Delegation of Control of DNS Zone Administration

Overview

Members of the built-in DNSAdmins security principal in an Active Directory domain are granted the following default permissions: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions.

In a large organization, there may be a need to delegate control of the DNS Zone Administration to regional or branch office network administration groups or to the SOC team, who may have to create honeypot DNS entries. This article outlines one possible way to configure the delegation.

For this illustration, the regional network administration team is assumed to be located in the APAC region and to create their first Active Directory integrated DNS Zone, called lazydog.com.

Procedure

In order to keep the default Active Directory permissions on the defaultNC or the DomainDNSZones partition intact and to delegate control of DNS Zone Administration, this procedure requires the creation of a custom application partition.

The application partition can be replicated to all the domain controllers in the domain or to a specific subset of domain controllers. For fault tolerance purposes, it is recommended that the replica set span at least two domain controllers. One replica can be on a DC in the region or branch office and the other on a DC in another region or in the central office.

Technical Details

1. Create custom Application Partition for DNS

Note: You will need domain admin rights in the forest root domain to perform this task.
  • Log into a domain controller in the child domain with Domain Admin account.
  • Launch command prompt.
  • Using RUNAS, change user context to forest root Domain Admin account
  • Using DNSCMD.EXE, create custom application partition for the specific purpose of DNS. For this lab exercise, we will use the FQDN apDNSAPAC.win.
Note: It is not necessary to have the DNS namespace of the custom application partition in the same DNS domain hierarchy as any one of your current DNS domains. The name apDNSAPAC.win is generic and will work in almost all cases.

dnscmd %computername% /createDirectoryPartition apDNSAPAC.win

  • Add at least one more domain controller to the replica set

dnscmd [nextDCinDomainFQDN] /enlistDirectoryPartition apDNSAPAC.win

Note: You can also create the application partition and add replicas using the NTDSUTIL command. In that case the container CN=MicrosoftDNS is created only when the first DNS Zone is hosted in the newly created application partition. With DNSCMD, the container is created immediately.
  • Review replica set

dnscmd %computername% /DirectoryPartitionInfo apDNSAPAC.win

  • Ensure Replica count is greater than 1.
  • Launch LDP.EXE or other LDAP browser of your choice to confirm you can connect to the base DN of the newly created application partition. The container CN=MicrosoftDNS,DC=apDNSAPAC,DC=win should be listed in list of partitions that are hosted on the DC.
  • Exit out from the command prompt running as forest root Domain Admin

2. Create forward lookup DNS Zone for the custom Application Partition

  • Log into a domain controller in the child domain with Domain Admin account.
  • Launch command prompt.
  • Using RUNAS, change user context to forest root Domain Admin account
  • Launch DNSMGMT.MSC
  • Select current DNS Server
  • Select Forward Lookup Zone
  • Right mouse click and select New Zone
  • Select type of zone as Primary Zone
  • Check Store the Zone in Active Directory
  • For Replication Scope, select To all DNS Servers running on domain controllers in this domain:
  • Next type DNS Zone name as apDNSAPAC.win
  • For Dynamic Update option, select Allow only secure dynamic updates.
  • If you are setting up Delegation of Control for DNS Sinkhole purposes or other special purposes, select Do not allow dynamic updates
  • Click on Finish button to commit the settings
  • Close DNSMGMT.MSC
  • Exit out from the command prompt running as forest root Domain Admin

3. Create Active Directory Security Group in a child domain

The security group created in this step will be granted the following permissions: (1) Create / Delete DNS Zone in the custom application partition; (2) Manage records in the newly created DNS Zone.

  • Log into a domain controller with Domain Admin account.
  • Launch DSA.MSC
  • Create a security group.
For this lab exercise, create a security group called APAC Region DNS Zone Administrators. The location of the group in the domain does not matter.
  • The security group type can be Domain Local Group or Domain Global Group, as it suits your environment.
  • Add members to the newly created security group.
  • Close DSA.MSC

4. Configure Permissions on CN=MicrosoftDNS Container

  • Log into a domain controller in the child domain with Domain Admin account.
  • Launch command prompt.
  • Using RUNAS, change user context to forest root Domain Admin account
  • Run the following two commands
Grant Read permission on the custom Application Partition to the APAC Region DNS Zone Administrators security group.

dsacls "\\%computername%\DC=apDNSAPAC,DC=win" /grant "[childDomainFQDN]\APAC Region DNS Zone Administrators":GR;;container /I:S

Grant Create Child & Delete Child permissions for objects of type dnsZone on the MicrosoftDNS container to the APAC Region DNS Zone Administrators security group.

dsacls "\\%computername%\CN=MicrosoftDNS,DC=apDNSAPAC,DC=win" /grant "[childDomainFQDN]\APAC Region DNS Zone Administrators":CCDC;dnsZone;


5. Create your first DNS Zone

Note: The following task does not require elevated privileges or interactive login to any domain controller.
  • Select a domain computer on your network that has RSAT for Windows already installed.
  • Using your domain account that has membership in the newly created security group i.e. APAC Region DNS Zone Administrators, log into the domain computer
  • Launch command prompt.
  • Run the following two commands to create your first DNS Zone in the custom application partition. For this lab exercise, the new DNS Zone will be called lazydog.com.
Create DNS Zone lazydog.com in apDNSAPAC.win

dnscmd apDNSAPAC.win /zoneAdd lazydog.com /DsPrimary /Dp apDNSAPAC.win /a support@synergix.com

Optionally, configure Dynamic Update. The following command with the /allowUpdate 0 parameter sets Dynamic Updates to None.

dnscmd apDNSAPAC.win /config lazydog.com /allowUpdate 0

6. Update Permissions

In order for members of the newly created security group APAC Region DNS Zone Administrators to have rights to manage the DNS Zone, you must grant the appropriate permissions on the zone container for objects of type dnsNode.

  • Select a domain computer on your network that has RSAT for Windows already installed.
  • Using your domain account that has membership in the newly created security group i.e. APAC Region DNS Zone Administrators, log into the domain computer
  • Launch command prompt
  • Run the following commands to update permissions.
Grant Create Child & Delete Child permission on object type dnsNode

dsacls "\\apDNSAPAC.win\DC=lazydog.com,CN=MicrosoftDNS,DC=apDNSAPAC,DC=win" /grant "%userDNSDomain%\APAC Region DNS Zone Administrators":CCDC;dnsNode;

Grant Delete Subtree permission on the newly created DNS Zone, inherited by all child objects

dsacls "\\apDNSAPAC.win\DC=lazydog.com,CN=MicrosoftDNS,DC=apDNSAPAC,DC=win" /grant "%userDNSDomain%\APAC Region DNS Zone Administrators":SD;; /I:T

Grant Write Property permission on dnsRecord, dnsProperty and dnsTombstoned attributes of the object type dnsNode

dsacls "\\apDNSAPAC.win\DC=lazydog.com,CN=MicrosoftDNS,DC=apDNSAPAC,DC=win" /grant "%userDNSDomain%\APAC Region DNS Zone Administrators":WP;dnsRecord;dnsNode /I:S
dsacls "\\apDNSAPAC.win\DC=lazydog.com,CN=MicrosoftDNS,DC=apDNSAPAC,DC=win" /grant "%userDNSDomain%\APAC Region DNS Zone Administrators":WP;dnsProperty;dnsNode /I:S
dsacls "\\apDNSAPAC.win\DC=lazydog.com,CN=MicrosoftDNS,DC=apDNSAPAC,DC=win" /grant "%userDNSDomain%\APAC Region DNS Zone Administrators":WP;dnsTombstoned;dnsNode /I:S

Configure Start of Authority record values

dnscmd apDNSAPAC.win /recordAdd lazydog.com @ SOA %dnsServer% support.synergix.com. 1 900 600 604800 3600

Revoke the permissions granted to Authenticated Users and to the current user (the zone creator) on the new zone, so that only the delegated group retains management rights.

dsacls "\\apDNSAPAC.win\DC=lazydog.com,CN=MicrosoftDNS,DC=apDNSAPAC,DC=win" /R "Authenticated Users"
dsacls "\\apDNSAPAC.win\DC=lazydog.com,CN=MicrosoftDNS,DC=apDNSAPAC,DC=win" /R "%username%"
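After steps 4 and 6, it is worth confirming that the zone container's ACL actually contains the delegated ACEs and nothing more. The following PowerShell audit script is an added example, not part of the original article; it assumes the ActiveDirectory RSAT module is installed, uses the article's lab names for the partition, zone and group, and decodes the object-specific ACEs by resolving the schemaIDGUIDs of dnsNode, dnsRecord, dnsProperty and dnsTombstoned.

```powershell
# Added audit script (not from the original article): reads the ACL on the delegated
# zone container and checks for the ACEs that steps 4 and 6 are meant to leave behind.
# Assumes the ActiveDirectory RSAT module; the names below are the article's lab values.
Import-Module ActiveDirectory

$Server    = 'apDNSAPAC.win'   # any DC in the replica set answers for the partition
$ZoneDN    = 'DC=lazydog.com,CN=MicrosoftDNS,DC=apDNSAPAC,DC=win'
$GroupName = 'APAC Region DNS Zone Administrators'

# Map schemaIDGUIDs to names so object-specific ACEs can be decoded by name
$schemaNC = (Get-ADRootDSE -Server $Server).schemaNamingContext
$guidName = @{}
Get-ADObject -Server $Server -SearchBase $schemaNC -Properties lDAPDisplayName, schemaIDGUID `
    -LDAPFilter '(|(lDAPDisplayName=dnsNode)(lDAPDisplayName=dnsRecord)(lDAPDisplayName=dnsProperty)(lDAPDisplayName=dnsTombstoned))' |
    ForEach-Object { $guidName[([guid]$_.schemaIDGUID).Guid] = $_.lDAPDisplayName }

# Bind a provider drive to a DC that hosts the application partition, then read the ACL
New-PSDrive -Name APACDNS -PSProvider ActiveDirectory -Server $Server -Root '' | Out-Null
$acl = Get-Acl -Path "APACDNS:\$ZoneDN"

$findings = @()
foreach ($ace in $acl.Access) {
    $who = $ace.IdentityReference.Value
    $obj = $guidName[$ace.ObjectType.Guid]           # attribute/class the right applies to
    $inh = $guidName[$ace.InheritedObjectType.Guid]  # class the ACE is inherited by
    if ($who -like "*\$GroupName") {
        "{0,-6} {1,-28} obj={2,-14} inheritTo={3}" -f $ace.AccessControlType, $ace.ActiveDirectoryRights, $obj, $inh
    }
    # Step 6 revoked the explicit Authenticated Users entries; any that remain are a finding
    if ($who -eq 'NT AUTHORITY\Authenticated Users' -and -not $ace.IsInherited) {
        $findings += "Explicit ACE still present for Authenticated Users: $($ace.ActiveDirectoryRights)"
    }
}

# Expected delegation from step 6: CC/DC scoped to dnsNode and WP on the three attributes
$groupAces = $acl.Access | Where-Object { $_.IdentityReference.Value -like "*\$GroupName" }
$expected = @(
    @{ Right = 'CreateChild, DeleteChild'; Obj = 'dnsNode' },
    @{ Right = 'WriteProperty';            Obj = 'dnsRecord' },
    @{ Right = 'WriteProperty';            Obj = 'dnsProperty' },
    @{ Right = 'WriteProperty';            Obj = 'dnsTombstoned' }
)
foreach ($e in $expected) {
    $hit = $groupAces | Where-Object { $_.ActiveDirectoryRights.ToString() -eq $e.Right -and $guidName[$_.ObjectType.Guid] -eq $e.Obj }
    if (-not $hit) { $findings += "Missing ACE for ${GroupName}: $($e.Right) on $($e.Obj)" }
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'Delegation ACL matches steps 4 and 6.' }
```

Run it as any domain user with read access to the partition; the DeleteTree ACE from the /I:T grant is listed in the output but not asserted on, since its presence is a policy choice.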

7. Create DNS Records

This step illustrates the setup of a DNS Sinkhole. Use the IP address of a honeypot server that suits your environment.
  • Select a domain computer on your network that has RSAT for Windows already installed.
  • Using your domain account that has membership in the newly created security group i.e. APAC Region DNS Zone Administrators, log into the domain computer
  • Launch command prompt
  • Run one of the following commands to create the DNS Record
Use @ to block or to redirect the domain lazydog.com

dnscmd apDNSAPAC.win /recordAdd lazydog.com @ A 127.0.0.1

or

Use * to block or redirect all the names in the domain lazydog.com

dnscmd apDNSAPAC.win /recordAdd lazydog.com * A 127.0.0.1


  • Launch DNSMGMT.MSC
  • Select or Add DNS Server apDNSAPAC.win
  • Expand Forward Lookup Zone
  • Select DNS Zone lazydog.com
  • View DNS Records
  • Confirm the DNS Record @ (parent folder) is created and has its target IP address set to 127.0.0.1
  • Close DNSMGMT.MSC

8. Summary

As mentioned at the beginning of this article, this is one method we have come up with for Delegation of Control of the DNS Zone Administration task. Maybe there are other, better ways of implementing the same. Your comments will be greatly appreciated.

The solution proposed in this blog may be implemented to set up a DNS Sinkhole; however, it is limited to the on-premises network. For scenarios that deal with corporate devices operating on untrusted networks such as at home, coffee shops, airport lounges, etc., please consult with our pre-sales team to discuss how Synergix Active Directory Client Extensions or ADCE can help.
