CNIT 40 Proj 5: Disabling Dynamic DNS Updates (15 pts.)

What You Need for This Project

Purpose

Examine a Windows DNS server to see how it leaks information about your network with reverse DNS lookups for private addresses, and disable this "feature".

Start Your DNS Server

Start VMware Player and run the Windows server you prepared previously.

Configuring a DNS Suffix

On Windows Server 2008, click Start, right-click Computer, and click Properties.

On Windows Server 2016, click the yellow File Explorer button at the bottom of the desktop, and in the File Explorer window, right-click "This PC", and click Properties.

In the System box, on the left side, click "Advanced system settings".

In the "System Properties" box, click the "Computer Name" tab.

Click the Change... button.

Click the More... button.

In the "Primary DNS suffix of this computer" box, type

YOURNAME.local
replacing "YOURNAME" with your own name (without any spaces), as shown below.

Click OK, OK, OK, Close.

Click "Restart Now".

When your server restarts, log in again.

Testing your DNS Server

In a Command Prompt, execute the following command:
nslookup hills.ccsf.edu 127.0.0.1
This looks up the A record for hills.ccsf.edu using your server.

You should see non-authoritative answers from the google-public-dns server, as shown below.

Start Wireshark

If Wireshark is not already installed, get it here:

http://www.wireshark.org/download.html

Start Wireshark. On the left side, click your Internet-facing adapter. Click Start.

In the "Filter" bar, type dns and press Enter.

Forcing a DNS Registration

By default, Windows automatically registers its IP address with a DNS server every time that address changes. In networks using DHCP, this will happen on every restart.

We'll force an update with the ipconfig command to see how it works.

In a Command Prompt, execute the following command:

ipconfig /registerdns

Wireshark should show reverse DNS queries ending in "in-addr.arpa", as shown below.

Troubleshooting

If you don't see the required DNS packets, check the "Use this connection's DNS suffix in DNS registration" box, as shown below.

Then disable and re-enable the network adapter.

Saving a Screen Image

Make sure Wireshark shows one of these things:

Click the taskbar at the bottom of your host computer's desktop, to make the host machine listen to the keyboard, instead of the virtual machine.

Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-DESKTOP IMAGE FOR FULL CREDIT!

On the host machine, not the virtual machine, click Start.

Type mspaint into the Search box and press the Enter key.

Click in the untitled - Paint window, and press Ctrl+V on the keyboard. The desktop appears in the Paint window.

In the upper left corner of the "untitled - Paint" window, click the little blue square icon (it looks like a floppy disk, something people used to use long ago--you might never have seen one).

Save the image with the filename "YOUR NAME Proj 5a", replacing "YOUR NAME" with your real name.

Understanding these Packets

These packets are notorious. Windows is asking the IN-ADDR.ARPA authoritative servers what DNS name is assigned to a private address--in my case, 192.168.119.191 (only the first three octets appear in the query, in reverse order, as 119.168.192.in-addr.arpa).

There is no sense in that--private addresses aren't tied to any specific computer, and Windows has no reason to ask external servers that question.

But this has been default Windows behavior for more than a decade, and it creates real problems: a large amount of worthless traffic at the in-addr.arpa servers, and a leak of internal private-address information out of companies and home networks.

It's such a large problem that RFC 6304 established AS112, with these two anycast clouds, just to handle them:

BLACKHOLE-1.IANA.ORG (192.175.48.6) and BLACKHOLE-2.IANA.ORG (192.175.48.42)
Click the image below for more information:

There are two recommended fixes for this behavior: turning off Dynamic DNS, and configuring a local DNS server to be authoritative over the private address range.

In this project, we'll do the first one: turning off Dynamic DNS.
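To make the leak concrete, here is an added PowerShell example (not part of the original project) that takes reverse-lookup query names such as the one above, as Wireshark's dns.qry.name column shows them, and flags the ones that fall in RFC 1918 private space. The sample names are constructed; the first one is the 192.168.119.0/24 query from the text.

```powershell
# Added example: flag in-addr.arpa query names that belong to RFC 1918 space,
# i.e. the queries ipconfig /registerdns sends to the public ARPA servers.
function Test-PrivateReverseName {
    param([Parameter(Mandatory)][string]$Name)
    # Windows asks for the zone, so 1 to 4 reversed octets may appear,
    # e.g. "119.168.192.in-addr.arpa" for 192.168.119.0/24.
    if (-not ($Name -match '^((?:\d{1,3}\.){1,4})in-addr\.arpa\.?$')) {
        return $false                       # forward name or not reverse space
    }
    $octets = $Matches[1].TrimEnd('.').Split('.')
    [array]::Reverse($octets)               # back to normal network order
    $o = [int[]]$octets
    # RFC 1918: 10/8, 172.16/12, 192.168/16.
    # 10.x is decidable from one octet; 172 and 192 need the second octet.
    if ($o[0] -eq 10) { return $true }
    if ($o.Count -lt 2) { return $false }
    if ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) { return $true }
    if ($o[0] -eq 192 -and $o[1] -eq 168) { return $true }
    return $false
}

# Constructed sample of query names, as a Wireshark "dns" filter would list them.
$sample = @(
    '119.168.192.in-addr.arpa',   # 192.168.119.0/24 -> private, leaks
    '20.172.in-addr.arpa',        # 172.20.0.0/16    -> private, leaks
    '10.in-addr.arpa',            # 10.0.0.0/8       -> private, leaks
    '6.48.175.192.in-addr.arpa',  # 192.175.48.6     -> public, fine
    'hills.ccsf.edu'              # forward lookup   -> ignored
)
foreach ($q in $sample) {
    if (Test-PrivateReverseName $q) { "LEAK  $q" } else { "ok    $q" }
}
```

Fed the names from a real capture (for example, a tshark export of dns.qry.name), any "LEAK" line is a host that still has dynamic registration turned on.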

Disabling Dynamic DNS

Click Start and type CONNECT.

In Server 2008, right-click Network. Click Properties. Network and Sharing Center opens. On the left side, click "Manage network connections".

In Server 2016, click the yellow File Explorer button at the bottom of the desktop, and in the File Explorer window, right-click Network. Click Properties. Network and Sharing Center opens. On the left side, click "Change adapter settings".

In the "Network Connections" window, right-click the "Local Area Connection" icon and click Properties.

In the "Local Area Connection Properties" box, double-click "Internet Protocol Version 4 (TCP/IPv4)".

In the "Internet Protocol Version 4 (TCP/IPv4) Properties" box, click the Advanced... button.

In the "Advanced TCP/IP Settings" box, click the DNS tab.

At the bottom of this box, clear the "Register this connection's addresses in DNS" checkbox, as shown below.

In the "Advanced TCP/IP Settings" box, click OK.

In the "Internet Protocol Version 4 (TCP/IPv4) Properties" box, click OK.

In the "Local Area Connection Properties" box, click OK.

Checking the DNS Status

In a Command Prompt, execute the following command:

NETSH INTERFACE IP SHOW DNS
The "Local Area Connection" should now show the message "Register with which suffix: None", as shown below.
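The same change and the same check, done from an elevated command prompt or PowerShell window instead of the GUI. This is an added example, not part of the original project; it assumes the adapter is named "Local Area Connection" as in the project (change $Adapter to whatever "netsh interface ip show dns" lists) and that the DNS servers come from DHCP.

```powershell
# Added example: disable dynamic DNS registration with netsh (works on
# Server 2008 and 2016 alike) and verify it the way the project does.
$Adapter = 'Local Area Connection'   # assumption: adapter name from the project

# Before: shows the current "Register with which suffix" value.
netsh interface ip show dns name="$Adapter"

# source=dhcp keeps the DHCP-assigned DNS servers; register=none is the
# same as clearing "Register this connection's addresses in DNS".
# If your DNS servers are set by hand, use source=static address=<server>
# instead, or source=dhcp will replace them with DHCP-supplied ones.
netsh interface ip set dns name="$Adapter" source=dhcp register=none

# Server 2012 and later also expose the setting through the DnsClient module:
# Set-DnsClient -InterfaceAlias $Adapter -RegisterThisConnectionsAddress $false

# After: should now read "Register with which suffix: None".
netsh interface ip show dns name="$Adapter"

# Re-run the registration with Wireshark filtering on "dns": no more
# in-addr.arpa queries should appear for the adapter.
ipconfig /registerdns
```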

Saving a Screen Image

Make sure the "Register with which suffix: None" message is visible, as shown above.

Click the taskbar at the bottom of your host computer's desktop, to make the host machine listen to the keyboard, instead of the virtual machine.

Capture a whole-desktop image and save it with the filename "YOUR NAME Proj 5b", replacing "YOUR NAME" with your real name.

Testing Dynamic DNS Again

In Wireshark, click Capture, Restart.

In a Command Prompt, execute the following command:

ipconfig /registerdns

You may see some DNS queries checking the name ending in .local, as shown below, but there are no more of those silly queries to in-addr.arpa.

Turning In Your Project

Email the image to me as an attachment to an e-mail message. Send it to: cnit.40@gmail.com with a subject line of "Proj 5 From YOUR NAME", replacing "YOUR NAME" with your real name.

Send a Cc to yourself.

Sources

Understanding Dynamic Update (Technet)

How to Disable Dynamic DNS Updates on Windows Systems (caida)

AS112 Nameserver Operations

http://www.iana.org/abuse/answers


Windows Server 2016 instructions added 10-18-16