
4/9/2019 How to Deploy and configure DNS 2016 – (Part5) – Nedim's IT CORNER

Date: April 4, 2017 Author: Nedim Mehic

In the last three parts (Part 5, Part 6 and Part 7) of the How to Deploy and configure DNS 2016 series we will focus on advanced DNS options.

Aging and Scavenging (the most often forgotten configuration for a new DNS server)

DNS aging and scavenging is the mechanism for getting rid of records that have gone stale. Think of machines that move around: laptops come on and off the network, and a laptop that leaves the network does not always get the same IP address when it comes back. If the user is gone for a week or two, that laptop will probably get whatever address the DHCP server hands out next, while its old A record still points at the old address, which by then may belong to a different host. Aging is the first half of the mechanism: when a record is dynamically registered in the zone it is stored together with a time stamp, and that time stamp is what later allows the record to be identified as stale and removed after a certain period. The time stamp is reset whenever the record is created, modified or refreshed, and Windows hosts refresh their records on three events:

at startup, when the machine boots

on every DHCP lease renewal

every 24 hours

This gives the machines on the network the ability to keep the same DHCP address and the same DNS resolution for as long as they stay attached to the network; the one requirement is that the machine must be able to reach the DNS server to refresh its record. When machines are off the network for extended periods we also need a way to remove their records, and that is the second half, the scavenging part of DNS aging and scavenging.

Scavenging is what actually removes the stale records from the DNS database. It uses two different intervals, and both are important to understand, otherwise records seem to disappear out of DNS at what look like random moments.

The refresh interval is the period in which the client is expected to refresh its record; if the record has not been refreshed by the end of that period, the scavenging process treats it as stale and removes it. The refresh interval is seven days by default. So if the client has been powered off, or simply never came back to refresh its record, by the time the refresh interval runs out the scavenging process concludes that the client no longer exists and removes the record from DNS. We have to be careful with this removal, though, because we do not want to remove records too quickly: a record removed while the host is still on the network causes name resolution failures until the host re-registers, and an interval shorter than a day would do exactly that, since hosts only attempt a refresh every 24 hours.

https://nedimmehic.org/2017/04/04/how-to-deploy-and-configure-dns-2016-part5/ 1/9

There is also a no-refresh interval, a period before the refresh interval, also seven days by default, during which any refresh sent by the client is simply ignored by the server. So even if the client is online and sends its refresh every 24 hours, the server does not touch the time stamp during the no-refresh interval. This is done to reduce the amount of DNS replication between the servers in the environment: every accepted refresh rewrites the record's time stamp, and for an AD-integrated zone that is an Active Directory write that has to replicate to every domain controller hosting the zone.

Picture 1

If the no-refresh interval and the refresh interval are both 7 days, a resource record is considered stale if it has not been refreshed for 14 days.

Picture 2

If the no-refresh interval and the refresh interval are both 7 days, a resource record can be refreshed 7 days after its last refresh. Once that happens, a new no-refresh interval starts.


DNS aging uses the resource record's time stamp to decide whether it is stale or not.

We can distinguish between two types of resource records:

Resource records with a time stamp equal to zero (0): these are static records and they never become stale. Records created by hand in the DNS console are static by default.

Resource records with a time stamp not equal to zero (0): these are dynamic records, and the time stamp is the date and time of the last update or accepted refresh of the record (the time stamp is stored with one-hour granularity, so the console shows the hour of the last refresh / update).
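Before enabling scavenging on a zone it pays to know what the first run would delete. The script below is an added example, not code from the original post: it reads the zone's own no-refresh and refresh intervals, then classifies every A and AAAA record as static (time stamp 0, shown as $null by the module), inside the no-refresh window, inside the refresh window, or already stale. The server name dns01 and the zone corp.example.com are placeholders, and it assumes the DnsServer PowerShell module (RSAT-DNS-Server) is installed.

```powershell
# Added example: preview what scavenging would remove from a zone.
# Assumptions (not from the original post): 'dns01' and 'corp.example.com'
# are placeholders; the DnsServer module is installed; the caller can read the zone.
Import-Module DnsServer

$DnsServer = 'dns01'             # hypothetical DNS server
$ZoneName  = 'corp.example.com'  # hypothetical AD-integrated zone

$aging = Get-DnsServerZoneAging  -ComputerName $DnsServer -Name $ZoneName
$scav  = Get-DnsServerScavenging -ComputerName $DnsServer
$now   = Get-Date

if (-not $aging.AgingEnabled) {
    Write-Warning "Aging is not enabled on $ZoneName; this is a preview only."
}
if (-not $scav.ScavengingState) {
    Write-Warning "Scavenging is not enabled on $DnsServer; stale records stay until some server scavenges them."
}

# A record is stale once its time stamp is older than no-refresh + refresh.
$staleAfter = $aging.NoRefreshInterval + $aging.RefreshInterval

$records = @('A', 'AAAA') | ForEach-Object {
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType $_
}

$report = foreach ($rr in $records) {
    $age = $null
    if ($null -eq $rr.Timestamp) {
        $state = 'static'              # time stamp 0: never scavenged
    } else {
        $age = $now - $rr.Timestamp
        if ($age -lt $aging.NoRefreshInterval) {
            $state = 'no-refresh'      # refreshes are ignored, time stamp stays
        } elseif ($age -lt $staleAfter) {
            $state = 'refresh-window'  # a refresh now resets the time stamp
        } else {
            $state = 'STALE'           # removed by the next scavenging run
        }
    }
    [pscustomobject]@{
        Name      = $rr.HostName
        Type      = $rr.RecordType
        Address   = if ($rr.RecordType -eq 'A') { $rr.RecordData.IPv4Address } else { $rr.RecordData.IPv6Address }
        Timestamp = $rr.Timestamp
        AgeDays   = if ($null -ne $age) { [math]::Round($age.TotalDays, 1) } else { $null }
        State     = $state
    }
}

# Summary per state, then the records the next run would delete.
$report | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object State -eq 'STALE' | Sort-Object Timestamp | Format-Table -AutoSize
```

Two things to keep in mind when reading the output: the ages are computed against the clock of the machine running the script, while the real decision is made by the scavenging server, and a freshly enabled scavenging server removes nothing until it has been running with scavenging on for a full no-refresh plus refresh period (the zone's Aging dialog shows this as the date the zone can be scavenged after, AvailForScavengeTime in the module).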

Let’s see how we can configure this.

First we need to configure scavenging at the server level. Right-click on your DNS server and select Properties.


Select the Advanced tab and tick the Enable automatic scavenging of stale records box. The scavenging period next to it (7 days by default) is how often this server runs the scavenging job; it is not the refresh interval. Click Apply and OK.

This is the first of the three settings that we need to look at.

With AD-integrated DNS zones, a single DNS server with scavenging enabled on it is enough to have scavenging done properly, because the deletions replicate with the zone. Keeping it to one server also means there is exactly one server, and one DNS event log, to look at when records disappear.


Next we need to right-click on the zone, select Properties and make the configuration again at the zone level.

On the General tab, click Aging.

Here we can set the remaining aging and scavenging properties. Tick the Scavenge stale resource records box and adjust the no-refresh and refresh intervals if you need to. Click OK twice.


You need to do this on every zone that you want aging and scavenging configured on.

If you right-click on the DNS server you will also see the option to set Aging and Scavenging for all zones. Be careful with this one, because you often have zones that you do not want aging and scavenging turned on. As I said, aging and scavenging are designed for zones where there is a lot of dynamic activity, clients coming in and out of the network, laptops, devices and so on; a zone that holds only static server records gains nothing from it.

Manually scavenge stale records

There is also an option to scavenge stale records manually: right-click on the DNS server and select Scavenge Stale Resource Records. This runs the same job that the scavenging period triggers automatically, with the same interval rules, so it is a good way to check the result right after enabling scavenging.


Convert a static record to a dynamic one

If I need to take a static record and make it dynamic (or vice versa), that is, make it part of the aging and scavenging I have turned on, I open the properties of the static record and tick the box Delete this record when it becomes stale. Ticking it gives the record a time stamp; clearing it sets the time stamp back to zero, which makes the record static again. If you don't see this option, go to View –> Advanced in the DNS console. Before enabling scavenging on a zone, check the records for servers, printers and other hosts that never register themselves: if someone created them with this box ticked, the first scavenging run will remove them.
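The same configuration the screenshots walk through, done with the DnsServer module so that it can be reviewed and repeated on the next server. This is an added example, not code from the original post; dns01, its address 10.0.0.10, the zone corp.example.com and the host names in it are placeholders.

```powershell
# Added example: server-level scavenging, zone-level aging, verification,
# converting records, and a manual scavenging run.
# Assumptions (not from the original post): 'dns01' (10.0.0.10) and
# 'corp.example.com' are placeholders; run as a DNS administrator with the
# DnsServer module and dnscmd.exe available.
Import-Module DnsServer

$DnsServer = 'dns01'
$ZoneName  = 'corp.example.com'
$Interval  = New-TimeSpan -Days 7

# 1. Server level: enable scavenging on exactly one server. ScavengingInterval is
#    how often this server runs the job; the other two become the defaults for new
#    zones. -ApplyOnAllZones is deliberately left out: that is the "for all zones"
#    option, which would age every zone including ones full of static records.
Set-DnsServerScavenging -ComputerName $DnsServer -ScavengingState $true `
    -ScavengingInterval $Interval -NoRefreshInterval $Interval -RefreshInterval $Interval

# 2. Zone level: enable aging only on the dynamic zone and pin the one server that
#    is allowed to scavenge it, so no other DNS server starts deleting on its own.
Set-DnsServerZoneAging -ComputerName $DnsServer -Name $ZoneName -Aging $true `
    -NoRefreshInterval $Interval -RefreshInterval $Interval -ScavengeServers 10.0.0.10

# 3. Verify both levels before trusting them.
Get-DnsServerScavenging -ComputerName $DnsServer |
    Format-List ScavengingState, ScavengingInterval, NoRefreshInterval, RefreshInterval, LastScavengeTime
Get-DnsServerZoneAging -ComputerName $DnsServer -Name $ZoneName |
    Format-List AgingEnabled, NoRefreshInterval, RefreshInterval, ScavengeServers, AvailForScavengeTime

# 4a. A new record created with a time stamp (the "Delete this record when it
#     becomes stale" box ticked): -AgeRecord. Without it the record is static.
Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $ZoneName `
    -Name 'lab-laptop01' -IPv4Address 10.0.5.21 -AgeRecord

# 4b. Give the existing static records of one node a time stamp (static -> dynamic).
#     /f suppresses the confirmation prompt. Omit the node name to age the whole
#     zone, which is rarely what you want.
dnscmd $DnsServer /AgeAllRecords $ZoneName lab-printer01 /f

# 5. Manual run, the same as "Scavenge Stale Resource Records" in the console.
Start-DnsServerScavenging -ComputerName $DnsServer -Force
```

Step 5 will not remove anything until dns01 has been running with scavenging enabled for the full no-refresh plus refresh period, which is what AvailForScavengeTime in step 3 reports; run the manual scavenge again after that date and compare the zone's record count with what you expected.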


CONFIGURE DNSSEC (DNS Security)

When you type your bank's website into your browser, at some point your browser (your computer, really) goes off to a DNS server and says, "Here's my bank's website, give me the IP address of that website." Your browser then reaches out to that IP address, gets your bank's website data, and you perform your transactions. But if you think about it, there is a bit of a problem there: you type in your bank's website, a DNS server somewhere translates that name into an IP address, and you have no way of knowing that the IP address the DNS server gives you back is actually your bank's website.

What if someone could make a DNS server lie to you? That is the core idea of DNSSEC: it is a way to verify what you get back from a DNS server. The verification uses cryptographic techniques, which means that along with each response you also get a digital signature that says, "This is legitimate." So when you configure DNSSEC, a DNS server hosting what is called a signed zone returns DNSSEC records (a signature over the answer) that let the resolver validate the response to the query.

So DNSSEC protects against things like packet interception and spoofing: someone sending you a forged DNS response and putting illegitimate data in your cache. It stops a man-in-the-middle attack where you are getting bad data from someone intercepting your traffic, and it stops spoofed data coming from a compromised or poisoned recursive DNS server, because a forged answer does not carry a valid signature. Note what it does not do: DNSSEC gives you authenticity and integrity of DNS data, not confidentiality (queries and answers still travel in the clear), and it cannot help if the authoritative server holding the zone's private signing keys is itself compromised, since that server can sign whatever it likes.

Why would you use it?

We need to actually have ways of verifying some of these core bits of infrastructure, and
DNSSEC is a way of doing it. It’s a way of making sure that when you query a DNS record,
you can trust the result you get back.

There are 4 main components of DNSSEC

TRUST ANCHOR – a special cryptographic key (the zone's public KSK, or the DS record derived from it) that is associated with a zone and used to validate its resource records. Think of it as something like a root CA for the zone: you trust a record because you already trust the trust anchor. The trust anchor is the root of your trust, which is why it is called an anchor; it sits at the top. You trust the trust anchor, and then you trust anything signed by keys that chain back to it. A trust anchor can be stored in Active Directory and replicated to all DNS servers on DCs in the forest, or it can be imported on a standalone (non-domain-joined) DNS server.

KEY MASTER – when you deploy DNSSEC in your environment you need a key master; basically, the key master is the one that creates the keys. It is a DNS server that generates and manages the signing keys for the DNSSEC-protected zones it is responsible for. Each signed zone has exactly one key master, and a single DNS server can be the key master for multiple zones; that's not a problem. Just remember, once you implement this, that you want the keys backed up. This is one of the advantages of running DNSSEC on an Active Directory domain controller with AD-integrated zones: the keys are stored in Active Directory and are backed up along with it, which is also what allows another DC to take over the key master role.

KEY SIGNING KEY (KSK) – The KSK signs the DNSKEY record set at the zone's root (apex) and nothing else; it is the key a trust anchor or the parent's DS record points at. You create the KSK using the DNSSEC key master. So when you first deploy DNSSEC in your environment, you set up a key master and from that point the key master creates the KSK.

ZONE SIGNING KEY (ZSK) – The key master also creates the ZSK. The ZSK signs all the zone data, that is, every resource record set other than the DNSKEY records. Splitting the two keys lets you roll the ZSK frequently without touching the trust anchor, while the KSK, which has to be published upward, can be longer-lived. As I said, you create the ZSK using the DNSSEC key master.

Next thing that we need to understand is the DNSSEC Record Types

RRSIG – a resource record signature. Whether you have A records, AAAA (quad-A) records, MX records and so on, each RRSIG record provides a signature for an existing record set in the zone, so for every record set in your zone there is a corresponding resource record signature.

NSEC – the basic mechanism for authenticated denial of existence, and it protects against spoofing of negative answers. Without it, an attacker could simply forge a "that name does not exist" reply for a record that does exist, and there would be nothing to check the reply against. An NSEC record is a signed record that names the next name in the zone's sorted order, so when you query for a name that is not there the server returns the NSEC record covering that gap, and the resolver can verify that nothing exists between the two names. That is genuinely useful information in terms of securing DNS.

NSEC3 – the more recent, upgraded version. It replaces the plain names in NSEC records with hashed names, which prevents what is called zone walking, where someone follows the chain of NSEC records to enumerate (fingerprint, footprint) every record that exists in the zone. A zone is signed with either NSEC or NSEC3; you should use the newer one, but you can't use both in one zone.

NSEC3PARAM – carries the hashing parameters (algorithm, iterations and salt) used by the zone's NSEC3 records, so the server knows which NSEC3 records to include in a response for a name that doesn't exist.

DNSKEY – stores a public key used to verify a signature. A signed zone publishes its public KSK and ZSK as DNSKEY records; the private halves never leave the key master.
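To see the four components and the record types above on a real zone, the script below signs a zone with the default settings and then inspects what that produced. It is an added example, not code from the original post; dns01 is a placeholder for the DNS server holding the primary copy of the placeholder zone corp.example.com (that server becomes the zone's key master), www is a hypothetical host in it, and C:\dnssec is an arbitrary export folder.

```powershell
# Added example: sign a zone, then look at the key master, KSK/ZSK, DNSKEY,
# RRSIG and NSEC3/NSEC3PARAM records and a signed answer.
# Assumptions (not from the original post): 'dns01', 'corp.example.com',
# 'www' and 'C:\dnssec' are placeholders; run on or against a Windows Server
# 2016 DNS server as a DNS administrator.
Import-Module DnsServer

$DnsServer = 'dns01'
$ZoneName  = 'corp.example.com'

# Sign with the default parameters. The server that runs this becomes the key
# master and generates the KSK and ZSK for the zone.
Invoke-DnsServerZoneSign -ComputerName $DnsServer -ZoneName $ZoneName -SignWithDefault -Force

# Which server is the key master, and NSEC or NSEC3 denial of existence?
Get-DnsServerDnsSecZoneSetting -ComputerName $DnsServer -ZoneName $ZoneName |
    Format-List KeyMasterServer, DenialOfExistence, NSec3HashAlgorithm, NSec3Iterations, NSec3OptOut

# The two signing keys the key master created (KeyType tells KSK from ZSK).
Get-DnsServerSigningKey -ComputerName $DnsServer -ZoneName $ZoneName |
    Format-Table KeyType, CryptoAlgorithm, KeyLength, KeyStorageProvider, RolloverPeriod -AutoSize

# Count the DNSSEC record types now present in the zone. Expect one NSEC3PARAM,
# one DNSKEY per key, and an RRSIG for every signed record set.
foreach ($type in 'DnsKey', 'RRSig', 'NSec3', 'NSec3Param') {
    $n = @(Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType $type).Count
    '{0,-11} {1}' -f $type, $n
}

# Publish the public KSK as a trust anchor through Active Directory (AD-integrated
# zone on a DC), then read it back from the forest-wide trust anchor store.
Set-DnsServerDnsSecZoneSetting -ComputerName $DnsServer -ZoneName $ZoneName -DistributeTrustAnchor DnsKey
Get-DnsServerTrustAnchor -ComputerName $DnsServer -Name $ZoneName

# Export the DNSKEY/DS set for the parent zone or for a standalone validating resolver.
Export-DnsServerDnsSecPublicKey -ComputerName $DnsServer -ZoneName $ZoneName `
    -Path 'C:\dnssec' -DigestType Sha256 -Force

# Query with the DO bit set: a signed zone hands back the RRSIG next to the A record.
Resolve-DnsName -Name "www.$ZoneName" -Type A -Server $DnsServer -DnssecOk |
    Format-Table Name, Type, TTL, Section -AutoSize
```

The last command only shows that the signature is being returned; whether anything is validated depends on the resolver the clients actually use, so the check to finish with is the one the text hints at, namely that the trust anchor for the zone exists on every resolver expected to validate it.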

