Windows 7 and Server 2008 R2 Bring Us DNSSEC. Will We Use It?

Network security always seems to be driven by the latest "thing", whether that be a virus or a bot like Conficker, or a technology like NAC (Network Access Control) that was in vogue for several years. Security is driven by hot technologies and hot vulnerabilities and attacks; at least that seems to be what gets all of the attention. Today's theme, at least as evidenced by the reporting from RSA, is cloud security. Expect that to continue for some time. But a technology that's been around a while is finally getting its due, and deservedly so: DNSSEC, thanks to Dan Kaminsky's Black Hat presentation last year.

If you aren't familiar with DNSSEC, simply stated, it's authenticated DNS... so the requestor knows the DNS response is coming from the requested server, not someone who's poisoned the ARP cache and redirected your request to do their bidding. 

Windows is catching DNSSEC fever too, in both Windows Server 2008 R2 and now Windows 7. Here's what a Windows 7 security whitepaper by Chris Corio on Microsoft TechNet has to say about it.

DNSSec Validation

Over the past couple years, DNS-related exploits have become a more common problem on the Internet. There is a better understanding of how to poison DNS servers, and attackers are starting to make use of that information. What this means is that a user can potentially visit a Web site and not be absolutely sure that he isn't visiting a different, malicious Web site.

Windows Server 2008 R2 and Windows 7 introduce support for DNSSEC as per the current standards (RFC 4033, RFC 4034, and RFC 4035). Windows Server 2008 R2 will allow the DNS Server to provide origin authority and data integrity artifacts. Basically, a server will be able to attach digital signatures to DNS data in responses as well as validate data received from other DNS servers.

Windows 7 is the first client operating system to include the necessary pieces to allow the client to verify that it is communicating securely with a DNS server and verify that the server has performed DNSSEC validation on its behalf. This technology is currently being tested to ensure the maximum compatibility with current Internet infrastructure and aims to play a continuing role in securing DNS data in the future.
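As an added illustration of what that client-side check involves (my own example, not code from the whitepaper or from Microsoft): a validating resolver signals that it has validated an answer by setting the AD (Authenticated Data) bit in the DNS header, and a stub that relies on that bit must also trust the path to the resolver, because the bit itself is not signed. The header parser, the policy function and the sample header bytes below are my assumptions, constructed for the example:

```python
import struct

# DNS header flag bits (RFC 1035; AD and CD defined for DNSSEC in RFC 4035 sec. 3.2.3)
FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # Authenticated Data: resolver performed DNSSEC validation
FLAG_CD = 0x0010  # Checking Disabled: client asked the resolver not to validate
RCODE_SERVFAIL = 2  # what a validating resolver returns when validation fails


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (the body is not needed here)."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "is_response": bool(flags & FLAG_QR),
        "rcode": flags & 0x000F,
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "counts": (qd, an, ns, ar),
    }


def answer_is_trustworthy(msg: bytes, resolver_channel_secure: bool) -> bool:
    """Stub-resolver policy (assumed, mirrors the whitepaper's two conditions):
    accept the data as DNSSEC-validated only if the resolver answered without
    error with AD set, validation was not disabled, and the client has a
    secured channel to that resolver, since a forged reply can set AD too."""
    h = parse_header(msg)
    return (h["is_response"] and h["rcode"] == 0 and h["ad"] and not h["cd"]
            and resolver_channel_secure)


def build_header(ident: int, flags: int, qd=1, an=1, ns=0, ar=0) -> bytes:
    """Construct a header for the samples below."""
    return struct.pack("!HHHHHH", ident, flags, qd, an, ns, ar)


# Constructed sample responses: validated, not validated, and validation failure.
VALIDATED = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
UNVALIDATED = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA)
SERVFAIL = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL)

if __name__ == "__main__":
    for name, m in [("validated", VALIDATED), ("unvalidated", UNVALIDATED), ("servfail", SERVFAIL)]:
        print(name, parse_header(m), "trusted:", answer_is_trustworthy(m, True))
```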

My question is, how likely is it that enterprises, medium or small businesses will deploy DNSSEC in their environments? DNSSEC appears to be getting its foothold at the highest levels outside the enterprise, such as in the federal government with .GOV, with .ORG and potentially with network providers. Until top-level domains supported DNSSEC, it didn't necessarily make a lot of sense for individual companies to deploy it just for themselves; the domain spoofing and ARP poisoning attacks to date haven't been severe enough.

Will the combination of DNSSEC's new momentum and support for DNSSEC in Windows 7 and Windows Server 2008 R2 be the right one-two punch? That I can't answer, but it is at least significant in my book that support for DNSSEC is in a client like Windows 7. And kudos to Dan Kaminsky for evangelizing both the security issues with DNS and the use of DNSSEC.

Microsoft's not making any definitive statements, with text like "This technology is currently being tested to ensure the maximum compatibility...", but given Microsoft's direction to encrypt server connections across the LAN and WAN with DirectAccess (which requires IPv6, by the way), Microsoft could play an important role in someday increasing the use of DNSSEC in our IT shops. We'll have to see just how far away that day is.

Note: In the interest of full disclosure, one of the clients of my company, Converging Network LLC, is Secure64, a DNSSEC company.


Copyright © 2009 IDG Communications, Inc.