Active Directory depends upon DNS. If DNS fails, so does Active Directory. This, in turn, means that if DNS fails, your entire network may be disabled. Many of the functions and features of AD use DNS to locate domain controllers, systems, services, clients, and other objects. It should be obvious that protecting DNS is almost as important as protecting AD itself.
But some of you may not be fully convinced that the cost in dollars, time, and effort to protect DNS is as warranted as that to protect AD. So, consider the following...
Active Directory and DNS work in a distributed environment. Multiple servers host these services and their ability to interact with each other and the rest of the network allows them to provide the essential services of the network (i.e. directory services and name resolution). This eliminates single points of failure, provides for efficient operation through shared resources, and can be designed to mimic the organizational hierarchy of the company.
However, distributed environments offer attackers or even misguided users numerous methods of interfering with normal operations:
- Communications between DNS servers may be corrupted
- Communications between DNS servers may be blocked
- DNS databases may become corrupted
- DNS databases may be intentionally poisoned with false data
- DNS servers may be disabled or shut down
- DNS servers may be the target of a DoS attack
- Physical connections to DNS servers may be damaged
If any of these types of attacks or unwanted occurrences are imposed on a network, they may cause clients and DCs to communicate with unauthorized DNS servers or DCs, or simply prevent clients and DCs from locating and communicating with each other.
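The DC locator records are the concrete place where this dependency shows up, so a defender can check them directly. The following PowerShell script is an added example, not part of the original tip: it queries a DNS server for the SRV records that AD clients use to find domain controllers, confirms each target resolves, and flags any target that is not on your expected DC list (a sign of a stale, corrupted, or poisoned record). The domain name, DNS server address, and expected DC names are placeholders you replace with your own.

```powershell
# Added example (not from the original tip): verify the AD DC locator SRV
# records that clients and DCs depend on resolve to the DCs you expect.
# Assumptions: $Domain, $DnsServer and $ExpectedDCs are placeholders.
param(
    [string]$Domain        = 'corp.example',                             # placeholder
    [string]$DnsServer     = '10.0.0.10',                                # placeholder: DNS server under test
    [string[]]$ExpectedDCs = @('dc1.corp.example', 'dc2.corp.example')  # placeholder
)

# Locator records registered by the Netlogon service; if these are missing
# or wrong, clients cannot find a DC for logon, LDAP, Kerberos or replication.
$records = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.pdc._msdcs.$Domain"
)

$problems = @()
foreach ($name in $records) {
    try {
        $srv = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    } catch {
        $problems += "MISSING     $name ($($_.Exception.Message))"
        continue
    }
    foreach ($r in $srv) {
        $target = $r.NameTarget.TrimEnd('.')
        # A target outside the expected list means clients would be directed
        # to a host you do not control: investigate before trusting it.
        if ($ExpectedDCs -notcontains $target) {
            $problems += "UNEXPECTED  $name -> $target"
        }
        # The SRV target must itself resolve, or the locator still fails.
        $a = Resolve-DnsName -Name $target -Type A -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue
        if (-not $a) { $problems += "NO-A-RECORD $name -> $target" }
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "DC locator records on $DnsServer are consistent with the expected DC list."
```

Run it against each DNS server that hosts the AD zones, not just the one a given client happens to use, since the failure modes listed above can affect one server while the others remain healthy.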
Providing protection for DNS as a means to provide additional protection for AD DCs is an essential part of establishing a truly secure networking environment. In later tips I'll discuss some of the techniques you can employ to improve DNS security and reliability.
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.
This was first published in July 2004