Category Archives: DNS

Secure Your DNS Traffic with the outside world

DoH in Microsoft Windows OS

Until this moment Microsoft Windows OS doesn’t support DNS over HTTPS, The feature will most likely be implemented in future builds but no body knows when is that however, You can still take a peak into the feature which is in preview mode/

No alt text provided for this image

Benefit of using DoH on an OS level

The benefit of using DoH on an Operating System level would provide more certainty that your DNS queries leave your computer without being read by any other party even if that is your ISP.

A simple DNS nslookup query using Wireshark on your computer would show you how serious this topic is. After installing Wireshark you’ll be able to see that all of your dns queries are in clear text and can be read by anyone until it gets to the destination website/server.

Demonstration of DNS lookup without DoH

After installing Wireshark, I fire up Powershell or CMD and try to nslookup google.com and it’ll show what I just queried for.

No alt text provided for this image

So how to make sure that your DNS queries don’t leave your computer in clear text format? and since Microsoft OS is not DoH ready yet what can you do?

In my case, I am already using encrypted DNS on firewall level as I have Pfsense acting as a router and it already supports DoH but still not pretty satisfied :).

DNSCrypt as a solution

Since the foundation of DoH I have been looking for a solution that would work on Microsoft Windows OS and luckily someone already created this great project called Simple DNSCrypt which not just enables the encryption of DNS queries on your OS but also enables this to work as a service.

No alt text provided for this image

Installing DNSCrypt would create a Windows based Service which would start automatically when your OS boots and logs into Windows.

The service is called DNSCrypt Client Proxy

Add alt textNo alt text provided for this image

DNSCrypt has a simple interface, You can pick up the DNS Server where to forward queries to and it works with proof.

Right after the installation of this tiny app, launch it as an administrator and configure it as in the below screenshot. You can choose to install the service or not.

Add alt textNo alt text provided for this image

Right after you enable it (By clicking on your Network Card box) that will start protecting your DNS queries. Let’s go ahead with a little demo

I am going to start Wireshark after enabling DnsCrypt and do a google dns lookup , As you can see below on wireshark it’s not returning any dns queries.

No alt text provided for this image

When you install Simple DNSCrypt it changes your Preferred DNS configuration to localhost so that all queries is passed through the app in DNS over HTTPS which doesn’t allow even Wireshark to see it as DNS.

So that makes it pretty secure and not even your firewall will see it.

If you have any question please don’t hesitate to ask me

Official DNScrypt website https://simplednscrypt.org/

Support the project founder https://github.com/bitbeans/SimpleDnsCrypt

Migration Computer with ADMT gives an error Logon Failure: The target account name is incorrect

If you’re doing a Cross Forest migration project then you most likely have had a big experience but the more you do those kind of projects the more you’ll see different types of errors and issues rising up.

One of the issues I had in one of the cross forest projects that I have done before was the following error

clip_image001

To start troubleshooting, we’ll start by ruling out the following main causes.

  1. Checked DNS.
  2. Checked relative services (Netbios, RPC, Computer browser ..etc)
  3. Checked firewall (Kaspersky and windows) and closed them both.
  4. Checked connected DC and changed it to a different one.
  5. Checking DCs / Frs (File repliation service) replication and health.

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server smart0188$. The target name used was RPCSS/Smart0248.smartmoss.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (SMARTMOSS.LOCAL) is different from the client domain (SMARTMOSS.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Suppose you have a domain member named DOMAINMEMBER. You can reset the member secure channel by using the following command:

NETDOM MEMBER \\DOMAINMEMBER /JOINDOMAIN

From <https://support.microsoft.com/en-us/kb/175024/>

You can run the command above on the member DOMAINMEMBER or on any other member or domain controller of the domain, provided that you are logged on with an account that has administrator access to DOMAINMEMBER.

The output received from the command should be similar to the following:

Searching PDC for domain DOMAIN …
Found PDC \\DOMAINPDC
Querying domain information on PDC \\DOMAINPDC
Querying domain information on computer \\DOMAINMEMBER
Computer \\DOMAINMEMBER is already a member of domain DOMAIN.
Verifying secure channel on \\DOMAINMEMBER
Verifying the computer account on the PDC \\DOMAINPDC
Resetting secure channel …
Changing computer account on PDC \\DOMAINPDC
Stopping service NETLOGON on \\DOMAINMEMBER …. stopped.
Starting service NETLOGON on \\DOMAINMEMBER …. started.
Querying user groups of \\DOMAINMEMBER
Adding DOMAIN domain groups on \\DOMAINMEMBER

The computer \\DOMAINMEMBER joined the domain DOMAIN successfully.

Logoff/Logon \\DOMAINMEMBER to take modifications into effect.

From <https://support.microsoft.com/en-us/kb/175024/>

Solution 1-

nltest.exe can be used to check the channel and attempt to reset it.

nltest.exe /sc_verify:smartmoss.local

If that does not do it, you can restart the netlogon service (I mainly use PowerShell, so I’ll give an example of that).

Get-Service netlogon | restart-service
nltest.exe /sc_verify:<fully.qualified.domain.name.here>

I ran the nltest command after restarting the service to validate that the secure channel was back in operation.

If you’ve made some network changes (IP Addresses, changing hardware, virtualizing, etc..) you might want to flush your dns cache and clear your arp table before running the above commands.

ipconfig /flushdns
arp -d *
Get-Service netlogon | restart-service
nltest.exe /sc_verify:<fully.qualified.domain.name.here>

Let’s try to find out which DC the client is connected to

nltest /dsgetdc: Dc.local

Point the client to a different DC

nltest /Server:client0 /SC_RESET: DC.Local\DC02

Testing tool

Checked the following tool

http://www.lansweeper.com/kb/2/The-RPC-server-is-unavailable.html

Checked the services RPC, computer browser,

Solution 2-

There is a bug in MS after 400 days of uptime that they don’t tear down their time_wait connections so the server runs out of sockets and can’t make connections to the DC – a reboot should fix this issue temporarily.

