A small DNS experiment.

Mar 8, 2013 | Server administration, Technology, Uncategorized, Windows

I was bored for a minute and I thought to myself: wouldn’t it be cool to have DNS records that only administrators need hidden from the rest of the company? Of course, it is an add-on to the not-so-useful security-through-obscurity policy that a lot of companies develop, but it would be an interesting exercise nonetheless. So, I thought to myself, hey, Active Directory is integrated with DNS, so maybe if I set permissions on a test zone to limit access I’d be able to verify my theory that DNS addresses could be hidden from users based on their group membership.

So this is what I tried:

  1. Create a zone in DNS.
  2. Create a record in that zone.
  3. Set permissions on that zone and the record so that a test user doesn’t have access to it.
  4. Block inheritance so that permissions granted on the parent zone aren’t propagated to the new test zone.
  5. Open a command prompt with the credentials of the test user so that only the authorizations granted to that test user apply.
  6. Run nslookup.
  7. Select the server you want to query. Type

    server 123.123.123.56

    replacing the IP with the IP of your DNS server.

  8. Look up the address of the new A record located within your test zone:

    blah.blah.local

That’s about it. I proved to myself that when your client looks up an address from DNS it doesn’t pass any security credentials. Or, more accurately, the server side doesn’t respect any credentials that may or may not be passed to it. The permissions on zones and records exist to delegate administration of them, not to control who can resolve them.
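To repeat the eight steps from PowerShell and confirm the deny ACE actually landed before reading anything into the query result, here is an added script (not from the original post). It assumes the DnsServer and ActiveDirectory modules on a domain controller, a domain blah.local with NetBIOS name BLAH, a test zone test.blah.local holding the record blah, a test user BLAH\testuser, and the DNS server address 123.123.123.56 from the post.

```powershell
# Added example, not from the original post. Assumed names: domain blah.local
# (NetBIOS BLAH), zone test.blah.local, record blah, user BLAH\testuser,
# DNS server 123.123.123.56. Run elevated on a domain controller.
Import-Module DnsServer
Import-Module ActiveDirectory   # also creates the AD: drive used below

$Zone     = 'test.blah.local'
$Record   = 'blah'
$TestUser = 'BLAH\testuser'
$Server   = '123.123.123.56'

# Steps 1-2: AD-integrated zone (stored in the DomainDnsZones partition) and an A record.
Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope 'Domain'
Add-DnsServerResourceRecordA -ZoneName $Zone -Name $Record -IPv4Address '10.0.0.5'

# Steps 3-4: the zone is an AD object, so its ACL is an AD ACL. Deny the test user
# Generic Read on the zone and everything under it (/I:T) and protect the object
# from inherited ACEs (/P:Y) so the parent zone's grants do not reach it.
$ZoneDN = "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,DC=blah,DC=local"
dsacls $ZoneDN /I:T /P:Y /D "${TestUser}:GR"

# Check that the deny entry is really on the object before drawing any conclusion.
$deny = (Get-Acl -Path "AD:\$ZoneDN").Access | Where-Object {
    $_.IdentityReference.Value -eq $TestUser -and $_.AccessControlType -eq 'Deny'
}
if (-not $deny) { throw "Deny ACE for $TestUser not found on $ZoneDN" }
$deny | Format-Table IdentityReference, ActiveDirectoryRights, IsInherited

# Steps 5-8: resolve the record as the test user (runas prompts for the password).
# The lookup still answers: a DNS query carries no caller identity, so the server
# has nothing to evaluate the ACL against. The ACL only governs who may manage
# the zone and its records through AD and the DNS management tools.
runas /user:$TestUser "nslookup $Record.$Zone $Server"
```

Removing the test zone afterwards is `Remove-DnsServerZone -Name $Zone -Force`.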
