1. Introduction
Nowadays information is much easier to find than it was in the past, you can find information about pretty much everything by just searching on the web (try http://www.letmebingthatforyou.com/?q=dns%20atacck for example). For this reason it is even more important to be diligent while protecting your company’s data by avoiding data leakage and data enumeration.
One of the pre-attack phases is exactly the enumeration of data for the target system (or company), during this phase the attacker will try to gather as much information as possible about the target, going from the basic stuff that it can find about the target on the company’s web site to a more detail data enumeration using tools and techniques. One of the steps for data enumeration is query the target DNS system in order to obtain more information about hosts and IPs. This process can start by simply using the nslookup command. Assuming a successfully query, the attacker can try to transfer all the information for that domain by attempting a zone transfer operation. This post will explain how to configure your DNS Publishing rule on TMG to avoid zone transfer.
2. What you want to avoid?
The scenario that I described above is an unfortunate common scenario, many times because the system administrator forgot to securely configure the DNS Server on the internal network to not allow zone transfer for all systems. Here an example of a DNS that is wide open for zone transfer:
When this configuration is place the following result will happen if the client tries to transfer a zone using nslookup:
Microsoft Windows [Version 6.0.6002] Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\>nslookup Default Server: mysrv Address: 192.168.1.10 > server 192.168.1.154 Default Server: TMGFW Address: 192.168.1.154
> set q=all
> contoso.com
Server: TMGFW Address: 192.168.1.154 contoso.com internet address = 10.20.20.10 contoso.com nameserver = dc01.contoso.com contoso.com primary name server = dc01.contoso.com responsible mail addr = hostmaster.contoso.com serial = 494 refresh = 900 (15 mins) retry = 600 (10 mins) expire = 86400 (1 day) default TTL = 3600 (1 hour) dc01.contoso.com internet address = 10.20.20.10
> ls -d contoso.com
[TMGFW.home] contoso.com. SOA dc01.contoso.com hostmaster.contoso.com. (494 900 600 86400 3600) contoso.com. A 10.20.20.10 contoso.com. NS dc01.contoso.com _msdcs NS dc01.contoso.com _gc._tcp.Default-First-Site-Name._sites SRV priority=0, weight=100, port=3268, dc01.contoso.com _kerberos._tcp.Default-First-Site-Name._sites SRV priority=0, weight=100, port=88, dc01.contoso.com _ldap._tcp.Default-First-Site-Name._sites SRV priority=0, weight=100, port=389, dc01.contoso.com _gc._tcp SRV priority=0, weight=100, port=3268, dc01.contoso.com _kerberos._tcp SRV priority=0, weight=100, port=88, dc01.contoso.com _kpasswd._tcp SRV priority=0, weight=100, port=464, dc01.contoso.com _ldap._tcp SRV priority=0, weight=100, port=389, dc01.contoso.com _kerberos._udp SRV priority=0, weight=100, port=88, dc01.contoso.com _kpasswd._udp SRV priority=0, weight=100, port=464, dc01.contoso.com casrv A 10.20.20.9 dc01 A 10.20.20.10 DomainDnsZones A 10.20.20.10 _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones SRV priority=0, weight=100, port=389, dc01.contoso.com _ldap._tcp.DomainDnsZones SRV priority=0, weight=100, port=389, dc01.contoso.com EXSRV A 10.20.20.11 farm CNAME exsrv.contoso.com ForestDnsZones A 10.20.20.10 _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones SRV priority=0, weight=100, port=389, dc01.contoso.com _ldap._tcp.ForestDnsZones SRV priority=0, weight=100, port=389, dc01.contoso.com TMGFW A 10.20.20.1 TMGSTD A 10.20.20.31 UAG10 A 10.20.20.12 UAG11 A 10.20.20.13 WKSVista A 10.20.20.152 contoso.com. SOA dc01.contoso.com hostmaster.contoso.com. (494 900 600 86400 3600)
Well, this is not nice at all…here it is my whole internal domain zone exposed to all Internet users just because the system administrator forgot to disable one checkbox.
3. Protecting Internal Resources
If system administrator didn’t do his homework, you as firewall admin MUST do it ASAP. However it is very important to emphasize that this band aid solution on the perimeter shouldn’t be the main one, we always need to fix the root cause of the problem, which in this case is to securely configure the DNS Server. The fact that you are protecting the DNS Publishing on your perimeter is just a countermeasure to avoid a potential attempt to transfer the internal DNS zone to an external (non trusted) resource.