From <http://community.spiceworks.com/topic/218426-there-are-currently-no-logon-servers-available-to-service-the-logon-request>

net stats srv

clip_image002

clip_image003

DOT/H Google Launches Secure DNS but not supported by Chrome yet

You might have heard that very recently Google has launched their DNS over TLS which is based on their Google Public DNS service the most commonly used DNS recursive resolver worldwide.

In a statement Google published the following article

https://security.googleblog.com/2019/01/google-public-dns-now-supports-dns-over.html

 

Google Public DNS is the world’s largest public Domain Name Service (DNS) recursive resolver, allowing anyone to convert Internet domain names like www.example.com into Internet addresses needed by an email application or web browser. Just as your search queries can expose sensitive information, the domains you lookup via DNS can also be sensitive. Starting today, users can secure queries between their devices and Google Public DNS with DNS-over-TLS, preserving their privacy and integrity.

 

(DOH) Support for Google Chrome

Although the service is now available however, you still can’t use it on your Windows 10 OS since Microsoft didn’t add the support yet. Linux OS like Ubuntu supports DOT.

 

Alternative Browsers with DOH support

Firefox’s Nightly browser which is dedicated to power users or developers already have the support for DNS over HTTPS (DOH) and upon testing it I could clearly see no indication of any plain text in my wireshark traffic for the websites that I have visited.

I used Godaddy.com as an example to see if whether Wireshark would show the requested website in the DNS filtered traffic. Using Firefox Nightly, didn’t show any DNS result in Wireshark.

image

 

Checking result with Chrome

visiting Godaddy.com on Chrome gave a different result. Here everything is clear text. Although I am using Simple DNScrypt app but still exposes the DNS traffic.

image

 

Even if I changed the DNS settings on my NIC to 1.1.1.1 (cloudflare’s DOT) it would still show the result on Wireshark.

 

image

 

On November 3rd 2018, Chromium released the following article stating:

 

Add DoH UI setting. This CL adds a UI setting allowing users to enable DNS over HTTPS (DoH). Users may select a DoH server from a dropdown menu of preapproved options or enter a DoH server of their choosing. Bug: 878582 Test: out/Default/chrome –enable-features=”SecureDnsSetting” Cq-Include-Trybots: luci.chromium.try:linux_mojo Change-Id: I1138c3b8e77aea10a0d4e8a542b889a285a1a492

 

How to secure your Windows 10 ? 

Lots of tools out there that support Dns over TLS, one of them is dns simple DNSCrypt which uses the protocol dnscrypt. The application can be used temporarily or as a service. 

Windows 10 

I have installed the tool on my Windows 10 as a service and ran a test to see if resolving Google or any other domain would come as clear text but result was negative. 

The app uses various range of DNS recursive resolver services like Google, Cloudflare, Freesta… etc 

To Encrypt your DNS traffic, use Simple DNSCrypt

How I configured my own name server (Public DNS) on Pfsense





To configure your own nameserver, first you must have a public domain (domain.com) ..
In this example I will register a free domain from this registrar: www.freenom.com
The process for registration is pretty simple, you will have to follow the wizard and validate your email then sign in to your portal to edit or configure your free domain.
I have already added a new domain for myself which is called ( moh10ly.cf )
clip_image001
To configure name servers, You must fulfill the following prerequisites:

  1. Public static IP.
  2. DNS Package on Pfsense
  3. Firewall that supports static NAT.

Next step: I will click on Manage domain to change the DNS configuration to point it to my own name server
clip_image002
When you get the following window, click on Management tools and choose “Register glue records”
clip_image003
Very important note:
Next add your Name servers (They don’t need to exist as we will create them later) but you will have to create 2 at least and you can point them to the same Public IP address.
clip_image004
Scroll down and you will find an option to add the second dns, you can call it dns2 and point it to the same IP address.
Next save changes, then click on Management tools –> Name Servers and there if you couldn’t find the new name servers you have configured then enter them here.
clip_image005
Save changes again
Now let’s go on Pfsense and setup our Public DNS (Name Server), You will have to go to “System>Packages>Available Packages” and there download “dns-server” or “TinyDns”
clip_image006
When you have finished installing TinyDns you will find it under “Services” menu. Click on it
Once you are there, click on “Settings tab” and on the binding IP address place your Public IP which you’ll use for the name servers. And make sure you use the WAN NIC to listen on.
clip_image007
Save and click on the “New domain wizard” to setup your domain
clip_image008
Click Next
clip_image009
On the next window configure your domain as in the following, make sure that it matches your configuration on registrar’s domain.
clip_image010
Click Next and Finish
Once finished, go to the Add/ Edit record tab and there you will find 4 created records
clip_image011
Next create the root DNS record which is . And point it to the same public IP and any other records that you might have an installed role for like Exchange, IIS ..etc
clip_image012
Now it’s time to configure the firewall to allow inbound queries on port 53. here’s the rule that I have created under (FirewallRules) because I have only one Public IP address on WAN I won’t use a static NAT rule.
clip_image013
I will go back to TinyDns on Pfsense to see the incoming requests for name resolving from public clients.
Under the logs tab I could see the requests I was making from my PC using google as my DNS.. So everything works fine.
clip_image014
That’s it, the configuration of your own Name server is done. Smile

del.icio.us Tags: ,,,