Securing DNS (DNSSEC, DoH, LLMNR, NetBIOS, LMHOSTS) [Windows Server 2019]

Published on Aug 06, 2024 This response is partially generated with the help of AI. It may contain inaccuracies.

Introduction

This tutorial will guide you through securing DNS in your home or work environment using Windows Server 2019. We will cover client-side security measures, enabling DNS over HTTPS (DoH), disabling vulnerable protocols like NetBIOS, and implementing server-side protections, including DNSSEC.

Chapter 1: Enable DNS over HTTPS

DNS over HTTPS (DoH) encrypts DNS queries in transit, so enabling it is an essential first step. Follow these steps:

  1. Open PowerShell as Administrator.

  2. Create a cmdlet (a PowerShell function) with the switches below and run it to enable DoH:

    Enable-DoH -Restart

    • Restart: this switch restarts the computer after writing the configuration.
    • Undo: this switch deletes the registry value if you decide to disable DoH again.
  3. Check the Registry:

    • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Cache\Parameters.
    • Ensure the EnableAutoDoH DWORD value is set to 2, indicating that DoH is enabled.
  4. Browser Settings:

    • Firefox: open Options, search for DNS, click Settings, and make sure DNS over HTTPS is enabled.
    • Chrome: open chrome://flags, search for DNS, and enable the flags that control DoH.
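As an added example (not the tutorial's own cmdlet), the function below implements the Enable-DoH command described in steps 2 and 3: it writes the EnableAutoDoH DWORD value 2, supports the -Restart and -Undo switches, and exposes a Test-DoH check that returns whether the value is set as step 3 expects. It assumes the DNS Client service is named Dnscache, so its parameters key is Services\Dnscache\Parameters; the tutorial prints the path as Services\DNS\Cache\Parameters, so verify the key on your build before relying on it.

```powershell
# Added example, not the tutorial's own cmdlet: Enable-DoH with the -Restart and
# -Undo switches from Chapter 1, writing the EnableAutoDoH DWORD = 2 that step 3 checks.
# Assumption: the DNS Client service is named Dnscache, so its parameters live under
# Services\Dnscache\Parameters (the tutorial shows Services\DNS\Cache\Parameters).
#Requires -RunAsAdministrator

$script:DohKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
$script:DohValue = 'EnableAutoDoH'
$script:DohOn    = 2    # 2 = automatic DoH enabled; the value step 3 expects

function Test-DoH {
    # $true only when the DWORD exists and equals 2 (the registry check in step 3).
    $name    = $script:DohValue
    $current = (Get-ItemProperty -Path $script:DohKey -Name $name -ErrorAction SilentlyContinue).$name
    return ($current -eq $script:DohOn)
}

function Enable-DoH {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Restart,   # reboot after the change, as the tutorial describes
        [switch]$Undo       # delete the value instead of setting it
    )
    if (-not (Test-Path $script:DohKey)) {
        New-Item -Path $script:DohKey -Force | Out-Null
    }
    $target = "$($script:DohKey)\$($script:DohValue)"
    if ($Undo) {
        if ($PSCmdlet.ShouldProcess($target, 'Remove value')) {
            Remove-ItemProperty -Path $script:DohKey -Name $script:DohValue -ErrorAction SilentlyContinue
        }
    }
    elseif ($PSCmdlet.ShouldProcess($target, "Set DWORD to $($script:DohOn)")) {
        New-ItemProperty -Path $script:DohKey -Name $script:DohValue `
            -PropertyType DWord -Value $script:DohOn -Force | Out-Null
    }
    # Report the resulting state so the operator can confirm it before any reboot.
    $enabled = Test-DoH
    Write-Host ("{0} = {1}" -f $script:DohValue, $(if ($enabled) { '2 (DoH enabled)' } else { 'not set to 2' }))
    if ($Restart -and -not $WhatIfPreference) { Restart-Computer -Force }
}

# Usage: Enable-DoH -Restart   (apply and reboot)
#        Enable-DoH -Undo      (remove the value)
#        Enable-DoH -WhatIf    (show what would change without touching the registry)
```

Because the function supports ShouldProcess, Enable-DoH -WhatIf previews the registry write, and Test-DoH can be run on its own after the reboot to confirm the value survived.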

Chapter 2: Disable NetBIOS Traffic

NetBIOS can expose your network to unnecessary risks and traffic. Here's how to disable it:

  1. Open Control Panel.
  2. Go to Network and Sharing Center.
  3. Select your Network Interface Card (NIC) and go to Properties.
  4. Select Internet Protocol Version 4 (TCP/IPv4) and click on Properties.
  5. Click on Advanced and then the WINS tab.
  6. Disable:
    • LMHOSTS lookup.
    • NetBIOS over TCP/IP (set to Disable).
  7. Click OK to apply the settings.

Chapter 3: Configuring Group Policy for Domain Environments

If you're managing a domain, you'll want to ensure these settings are applied across all computers.

  1. Create a Startup Script:

    • The script should disable NetBIOS and LMHOSTS. Use the following PowerShell commands:

    Set-NetBIOS -NetBIOS 2    # 2 = disabled
    Set-LmHosts -Enabled $false

    
    • Save this script in the Domain Controller's Netlogon share.
  2. Code Signing:

    • Sign your startup script so that any unauthorized modification invalidates the signature, and set the execution policy to RemoteSigned.
  3. Use Group Policy:

    • Navigate to Computer Configuration > Policies > Windows Settings > Scripts.
    • Add your startup script here.
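The tutorial's Set-NetBIOS and Set-LmHosts lines are custom commands whose bodies it does not show. As an added example (not the tutorial's code), the startup script below does what those two lines describe, and what Chapter 2 does by hand on the WINS tab: it sets NetBIOS over TCP/IP to "disabled" on every TCP/IP-bound adapter through the SetTcpipNetbios method of Win32_NetworkAdapterConfiguration, turns off LMHOSTS lookup through the EnableLMHOSTS value under the NetBT service key, and then reports the resulting state. Both the CIM method and the NetBT registry value are assumed from Windows' documented interfaces rather than taken from the page.

```powershell
# Added example, not the tutorial's Set-NetBIOS / Set-LmHosts commands: a Group
# Policy startup script (runs as SYSTEM) that disables NetBIOS over TCP/IP and
# LMHOSTS lookup, then verifies the result.
# Assumptions: Win32_NetworkAdapterConfiguration.SetTcpipNetbios and the
# EnableLMHOSTS value under the NetBT service key.

$NetBtParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

function Set-NetBiosOverTcpip {
    # TcpipNetbiosOptions: 0 = use the DHCP server's setting, 1 = enabled, 2 = disabled
    param([ValidateSet(0, 1, 2)][int]$Option = 2)
    $results = @()
    # Only adapters with TCP/IP bound carry a NetBIOS setting, hence the IPEnabled filter.
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $r = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                     -Arguments @{ TcpipNetbiosOptions = $Option }
            $results += [pscustomobject]@{
                Adapter    = $_.Description
                ReturnCode = $r.ReturnValue    # 0 = applied, 1 = applied but reboot required
            }
        }
    return $results
}

function Set-LmHostsLookup {
    # EnableLMHOSTS mirrors the "Enable LMHOSTS lookup" box on the WINS tab (Chapter 2).
    param([bool]$Enabled = $false)
    Set-ItemProperty -Path $NetBtParams -Name EnableLMHOSTS -Type DWord -Value ([int]$Enabled)
}

function Test-NetBiosHardening {
    # Returns one object summarising whether both settings are in the hardened state.
    $lmhosts  = (Get-ItemProperty -Path $NetBtParams -Name EnableLMHOSTS).EnableLMHOSTS
    $adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
                Select-Object Description, TcpipNetbiosOptions
    $allOff   = -not ($adapters | Where-Object { $_.TcpipNetbiosOptions -ne 2 })
    [pscustomobject]@{
        LmHostsDisabled              = ($lmhosts -eq 0)
        NetBiosDisabledOnAllAdapters = $allOff
        Adapters                     = $adapters
    }
}

# Startup-script body: apply both settings, then log the verification result.
Set-NetBiosOverTcpip -Option 2 | Out-Null
Set-LmHostsLookup -Enabled $false
Test-NetBiosHardening | Format-List
```

Save the script to the Netlogon share, sign it as step 2 describes, and add it under Computer Configuration > Policies > Windows Settings > Scripts; Test-NetBiosHardening can also be run interactively on a client to audit the result after the policy applies.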

Chapter 4: Implementing DNSSEC

To protect against spoofed DNS responses and ensure the integrity of the data your zone serves, implement DNSSEC.

  1. Open DNS Manager on your Domain Controller.

  2. Right-click on your forward lookup zone and select DNSSEC > Sign the Zone.

  3. Choose Key Length:

    • Set the key length to 2048 bits for both Key Signing Key (KSK) and Zone Signing Key (ZSK).
  4. Enable Trust Anchors:

    • Check the trust anchor box so the zone's trust anchors are distributed to other DNS servers.
  5. Group Policy for Clients:

    • Edit the Default Domain Policy under Policies > Windows Settings > Name Resolution to enable DNSSEC validation for clients.
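As an added example (not the tutorial's code), the script below carries out steps 2 through 5 with the DnsServer and DnsClient PowerShell cmdlets instead of the DNS Manager wizard: it adds a 2048-bit KSK and ZSK, signs the zone with them, turns on trust anchor distribution, publishes a Name Resolution Policy Table rule through the Default Domain Policy that requires DNSSEC validation, and finishes with a check that the zone now answers with DNSKEY and RRSIG records. The zone name is a constructed placeholder, and the signing algorithm and NRPT rule parameters are the author's assumptions, not values from the page.

```powershell
# Added example, not the tutorial's code: Chapter 4 via DnsServer/DnsClient cmdlets.
# Assumptions: the zone name below is a constructed placeholder; RSA/SHA-256 is
# chosen for both keys; the NRPT rule is written into the Default Domain Policy.
#Requires -Modules DnsServer, DnsClient

$Zone = 'corp.example.com'        # constructed placeholder; replace with your zone
$Gpo  = 'Default Domain Policy'   # the GPO the tutorial edits in step 5

# Step 3: 2048-bit Key Signing Key and Zone Signing Key.
Add-DnsServerSigningKey -ZoneName $Zone -Type KeySigningKey  -CryptoAlgorithm RsaSha256 -KeyLength 2048
Add-DnsServerSigningKey -ZoneName $Zone -Type ZoneSigningKey -CryptoAlgorithm RsaSha256 -KeyLength 2048

# Step 2: sign the zone with the keys just added (omit -SignWithDefault so they are used).
Invoke-DnsServerZoneSign -ZoneName $Zone -Force

# Step 4: distribute the zone's DNSKEY as a trust anchor to the other DNS servers.
Set-DnsServerDnsSecZoneSetting -ZoneName $Zone -DistributeTrustAnchor DnsKey

# Step 5: NRPT rule in Group Policy so clients require validated answers for the zone.
Add-DnsClientNrptRule -GpoName $Gpo -Namespace ".$Zone" -DnsSecEnabled -DnsSecValidationRequired

function Test-ZoneSigned {
    # A signed zone holds DNSKEY records and returns RRSIGs to a query with the DO bit set.
    param([string]$Name = $Zone)
    $keys  = Get-DnsServerResourceRecord -ZoneName $Name -RRType DnsKey -ErrorAction SilentlyContinue
    $rrsig = Resolve-DnsName -Name $Name -Type SOA -Server 127.0.0.1 -DnssecOk -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'RRSIG' }
    [pscustomobject]@{
        Zone        = $Name
        DnsKeyCount = @($keys).Count
        RrsigSeen   = [bool]$rrsig
        Signed      = (@($keys).Count -gt 0 -and [bool]$rrsig)
    }
}

Test-ZoneSigned
```

Run it on the domain controller that hosts the zone. Test-ZoneSigned is the check to repeat after key rollovers: if DnsKeyCount is zero or RrsigSeen is false, the zone is not actually serving signed data and clients under the NRPT rule will fail to resolve it.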

Conclusion

By following these steps, you can significantly enhance the security of your DNS configuration in both home and work environments. Key takeaways include enabling DNS over HTTPS, disabling vulnerable protocols like NetBIOS, and implementing DNSSEC for data integrity. For further improvements, consider regular audits of your DNS settings and staying updated on security best practices.