BIND9 TSIG from Windows Server 2016 DNS Server Zone

Crist Clark cjc+bind-users at pumpky.net
Thu May 26 06:07:42 UTC 2022


As far as I know, GSS-TSIG is only used for DNS updates, not zone transfers.

https://bind9.readthedocs.io/en/v9_16_5/advanced.html#dynamic-update

Sorry, don't know what capabilities AD has for securing zone transfers
beyond IP ACLs, which of course is not much security at all. I've never had
luck getting AD admins to offer anything better. I'm definitely no AD
expert myself.

One possibility of course is to secure at the IP layer, a.k.a. IPsec. You
could secure all traffic between the servers with transport mode AH. That
would probably blow some minds in your organization. There are many who
only know IPsec as encrypted tunnels, i.e. VPNs.

On Wed, May 25, 2022 at 3:38 PM Mirsad Goran Todorovac <
mirsad.todorovac at alu.unizg.hr> wrote:

> Dear all,
>
> I have a zone local.grf.hr administered by AD, DHCP and DDNS run by Windows Server 2016
> (not by my architectural choice). However, since Windows Server 2016 had a round-robin
> strategy of querying the forwarders, it performed worse than BIND9 on an old Debian server.
>
> So, I had BIND9 as the secondary server ("slave" is somewhat politically incorrect) and I
> wanted to secure transactions with TSIG HMAC-SHA256 or stronger, as between Debian BIND9 servers.
>
> I've been Googling around, and they say it cannot be done, because Windows Server uses a
> special proprietary GSS-TSIG. The article was for an earlier version of WS.
>
> Has there been some improvement in the meantime?
>
> We are thinking about moving the DHCP server to Linux, but it is a huge job to convert the
> reservations, so it may not be done in the next couple of months.
>
> I would like to secure DNS xfers from zone poisoning in the meantime, considering the recent
> surge of cyber attacks since the recent war started, and our country voted support for the
> defending party.
>
> Frankly, I am not in deep with Microsoft DNS, and I guess there can be some tweaking with
> PowerShell, and maybe even some undocumented features, but right now I am presented with a
> problem I can't seem to solve because it is not an open system.
>
> Thanks for any help.
>
> Kind regards,
> Mirsad Todorovac
>
> --
> Mirsad Goran Todorovac
> CARNet sistem inženjer
> Grafički fakultet | Akademija likovnih umjetnosti
> Sveučilište u Zagrebu
>
> --
> CARNet system engineer
> Faculty of Graphic Arts | Academy of Fine Arts
> University of Zagreb, Republic of Croatia
> tel. +385 (0)1 3711 451
> mob. +385 91 57 88 355
>
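An added example, not code from either message above: the TSIG HMAC-SHA256 computation that the original post wants between BIND9 servers, showing what the MAC actually binds (the DNS message, the key name and a time window) and why a tampered transfer request, a wrong key or a replay outside the fudge window is rejected, which an IP ACL alone cannot do. It follows RFC 8945 for a single request message (the multi-message AXFR stream and the response-side request-MAC prefix are not covered); the key name `xfer-key`, the key bytes, the timestamps and the AXFR query are all constructed for the example.

```python
import hashlib
import hmac
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form: lowercase labels, each length-prefixed, then the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def axfr_query(zone: str, msg_id: int = 0x1234) -> bytes:
    """Constructed minimal AXFR request: header with QDCOUNT=1, one question (QTYPE AXFR=252, IN=1)."""
    return struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0) + name_to_wire(zone) + struct.pack("!HH", 252, 1)


def tsig_digest_input(message: bytes, key_name: str, time_signed: int, fudge: int,
                      error: int = 0, other: bytes = b"") -> bytes:
    """Data the MAC covers for a request (RFC 8945 section 4.3): the DNS message without its
    TSIG RR, then the TSIG variables: key name, CLASS ANY, TTL 0, algorithm name,
    time signed (48 bits), fudge, error and other data."""
    variables = (name_to_wire(key_name)
                 + struct.pack("!HI", 255, 0)              # CLASS ANY, TTL 0
                 + name_to_wire("hmac-sha256")              # algorithm name, canonical form
                 + time_signed.to_bytes(6, "big")           # seconds since epoch, 48-bit
                 + struct.pack("!HHH", fudge, error, len(other))
                 + other)
    return message + variables


def tsig_sign(message: bytes, key: bytes, key_name: str, time_signed: int, fudge: int = 300) -> bytes:
    """HMAC-SHA256 MAC the sender places in the TSIG RR."""
    return hmac.new(key, tsig_digest_input(message, key_name, time_signed, fudge), hashlib.sha256).digest()


def tsig_verify(message: bytes, key: bytes, key_name: str, time_signed: int,
                fudge: int, mac: bytes, now: int) -> bool:
    """Receiver side: reject anything outside the fudge window (BADTIME), then recompute the
    MAC with the shared secret and compare in constant time (BADSIG on mismatch)."""
    if abs(now - time_signed) > fudge:
        return False
    return hmac.compare_digest(tsig_sign(message, key, key_name, time_signed, fudge), mac)


if __name__ == "__main__":
    key = bytes(range(32))                      # constructed 256-bit key, not a real secret
    msg = axfr_query("local.grf.hr")
    mac = tsig_sign(msg, key, "xfer-key.", 1653460000)
    print("genuine :", tsig_verify(msg, key, "xfer-key.", 1653460000, 300, mac, 1653460100))
    tampered = msg[:-1] + bytes([msg[-1] ^ 1])  # flip one bit of the question section
    print("tampered:", tsig_verify(tampered, key, "xfer-key.", 1653460000, 300, mac, 1653460100))
```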