Microsoft Azure AZ-800 — Section 14: Implement on-premises and hybrid name resolution Part 3
112. Integrate Windows Server DNS with Azure DNS private zones
When it comes to Azure and DNS: if you set up a VPN gateway or ExpressRoute connecting your on-premises environment to the cloud, then Azure has the ability to communicate with your on-premises DNS, and your on-premises DNS has the ability to communicate with Azure. Azure can also manage DNS for you if you want. You can go to the menu button, All services, on portal.azure.com, and if you search for DNS you'll notice there are two options. You have the ability to host a public DNS namespace. That is an external-facing DNS, meaning people from the outside world can query your DNS zone. If you create a DNS zone for that, you have to use a zone name that's valid. If I click Create, I can specify a resource group (I'll just put VM Test in there) and then I have to specify a name for it.
So, for example, examlabpractice.com, which I own: I can register that name and host it through Azure DNS.
So, in my case, if you wanted to get a name like that, you could go out and purchase one through somebody like GoDaddy.
OK. I'm already hosting this name, so I'm going to put a slightly different .com name in there just to create it. It asks whether this zone is a child of an existing zone already hosted in Azure DNS. It's not a child of an existing zone, so that's a no.
So we're going to click Review + create, and we're going to pretend that I've purchased this name or I'm going to purchase it.
It'll let me add this name even if I don't own it yet. But what I could do is go to somebody like GoDaddy or Network Solutions and buy that name. Then, on GoDaddy or whoever you buy the name from, you tell them to point to these name servers. At that point Azure is hosting the DNS for you, and you can create records, what's called a record set, right here. You can create records just like you can with on-premises DNS.
Now this is a public-facing database, which basically means that people from the internet can hit it. But you can create private DNS databases if you want, which your virtual machines can use as a private DNS name.
So I can click the menu, go to All services, type DNS again, click Private DNS zones and create a private DNS zone. This means that this zone database cannot be hit from the internet.
Now, if you connect your on-premises servers to Azure, again through a VPN gateway or ExpressRoute, they would be able to communicate with it.
So would your virtual machines.
So I go there, start in VM Test, and I'll call this examlabpractice.internal. It's an internal name; you could put .com on the end of it, but let's face it, .com is there for the outside world and internally it doesn't really matter. You can put any extension you want in there.
OK, I could put .jesse in there if I wanted, for John Christopher. From there, I click Review + create, and I can create this internal name. By creating this internal name, it's now associated with your Azure services, and your virtual machines internally can now query for this DNS namespace.
So again, this is not a public-facing DNS namespace like the other one. This is purely for private use, and you're just going to allow any virtual machines and so on to communicate with it. And don't forget, your on-premises environment can also communicate with it, as long as on-premises is connected either through a VPN gateway or through ExpressRoute.
So one way or the other, it's got to be connected.
So when these get added, if I go to my resource group, here is my VM Test resource group. This is where I've added it, and it shows up as a resource. There's the public one I created, and the private one hasn't shown up yet, but it will eventually show up in this list as well. I have to refresh my browser a couple of times, but eventually it'll show up. It goes back to the first rule of working with Azure: you've got to be patient, right? Things don't always happen super fast. But once the name has appeared, just like this public name you see here, I'm able to go in and create records inside that DNS zone. I can also go to All services and find it that way without having to wait: Private DNS zones, and you can see it right here. So I'll go into that, and at that point I can create records if I want, including things like a www record, and I could put in the IP address of, say, one of my web servers, and you'd be able to query for that name. All right.
So Azure DNS is very easy to use. I encourage you to jump in and play around with it a little bit and get some experience with it. It's very easy to use, very friendly and not too complicated.
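Here is the same pair of zones built from PowerShell instead of the portal, plus the piece the portal walkthrough leaves out: the conditional forwarder on the on-premises Windows DNS server that makes the private zone resolvable from the office. This is an added example, not part of the course material. It assumes Connect-AzAccount has already run, a resource group named VMtest, a VNet named vnet-hub containing a DNS forwarder VM at 10.0.0.4 (placeholder) that forwards to Azure's resolver, and that steps 3 and 4 are run on NYC-DC1 over the VPN or ExpressRoute link.

```powershell
# Added example (not the course's script). Steps 1-2 run wherever Az is installed,
# steps 3-4 on the on-premises DNS server (NYC-DC1).
# Placeholders: VNet "vnet-hub", forwarder VM 10.0.0.4, web server 10.0.0.20.
Import-Module Az.Dns, Az.PrivateDns, Az.Network

$rg = 'VMtest'

# 1. Public zone: anyone on the internet can query it once the registrar
#    (GoDaddy, Network Solutions, ...) is pointed at the name servers Azure assigns.
$pub = New-AzDnsZone -Name 'examlabpractice.com' -ResourceGroupName $rg
$pub.NameServers   # these four names go into the registrar's NS delegation

New-AzDnsRecordSet -Name 'www' -RecordType A -ZoneName $pub.Name `
    -ResourceGroupName $rg -Ttl 3600 `
    -DnsRecords (New-AzDnsRecordConfig -Ipv4Address '203.0.113.10')  # documentation range

# 2. Private zone: never reachable from the internet, only from VNets linked to it.
$priv = New-AzPrivateDnsZone -Name 'examlabpractice.internal' -ResourceGroupName $rg

$vnet = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg
New-AzPrivateDnsVirtualNetworkLink -ZoneName $priv.Name -ResourceGroupName $rg `
    -Name 'hub-link' -VirtualNetworkId $vnet.Id -EnableRegistration   # VMs auto-register

New-AzPrivateDnsRecordSet -Name 'www' -RecordType A -ZoneName $priv.Name `
    -ResourceGroupName $rg -Ttl 300 `
    -PrivateDnsRecords (New-AzPrivateDnsRecordConfig -Ipv4Address '10.0.0.20')

# 3. On NYC-DC1: forward only this namespace across the VPN/ExpressRoute link to a
#    forwarder VM inside the VNet. Azure's resolver 168.63.129.16 only answers
#    from inside Azure, so on-premises servers cannot point at it directly.
Add-DnsServerConditionalForwarderZone -Name 'examlabpractice.internal' `
    -MasterServers 10.0.0.4 -ReplicationScope Forest

# 4. Checks from on-premises: the private name resolves through the forwarder,
#    while a public resolver has no record of it (the second query should fail).
Resolve-DnsName -Name 'www.examlabpractice.internal' -Server 10.0.0.4
Resolve-DnsName -Name 'www.examlabpractice.internal' -Server 8.8.8.8 -ErrorAction SilentlyContinue
```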
113. Implement DNSSEC
I want to talk about a feature we've got with DNS called DNSSEC. I'm going to roll out the idea for you first, and then I'll show you how to implement it.
So DNSSEC is a feature you can enable that is going to try to prevent what's called a man-in-the-middle attack against DNS. But to understand what the problem is, let me draw the idea of a man-in-the-middle attack.
So here is a client machine and here is a DNS server.
OK? And of course, the client is going to be querying for information it needs to know, involving whatever it's looking for.
So basically, the client asks: who is, let's say, server1.examlabpractice.com? That's my domain, right? And ordinarily the server would just reply back with the actual IP address of it. Maybe the address is this address.
OK. The problem that you run into here, though, is when we have hackers.
OK, so let's draw a little hacker symbol here, my traditional goofy-looking devil-horn hacker.
OK. Devil tail, a mean look on his face, maybe some fangs. All right.
So there's my little hacker.
OK, now a man-in-the-middle attack is where a hacker is able to trick the client, which is of course this machine, into thinking the client is talking to the server, when in reality the client is talking to the hacker. The other part is that the hacker tricks the DNS server into thinking it's talking to the client.
So what ends up happening is that you've got a relay now, where whenever the client is trying to talk to the DNS server, everything the client says actually ends up going through the hacker.
So everything the client sends is relayed. Everything goes through the hacker.
So when the client sends the request for who is server1.examlabpractice.com, even if the hacker forwards it to the server, the server replies back with the correct address, which might be, let's say, 192.168.1.200. And let's say the hacker's IP address is 192.168.1.207.
OK, that's the hacker's address. But what happens is the hacker has maybe set up a fake server or a fake service running on his machine, a file service or something. So when he replies to the client on behalf of the DNS server, he puts in an address like 192.168.1.207. When he responds back to the client, he's responding with that wrong address.
So this is an example of a man-in-the-middle attack occurring against DNS.
So here's the way we get around this: we can implement a feature called DNSSEC.
OK, DNSSEC is going to create what are basically called zone keys.
Now these zone keys are little cryptographic keys that can create digital signatures.
Now, if you know anything about digital signatures on the internet, the idea of a signature is that it's a type of math, a type of cryptography, that gets placed on something, and it's based on the math of whatever data is being transmitted. If that data changes in any way, shape or form, then it breaks the math of what the signature would be.
So a signature is a piece of math that gets placed on data, and if the data ever gets changed, the person on the other end is going to know.
So, in this way, if you enable DNSSEC, the response that the DNS server gives will be a signed response.
OK. And that means the hacker cannot change anything. The response that goes back to the client absolutely must be a signed response.
OK, so my point is that the hacker would never be able to send this bad response to the client, because the client will only trust it if it's a signed response.
So that is how we get around this particular problem. All right, using DNSSEC, clients can be required to only utilize signed responses in a domain, and so the client would not trust the response if the hacker changed anything. That's how it's going to solve our problem. Let's hop over to our server and see how we can turn this on.
OK, so here I am on NYC-DC1 and I'm going to go into Server Manager. We're going to go to Tools and open up DNS. All right.
From there we'll expand Forward Lookup Zones and go to whichever database we want to turn this on for. I'm going to do this kind of dummy database that I created here.
So I'm going to right-click my demo DNS zone, a .com database, click DNSSEC and then Sign the Zone. At that point I can click Next. Most people just go with the default parameters. If you want to do some customizing you can, and customizing lets you choose things like the type of key. For example, you're going to be using what's called a key signing key (KSK). This is going to be a little key that's used to sign all the keys that'll be used for this zone.
So you'll notice it tells you that the KSK is an authentication key. It's basically an authentication key that signs other keys. They tell you that typically the private key corresponds to a KSK and it'll sign other keys that are generated for this database.
So this database is going to use multiple keys for signing things, and the KSK is sort of like the master key. From there you can choose the algorithm if you want; most people go with RSA/SHA-256. Then you use what's called a zone signing key (ZSK). They tell you that the zone signing key is an authentication key that corresponds to the private key used for signing the zone data itself.
OK, so they tell you that typically your zone signing keys will expire frequently, whereas the key signing key does not, so the ZSKs get changed out very frequently. The reason they get changed out frequently is that the longer a key is valid, the more likely a hacker could discover it and then be able to cheat the system. All right.
So at that point you choose the algorithm for that, which is usually going to be RSA/SHA-256 as well, and then you've got something called NSEC. NSEC is "next secure". This is so that when somebody queries the database and the database doesn't know the answer to what's being queried, it can respond with a signed "no" answer, basically a way to respond and say, hey, I don't know the answer to what you're asking, and sign that too. From there, it does what's called a trust anchor. OK, trust anchors. These are essentially what lets servers that validate this zone trust its keys, and keep trusting them when the zone does what are called key rollovers, which is changing the keys periodically. It's going to use itself as a trust anchor, and it'll automatically update the trust anchors when keys change, based on a standard called RFC 5011. You don't really have to memorize this stuff when you take the exam; they don't really get into memorizing all of this. But just to mention: if you want, you can enable the distribution of trust anchors for the zone and have this information stored in Active Directory, so it replicates to all the other domain controllers running this database.
So if I've got more than one DNS server with this database and I want all this to replicate, I can do this. OK, and then I've got some intervals here I can play around with: how frequently these things get polled for signatures, the time to live on the signature polling, and all of that. I'm not getting into all these intervals right now, but I'll click Next, Next, and then Finish. I've now officially signed the zone. If I refresh, you should see that all the records are now signed, and that is how I can implement DNSSEC. You can see a little lock symbol that shows up over it, which indicates that it is now signed.
So anybody querying this database from this point on is going to want to make sure that it has a signature. And that's how you implement DNSSEC.
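The same signing steps as the wizard, done with the DnsServer and DnsClient PowerShell modules, together with the checks the walkthrough does not show: confirming that RRSIG records exist, querying with the DNSSEC OK bit, and the client-side rule that actually makes clients refuse unvalidated answers. This is an added example, not the course's script. It assumes an elevated session on NYC-DC1, an existing AD-integrated primary zone named examlabpractice.com with an A record named server1, and that the final NRPT rule is applied on a domain-joined client (in production through Group Policy).

```powershell
# Added example, not the course's own script. Run elevated on NYC-DC1.
# Assumptions: "examlabpractice.com" is an existing AD-integrated primary zone
# with an A record named server1; the NRPT rule at the end is applied on a
# domain-joined client (normally pushed with Group Policy).
Import-Module DnsServer

$zone = 'examlabpractice.com'

# Equivalent of "DNSSEC > Sign the Zone" with the wizard's default parameters:
# RSA/SHA-256 key signing key (KSK) and zone signing key (ZSK), NSEC3,
# trust anchors distributed through Active Directory, RFC 5011 rollover.
Invoke-DnsServerZoneSign -ZoneName $zone -SignWithDefault -Force

# The "customize" path instead: add the keys yourself before signing, e.g. a
# 2048-bit KSK rolled every 755 days and a 1024-bit ZSK rolled every 90 days,
# then run Invoke-DnsServerZoneSign without -SignWithDefault.
#   Add-DnsServerSigningKey -ZoneName $zone -Type KeySigningKey -CryptoAlgorithm RsaSha256 `
#       -KeyLength 2048 -RolloverPeriod (New-TimeSpan -Days 755)
#   Add-DnsServerSigningKey -ZoneName $zone -Type ZoneSigningKey -CryptoAlgorithm RsaSha256 `
#       -KeyLength 1024 -RolloverPeriod (New-TimeSpan -Days 90)

# The two key roles the wizard describes: the long-lived KSK signs the DNSKEY
# set, the short-lived ZSK signs the zone data.
Get-DnsServerSigningKey -ZoneName $zone |
    Select-Object KeyType, CryptoAlgorithm, KeyLength, RolloverPeriod

# The NSEC ("next secure") and trust anchor pages of the wizard map to these
# settings: signed denial of existence, and DNSKEY trust anchors stored in AD so
# the other domain controllers hosting the zone keep validating across rollovers.
Set-DnsServerDnsSecZoneSetting -ZoneName $zone -DenialOfExistence NSec3 `
    -DistributeTrustAnchor DnsKey -EnableRfc5011KeyRollover $true
Get-DnsServerDnsSecZoneSetting -ZoneName $zone

# The lock icon in the console corresponds to RRSIG records covering each
# record set; if nothing comes back here, the zone is not actually signed.
Get-DnsServerResourceRecord -ZoneName $zone -RRType Rrsig | Select-Object -First 5

# Ask with the DNSSEC OK bit set: the answer now carries RRSIG data that a relay
# in the middle cannot reproduce without the private ZSK.
Resolve-DnsName -Name "server1.$zone" -Type A -Server localhost -DnssecOk

# On the client: require validated answers for this namespace, so an unsigned or
# altered response like the 192.168.1.207 example above is discarded.
Add-DnsClientNrptRule -Namespace ".$zone" -DnsSecEnabled -DnsSecValidationRequired
```

The NRPT rule is the part that turns "clients can be required to only use signed responses" into policy; without it a Windows client accepts whatever its resolver returns, signed or not.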