The DNS Filter on TMG is enabled by default as shown below:
This filter has the following capabilities pre-configured by default:
As zone transfer can or cannot be a legitimate type of access the parameter DNS_Zone_Transfer is set to 0 by default. In other words: if you want to allow zone transfer you should leave this parameter as is. The recommendation is to make sure to allow zone transfer only to trusted DNS servers, which means that you should configure your DNZ zone to allow transfer only for the server’s IPs that you trust. If all the servers that you trust are behind TMG (on the internal network) then you can safely block zone transfer attempts from traffic coming from the external (Internet) network. To do that you need to run the following script:
Set root = CreateObject("FPC.Root") Set isaArray = root.GetContainingArray() Set attackDetection = isaArray.ArrayPolicy.AttackDetection Set dnsFilter = isaArray.Extensions.ApplicationFilters.Item("{49FE2B2F-3BB4-495C-87C8-3890C3C35756}")
dnsFilter.Enabled = True Set vpSets = dnsFilter.VendorParametersSets
On Error Resume Next vpSets.Add "{D96C5E7F-5B13-4E1A-94A1-36CA7B54604E}", False, False On Error Goto 0 ' If a vendor parameters sets for DNS Filter already exists
vpSets.Item("{D96C5E7F-5B13-4E1A-94A1-36CA7B54604E}").Value("DNS_Zone_Transfer") = "1"
vpSets.Save
…OR you can also use the UI to make this change using the option below:
Note: if you run the script while the console is open and you try to see if this option is enabled on the UI, the option might still be disabled. To refresh it, close TMG console and open it again.
After running this script (or changing it on the UI), make sure to restart Firewall Service and then try again to run the nslookup ls command from an external computer. The expected result is shown below:
[TMGFW]
*** Can't list domain contoso.com: Unspecified error
The DNS server refused to transfer the zone contoso.com to your computer. If this is incorrect, check the zone transfer security settings for contoso.com on the DNS server at IP address 192.168.1.154.
Now this for sure is a better result for an external user to get it.
TMG installation problems can be a bit trick to troubleshooting if you don’t know which components are involved, however if you know then things start make more sense. Most of the setup problems that I faced up to now on TMG 2010 (since RTM) were related to ADLDS or some kind of domain connectivity problem. The most two recent examples are described on two articles that I tech reviewed from my friends Bala Natarajan and Niladri Dasgupta wrote:
Last week I worked on an issue where TMG admin was not able to install this brand new TMG to be used as Edge Firewall. The error message that he was receiving was:
After this error the setup process rolled back and finish without completing the installation. As recommended on the previous two articles mentioned in this post, the first step is to review the setup logs and look for more information in order to move the troubleshooting further. In the ADAM Log file we can see the following entry:
When you see an error where trust relationship between client and domain is failing, be sure to do your homework, in other words, check:
When I hit the third test I found out the problem:
This was the problem, because Windows (where I was trying to install TMG) was sending the traffic to the wrong interface. Once we moved the Internal to the top, flushdns (with ipconfig) and ran the setup again the issue went away and the installation finished successfully.
Note: same recommendation to have Internal on the top applies to UAG, check it out a great reference on that written by Jason Jones at http://blog.msedge.org.uk/2010/04/recommended-network-card-configuration_14.html
Slow browsing experience is a behavior that can happen for so many reasons that cover everything in one single article is just not feasible, mainly when the list still growing. Here are some posts/articles that I wrote on this matter:
The list is growing because recently, troubleshooting another issue of this nature today I learned another cool thing: disabled adapters matters. What I mean with this is that if you have multiple adapters on your ISA/TMG and if some of the adapters are not in use and are disabled, this can still affect the performance of the system. How? According to the binding order. Remember that I talked about binding order here some time ago? The DNS best practice analyzer pointed me to the right direction on this, here what he said about disabled adapters on the top of the binding order:
Issue
Valid network interfaces should precede invalid interfaces in the binding order. A disabled or invalid adapter precedes a valid adapter in the network interface binding order list.
Impact
The binding order determines when network interfaces will be used to make network connections by the computer. A disabled adapter high in the binding order can degrade performance.
Resolution
Move all disabled and invalid interfaces to the bottom of the binding order list.
Keep this caveat in mind during your ISA/TMG performance health check analyzes.