DNS Cache Locking:-
To mitigate cache poisoning risks in Windows Server 2016, you can use DNS cache locking to determine when information in the DNS resolver cache can be overwritten. When you enable cache locking, the DNS server does not allow updates to cached records until their TTL has expired.
Cache locking is a Windows Server 2016 feature that lets you securely control when information in the DNS resolver cache can be overwritten. When a recursive DNS server responds to a query, it caches the result so that it can respond quickly to another query requesting the same information.
This feature protects DNS cache records from DNS cache poisoning attacks by malicious users, and it is configured as a percentage (of each cached record's TTL).
DNS Scavenging:-
It is the process of removing outdated DNS records: the server looks at each record's timestamp and removes records that have gone stale. DNS scavenging is not configured by default; with the default intervals, stale records are removed after 14 days. Scavenging can be set in three places: 1) the individual record, 2) the zone and 3) the server.
Scavenging on a Zone:- Click Server Manager > Tools > DNS > right-click the zone you want > click Properties > check "Scavenge stale resource records".
Scavenging on the DNS Server:- Server Manager > Tools > DNS > right-click the DNS server > click Properties > enable "Automatic scavenging of stale records". By running dnscmd.exe you can verify the scavenging settings.
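The cache locking and scavenging settings described above, applied and verified from PowerShell instead of the GUI. This is an added example, not part of the original notes; it assumes the DnsServer module is installed (DNS role or RSAT) and uses a hypothetical zone name "corp.example".

```powershell
# Added example (not from the original notes). Assumes the DnsServer PowerShell
# module and a hypothetical zone named "corp.example" on the local DNS server.
Import-Module DnsServer

$Zone = 'corp.example'   # hypothetical zone name, replace with your own

# --- Cache locking: the percentage of a cached record's TTL during which the
# record cannot be overwritten by a new response. 100 = locked for the full TTL.
$cache = Get-DnsServerCache
"Current LockingPercent: $($cache.LockingPercent)"
if ($cache.LockingPercent -lt 100) {
    # Anything below 100 leaves a window in which an unsolicited answer
    # could replace a still-valid cached record, so raise it to 100.
    Set-DnsServerCache -LockingPercent 100
}

# --- Scavenging: no-refresh + refresh interval define when a dynamic record
# becomes stale (7 + 7 days = the 14 days mentioned in the notes).
# Only timestamped (dynamically registered) records are eligible for removal;
# static records carry no timestamp and are never scavenged.
Set-DnsServerScavenging -ScavengingState $true `
                        -ScavengingInterval (New-TimeSpan -Days 7) `
                        -NoRefreshInterval  (New-TimeSpan -Days 7) `
                        -RefreshInterval    (New-TimeSpan -Days 7)

# Enable aging on one zone (the "Scavenge stale resource records" checkbox).
Set-DnsServerZoneAging -Name $Zone -Aging $true `
                       -NoRefreshInterval (New-TimeSpan -Days 7) `
                       -RefreshInterval   (New-TimeSpan -Days 7)

# --- Verification of what was actually applied
Get-DnsServerCache      | Format-List LockingPercent
Get-DnsServerScavenging | Format-List ScavengingState, ScavengingInterval, NoRefreshInterval, RefreshInterval
Get-DnsServerZoneAging -Name $Zone | Format-List ZoneName, AgingEnabled, NoRefreshInterval, RefreshInterval

# The same settings as reported by the legacy tool the notes mention
dnscmd.exe /info              # look for the ScavengingInterval line
dnscmd.exe /zoneinfo $Zone    # look for the Aging and interval lines
```

Run it in an elevated PowerShell session on the DNS server; check the zone's aging output before enabling server-wide scavenging so that no zone is scavenged unintentionally.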
Stub Zone:- It is a copy of a DNS zone that contains only the resource records needed to identify the authoritative DNS servers for that zone. It can be added as a forward or reverse lookup zone, and it can also be an Active Directory-integrated zone. It contains the SOA and NS records (start of authority and name server). The IP address of one or more master servers can be used to update the stub zone.
DNS Policy can be used to control how the DNS server processes name resolution queries based on policies you define. An administrator can use it to have primary and secondary DNS servers respond to DNS client queries based on the client's location and the resource the client is trying to connect to. DNS responses can also be managed based on the time of day and by applying filters on DNS queries. DNS policy can be used in a forensic-like way as well: for example, a hacker, other malicious user or DNS client can be redirected to a non-existent IP address.
DNSSEC (Domain Name System Security Extensions) protects the Internet from forged DNS data by using digital signatures and public-key cryptography to validate the data at its destination as it arrives from the zone. Each zone has a pair of private and public keys. The zone's public key is published using DNS, while the zone's private key is kept safe and may be stored offline. A zone's private key signs the individual DNS data in that zone, creating digital signatures that are also published in DNS.