Audit DNS Entries
Auditing DNS entries is a fundamental practice for maintaining the security and reliability of any network. This chapter covers the essentials of authoritative nameservers, why they matter, how Ridgeback can help audit both forward and reverse DNS records, and guidance for setting up nameservers on Windows and Linux systems.
This chapter provides a foundation for auditing DNS entries with Ridgeback and configuring authoritative nameservers to support network reliability and security. It is not meant to be a comprehensive treatise on DNS; it is intended to get you started using DNS in your network.
Authoritative Nameservers
Definition: An authoritative nameserver holds the definitive records for a domain and responds to DNS queries with the most accurate information. Unlike caching or recursive nameservers that query other servers to resolve DNS requests, authoritative nameservers provide direct answers for domains they manage.
Types of Authoritative Nameservers:
- Primary (Master) Nameserver: The main server that holds the original zone records for a domain.
- Secondary (Slave) Nameserver: A backup server that obtains zone records from the primary server and can respond to queries if the primary server becomes unavailable.
Why Is an Authoritative Nameserver Important?
Authoritative nameservers play a critical role in DNS infrastructure:
- Reliability: They ensure DNS queries—both forward lookups (A/AAAA) and reverse lookups (PTR)—are answered promptly and accurately, supporting the network’s reliability.
- Security: Properly configured authoritative nameservers help prevent DNS-based attacks, such as cache poisoning, spoofing, and unauthorized reverse record tampering.
- Compliance: Auditing DNS entries, including reverse zones, can help maintain compliance with security standards and regulatory requirements.
- Redundancy: Secondary authoritative nameservers add a layer of resilience, ensuring domain availability even if the primary server fails.
Using Ridgeback to Audit DNS Records
Ridgeback offers powerful tools for auditing both forward and reverse DNS entries:
- Identify Discrepancies: Ensure A/AAAA and PTR records align—no orphaned forward entries without matching reverse, and vice versa.
- Detect Unauthorized Changes: Monitor for unexpected modifications to both forward and reverse zone files that could enable spoofing or mail-delivery issues.
- Enhance Visibility: Gain insights into DNS resolution patterns, including applications relying on reverse lookups (e.g., mail servers, logging systems).
- Strengthen Security Posture: Use metadata analysis to spot unusual reverse-DNS queries that may indicate reconnaissance or attack preparation.
How Ridgeback Works: Ridgeback collects and analyzes network traffic metadata—forward queries, reverse queries, and record changes—without storing actual packet contents. This allows administrators to validate that both forward and reverse DNS entries are functioning as intended and to spot anomalies efficiently.
Setting Up a Nameserver on Windows
Prerequisites:
- Windows Server installed.
- Access to Server Manager.
Steps:
- Install the DNS Server Role
  - Open Server Manager and navigate to Manage > Add Roles and Features.
  - Select DNS Server and follow the installation prompts.
- Configure the Forward Lookup Zone
  - Open DNS Manager from Tools in Server Manager.
  - Right-click Forward Lookup Zones and select New Zone.
  - Choose Primary Zone, specify the domain name (e.g., example.com), and finish the wizard.
  - Right-click your new zone, choose New Host (A or AAAA) to add host records.
- Configure the Reverse Lookup Zone
  - In DNS Manager, right-click Reverse Lookup Zones and select New Zone.
  - Choose Primary Zone, select IPv4 (or IPv6), and enter your network ID (e.g., 192.168.1).
  - Specify the zone file name (e.g., 1.168.192.in-addr.arpa) and finish the wizard.
  - Right-click the new reverse zone and select New Pointer (PTR). Enter the IP’s last octet and map it to the hostname.
- Verify Configuration
  - Open PowerShell or Command Prompt and run:
    nslookup 192.168.1.1
  - Confirm it returns the correct PTR record.
Setting Up a Nameserver on Linux
Prerequisites:
- A Linux server with root or sudo access.
- Bind9 (or similar DNS server software) installed.
Steps:
- Install Bind9
  - Debian/Ubuntu:
    sudo apt-get install bind9
  - CentOS/RHEL:
    sudo yum install bind
- Configure the DNS Server
  - Edit /etc/bind/named.conf.local to add your forward and reverse zones:
    zone "example.com" {
        type master;
        file "/etc/bind/zones/example.com.zone";
    };
    zone "1.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/1.168.192.in-addr.arpa.zone";
    };
- Create the Forward Zone File
  - Path: /etc/bind/zones/example.com.zone
  - Contents:
    $TTL 86400
    @       IN SOA ns1.example.com. admin.example.com. (
                2023110601 ; Serial
                3600       ; Refresh
                1800       ; Retry
                604800     ; Expire
                86400 )    ; Minimum TTL
    @       IN NS  ns1.example.com.
    ns1     IN A   192.168.1.1
    www     IN A   192.168.1.10
- Create the Reverse Zone File
  - Path: /etc/bind/zones/1.168.192.in-addr.arpa.zone
  - Contents:
    $TTL 86400
    @       IN SOA ns1.example.com. admin.example.com. (
                2023110601 ; Serial
                3600       ; Refresh
                1800       ; Retry
                604800     ; Expire
                86400 )    ; Minimum TTL
    @       IN NS  ns1.example.com.
    1       IN PTR ns1.example.com.
    10      IN PTR www.example.com.
- Restart and Verify
  - Restart Bind9 (on CentOS/RHEL the service unit is called named, so use sudo systemctl restart named):
    sudo systemctl restart bind9
  - Test forward lookup against a host defined in the zone:
    dig @localhost www.example.com A
  - Test reverse lookup:
    dig @localhost -x 192.168.1.1 PTR
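The forward/reverse consistency check described under Using Ridgeback to Audit DNS Records, run over zone files in the layout used in this chapter, as an added Python example (it is not Ridgeback's code or part of the original chapter). It derives the in-addr.arpa (or ip6.arpa) owner name each A/AAAA record must have with Python's ipaddress module and reports addresses with no PTR, PTRs with no forward record, and PTRs whose hostname disagrees with the forward zone; the zone text is constructed for the example, with three deliberate inconsistencies added to the chapter's records.

```python
import ipaddress
# Constructed sample zones mirroring this chapter's example.com zones, plus one A record
# without a PTR, one PTR without an A record, and one PTR whose hostname disagrees.
FORWARD_ZONE = """\
$TTL 86400
@     IN SOA ns1.example.com. admin.example.com. ( 2023110601 3600 1800 604800 86400 )
@     IN NS  ns1.example.com.
ns1   IN A   192.168.1.1
www   IN A   192.168.1.10
mail  IN A   192.168.1.20   ; no PTR for this address in the reverse zone
"""
REVERSE_ZONE = """\
$TTL 86400
@     IN SOA ns1.example.com. admin.example.com. ( 2023110601 3600 1800 604800 86400 )
@     IN NS  ns1.example.com.
1     IN PTR ns1.example.com.
10    IN PTR web.example.com.        ; forward zone says www, not web
30    IN PTR old-host.example.com.   ; no A record for 192.168.1.30
"""

def parse_records(zone_text, origin, rtypes):
    """Return {owner_fqdn: rdata} for one-line records of the given types (chapter layout)."""
    records = {}
    for line in zone_text.splitlines():
        parts = line.split(";", 1)[0].split()   # drop comments, then tokenize
        if len(parts) < 4 or parts[1] != "IN" or parts[2] not in rtypes:
            continue                           # skips $TTL, SOA, NS and blank lines
        owner = parts[0]
        if owner == "@":                       # '@' is the zone origin itself
            owner = origin
        elif not owner.endswith("."):          # relative names are qualified with the origin
            owner = f"{owner}.{origin}"
        records[owner] = parts[3].rstrip(".")
    return records

def audit_zones(forward_text, forward_origin, reverse_text, reverse_origin):
    """Cross-check A/AAAA against PTR in both directions; returns three sorted issue lists."""
    hosts = parse_records(forward_text, forward_origin, {"A", "AAAA"})   # fqdn -> address
    ptrs = parse_records(reverse_text, reverse_origin, {"PTR"})          # arpa name -> host
    # ipaddress builds the in-addr.arpa / ip6.arpa owner name each A/AAAA record must have.
    expected = {ipaddress.ip_address(ip).reverse_pointer + ".": (host, ip) for host, ip in hosts.items()}
    report = {"missing_ptr": [], "orphan_ptr": [], "mismatch": []}
    for arpa, (host, ip) in expected.items():
        if arpa not in ptrs:
            report["missing_ptr"].append(f"{host} {ip}")
        elif ptrs[arpa] != host.rstrip("."):
            report["mismatch"].append(f"{ip} PTR {ptrs[arpa]} but A is {host}")
    report["orphan_ptr"] = [f"{arpa} PTR {host}" for arpa, host in ptrs.items() if arpa not in expected]
    return {k: sorted(v) for k, v in report.items()}
```

Call audit_zones(FORWARD_ZONE, "example.com.", REVERSE_ZONE, "1.168.192.in-addr.arpa.") to get the three lists; pass the origins with their trailing dots, exactly as BIND treats them.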
With forward and reverse zones properly configured—and Ridgeback’s auditing capabilities—you’ll maintain accurate DNS mappings, improve network security, and ensure seamless hostname and IP resolution across your infrastructure.