AAD and configure AAD with the O365 test tenant.
10. Configure Azure monitoring.
11. ADFS login home page customization.
12. Open ports 80, 443, 49443 between the ADFS federation server and the proxy in the DMZ.

Migrate the O365 RP connection to 2016 ADFS from 2012:
1. Log on to the ADFS 2016 front end server.
2. Open Windows PowerShell as Administrator.
3. Connect-MsolService
4. Get-MsolDomain
 a. Gather the list of federated domains from the old ADFS server.
5. Set-MsolADFSContext -Computer <Name of the new ADFS 2016 server>
6. Update the O365 relying party trust with the new ADFS farm.
 Command: Update-MsolFederatedDomain -DomainName "Domain.com" -SupportMultipleDomain -Confirm
 Execute Update-MsolFederatedDomain.
7. Get-MsolDomain
8. It may take 30 minutes for the change to take effect.
 a. Sign in to O365.
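Steps 3 to 7 above as one script, with the check the list leaves implicit: that every federated domain now points at the 2016 farm and trusts its current token-signing certificate, which is what to confirm before the O365 sign-in test in step 8. Added example, not the notes' own command list; it runs on the new ADFS 2016 server, and the server and farm names are placeholders.

```powershell
# Added example (not from the notes). Server and farm names are placeholders.
Import-Module MSOnline
Import-Module ADFS
$NewAdfsServer = 'adfs2016-01.corp.example'   # placeholder: primary server of the new farm
$FarmName      = 'adfs.corp.example'          # placeholder: federation service name

Connect-MsolService                                               # step 3
# step 4/4a: the federated domains (Managed ones are left alone)
$federated = @(Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' })
"Federated domains: $($federated.Name -join ', ')"

Set-MsolADFSContext -Computer $NewAdfsServer                      # step 5

foreach ($d in $federated) {                                      # step 6
    # Rewrites the O365 relying party trust on the new farm and repoints the domain at it
    Update-MsolFederatedDomain -DomainName $d.Name -SupportMultipleDomain -Confirm:$false
}

function Test-FederationTarget {
    param([Parameter(Mandatory)] [string[]] $Domains, [Parameter(Mandatory)] [string] $FarmName)
    # The certificate O365 should now trust: the new farm's primary token-signing certificate
    $primary    = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
    $primaryB64 = [Convert]::ToBase64String($primary.Certificate.RawData)
    foreach ($name in $Domains) {
        $fs = Get-MsolDomainFederationSettings -DomainName $name   # step 7, with the detail that matters
        [pscustomobject]@{
            Domain          = $name
            IssuerUri       = $fs.IssuerUri
            PassiveLogOnUri = $fs.PassiveLogOnUri
            OnNewFarm       = $fs.PassiveLogOnUri -like "https://$FarmName/*"
            SigningCertOk   = $fs.SigningCertificate -eq $primaryB64
        }
    }
}

# Step 8: the change can take up to 30 minutes; re-run until every row shows True in both columns
Test-FederationTarget -Domains $federated.Name -FarmName $FarmName | Format-Table -AutoSize
```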

O365 SSO connectivity check:


Info:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-azure-ad-trust
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs

Metadata URL (replace 'server' with the identity provider):
https://server/FederationMetadata/2007-06/FederationMetadata.xml
https://adfsfarmname/FederationMetadata/2007-06/FederationMetadata.xml
Login URL:
https://adfsfarmname/adfs/ls/idpinitiatedsignon.aspx
Issuer URL [IdP entity ID], the Federation Service identifier:
http://adfsfarmname/adfs/services/trust
[SSO service URL]
https://adfsfarmname/adfs/ls


User account lockout shows the ADFS server in the Event Viewer of the AD DC:
Log in to the ADFS server, open Event Viewer and check at the timestamp when the lockout was reported on the AD DC. You will find two events, 4625 and 411, with the user's email address. 411 has the IP details (the actual device where the lockout originated).

ADFS event viewer:
When you upgrade to ADFS 3.0 you can set the lockout threshold on ADFS before the AD lockout threshold is reached. This will stop the malicious or bad logins from having ADFS lock out the account on the local network.
Also in ADFS 3.0 you can see the true client IP (the attempted IP): filter your ADFS logs for all 411 event IDs for the originating IP. In the event, IP1 is the client IP, IP2 is Microsoft's O365 IP, IP3 is your ADFS server.

Found on Spiceworks: https://community.spiceworks.com/topic/673038-continuous-account-lockouts-from-adfs?utm_source=copy_paste&utm_campaign=growth
https://blogs.technet.microsoft.com/pie/2016/02/02/ad-fun-services-track-down-the-source-of-adfs-lockouts/
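Pulling the event 411 entries for one user around the lockout time the DC reported and listing the IP addresses in them, read as the notes describe (first IP the client, second Microsoft's O365 address, third the ADFS server itself). Added example, not from the notes or the Spiceworks thread; the log name is the AD FS 3.0 (2012 R2) admin log, and the user and time are constructed.

```powershell
# Added example (not from the notes). Log name is the AD FS 3.0 admin log; user/time are constructed.
function Get-AdfsLockoutSources {
    param(
        [Parameter(Mandatory)] [string]   $UserPrincipalName,
        [Parameter(Mandatory)] [datetime] $LockoutTime,       # timestamp from the DC's lockout event
        [int]    $WindowMinutes = 15,
        [string] $AdfsServer    = $env:COMPUTERNAME
    )
    $filter = @{
        LogName   = 'AD FS/Admin'
        Id        = 411
        StartTime = $LockoutTime.AddMinutes(-$WindowMinutes)
        EndTime   = $LockoutTime.AddMinutes($WindowMinutes)
    }
    $ipv4 = '\b(?:\d{1,3}\.){3}\d{1,3}\b'
    Get-WinEvent -ComputerName $AdfsServer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($UserPrincipalName) } |
        ForEach-Object {
            $ips = @([regex]::Matches($_.Message, $ipv4) | ForEach-Object Value | Select-Object -Unique)
            [pscustomobject]@{
                Time     = $_.TimeCreated
                User     = $UserPrincipalName
                ClientIp = $ips | Select-Object -First 1             # IP1: the device causing the lockout
                OtherIps = ($ips | Select-Object -Skip 1) -join ', '  # IP2 (O365), IP3 (this ADFS server)
            }
        }
}

# Which client addresses keep failing for this account (constructed user and time)
Get-AdfsLockoutSources -UserPrincipalName 'jane.doe@corp.example' -LockoutTime '2019-05-07 09:12:00' |
    Group-Object ClientIp | Sort-Object Count -Descending | Select-Object Count, Name
```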

Azure portal health report for ADFS farm:

• Azure AD Connect Health for AD FS



SSO issues: AWS integrated with ADFS, and one day unable to access AWS accounts. Reason: the ADFS cert got renewed and the metadata was yet to be updated at the AWS end.

1. Token Signing Certificate and Token Decryption: self-signed certificate auto enrollment has been enabled on AD FS.
2. 20 days before expiry the new certificate is generated and automatically enrolled into ADFS.
3. During enrollment the old certificate is Primary and the new certificate is Secondary.
4. After that the new certificate turns Primary and the old certificate turns Secondary.
5. Unable to log in to the AWS application because the metadata was not updated on AWS.
6. Download the new metadata from the link below as an XML file (use Chrome to download: enter the URL in the address bar and press Enter, it will download).
 Link: https://adfsfarmname/FederationMetadata/2007-06/FederationMetadata.xml
7. Log in to the AWS web console with admin access.
8. Upload the new metadata file.
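To catch this before sign-in breaks: on the ADFS server, list the token-signing and token-decrypting certificates with their primary/secondary state and when AutoCertificateRollover will generate and promote the next one, and check which certificates the published metadata currently carries. Added example, not from the notes; the farm name is a placeholder and the ADFS module is assumed.

```powershell
# Added example (not from the notes). Farm name is a placeholder; assumes the ADFS module.
Import-Module ADFS

function Get-TokenCertRolloverStatus {
    $p   = Get-AdfsProperties
    $now = Get-Date
    foreach ($type in 'Token-Signing', 'Token-Decrypting') {
        foreach ($c in Get-AdfsCertificate -CertificateType $type) {
            $daysLeft = [int] ($c.Certificate.NotAfter - $now).TotalDays
            [pscustomobject]@{
                Type         = $type
                IsPrimary    = $c.IsPrimary
                Thumbprint   = $c.Thumbprint
                NotAfter     = $c.Certificate.NotAfter
                DaysLeft     = $daysLeft
                AutoRollover = $p.AutoCertificateRollover
                # a new secondary appears this many days from now (20 before expiry by default)...
                NewCertIn    = $daysLeft - $p.CertificateGenerationThreshold
                # ...and becomes primary this many days from now; every relying party (AWS here)
                # must have the refreshed metadata before that day or sign-in breaks
                PromotionIn  = $daysLeft - $p.CertificatePromotionThreshold
            }
        }
    }
}

function Get-PublishedMetadataCerts {
    param([Parameter(Mandatory)] [string] $FarmName)
    $url = "https://$FarmName/FederationMetadata/2007-06/FederationMetadata.xml"
    $xml = [xml] (Invoke-WebRequest -Uri $url -UseBasicParsing).Content
    # every X509Certificate element in the metadata (signing, encryption, metadata signature)
    $published = foreach ($node in $xml.GetElementsByTagName('X509Certificate')) {
        $bytes = [Convert]::FromBase64String($node.InnerText)
        (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(, $bytes)).Thumbprint
    }
    $published = @($published | Sort-Object -Unique)
    $local = @(Get-AdfsCertificate | Where-Object { $_.CertificateType -in 'Token-Signing', 'Token-Decrypting' })
    [pscustomobject]@{
        MetadataUrl          = $url
        PublishedThumbprints = $published
        # a token certificate not in the metadata is one relying parties cannot learn about
        MissingFromMetadata  = @($local | Where-Object { $_.Thumbprint -notin $published }).Thumbprint
    }
}

Get-TokenCertRolloverStatus | Format-Table -AutoSize
Get-PublishedMetadataCerts -FarmName 'adfs.corp.example'   # placeholder farm name
```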

Other info:-

Claims generator at the following link, to create the necessary claims for your ADFS:
https://adfshelp.microsoft.com/AadTrustClaims/ClaimsGenerator

Active Directory Federation Services | Microsoft Docs
https://docs.microsoft.com/en-us/windows-server/identity/active-directory-federation-services

You can also access the below link, ADFSHelp helps you create the correct claim rules:
https://adfshelp.microsoft.com/AadTrustClaims/GenerateClaims

To get the details of a relying party trust (clip copies the result to the clipboard):
Get-AdfsRelyingPartyTrust -Name "xxxxxx" | clip


Relying party trust

Add issuance transform claim rule
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-rule-to-transform-an-incoming-claim