DNS devolution
What is the scope of the advisory?
This advisory provides
notification that updates are available that help define an
organizational boundary for systems that are domain joined but do not
have a DNS suffix list configured.
What is a top-level domain (TLD)?
The
top-level domain (TLD) is the last part of an Internet domain name.
These are the letters that follow the final dot of any domain name. For
example, in the domain name wpad.western.corp.contoso.co.us, the TLD is
".us". TLDs can be primarily split into two types: country code and
generic. Country code TLDs are two letter abbreviations for each
country. In this example .us is for United States. Generic TLDs are the
more traditionally recognizable three (or greater) letter abbreviations
such as .com, .net, .org, etc. For a full list of all available TLDs,
refer to the following list at IANA.
What is a Primary DNS Suffix (PDS)?
This
is the domain name appended to the right of a computer's single label
host name. A fully qualified domain name (FQDN) can be defined as
the single-label host name followed by the primary DNS suffix. By default, the primary
DNS suffix portion of a computer's FQDN is the same as the name of the
Active Directory domain to which the computer is joined. However, a
computer's PDS may be different than the DNS domain to which it is
joined when configured via the Properties dialog box from My Computer.
What is a second-level domain (SLD)?
A
second-level domain (SLD) is a domain located directly "below" or to
the left of the TLD. In the previous example,
wpad.western.corp.contoso.co.us, the SLD is ".co". The most common
registration of SLDs is under country code TLDs. The United States
primarily uses the SLD for US state registration such as ".co.us" for
the state of Colorado for example. Non-US SLDs often reuse common TLD
names such as ".com.sg".
What does the DNS devolution feature do?
Devolution
is a Windows DNS client feature. Devolution is the process by which
Windows DNS clients resolve DNS queries for single-label unqualified
hostnames. Queries are constructed by appending PDS to the hostname.
The query is retried by systematically removing the left-most label in
the PDS until the hostname + remaining PDS resolves or only two labels
remain in the stripped PDS. For example, Windows clients looking for
"Single-label" in the western.corp.contoso.co.us domain will
progressively query Single-label.western.corp.contoso.co.us,
Single-label.corp.contoso.co.us, Single-label.contoso.co.us, and then
Single-label.co.us until it finds a system that resolves. This process
is referred to as devolution.
Q: What, exactly, is DNS name devolution? Are there any security risks linked to this DNS feature? Has anything changed in Windows 7 and Windows Server 2008 R2 to better protect my Windows platforms against these security risks?
A: DNS name devolution is a built-in feature of the Windows DNS Client. Users of Active Directory (AD)-joined computers can use DNS name devolution to connect to resources using an unqualified name, such as mailserver1, instead of using a Fully Qualified Domain Name (FQDN), such as mailserver1.emea.mydomain.net. Thanks to name devolution, the DNS client will automatically append portions of the AD-joined computer's primary DNS domain suffix (for example, "emea.mydomain.net") to the unqualified name during the DNS name resolution process.
For example, when a user on a computer that's a member of the emea.mydomain.net domain uses the resource name mailserver1, the DNS client will automatically try to resolve the mailserver1.emea.mydomain.net and mailserver1.mydomain.net FQDNs.
An important parameter in the DNS name devolution process is the devolution level. It refers to the number of labels in the primary DNS domain suffix at which the devolution process stops. Labels are the parts of a DNS name that are separated by dots. In the above example, emea, mydomain, and net are the three labels of the emea.mydomain.net domain suffix.
In Windows versions prior to Windows 7 and Windows Server 2008 R2, the DNS name devolution level is always two. This means that if you type mailserver1 and the primary domain suffix is france.emea.dc.net, the DNS client will first try to resolve mailserver1.france.emea.dc.net, then mailserver1.emea.dc.net, then finally mailserver1.dc.net. At this point devolution will stop, because only two labels—dc and net—are left.
The default devolution level of two creates a security risk. It may cause domain-joined computers to connect to a malicious computer on the Internet that's outside of the control of an organization's AD domain. Let me illustrate this with an example.
A domain-joined computer's primary domain suffix is mycompany.fl.us (mycompany is located in Florida, hence the extension fl.us) and tries to connect to mailserver1. In this example, the DNS client will try to resolve mailserver1.mycompany.fl.us and mailserver1.fl.us. The last name in this list, mailserver1.fl.us, is outside of the control of my company. If a malicious person has registered mailserver1.fl.us in the DNS, the name resolution will succeed, the domain-joined computer will try to connect to it, and the malicious user could spoof an internal server.
In Windows 7 and Server 2008 R2, Microsoft changed the default DNS devolution behavior such that it cannot cause an internal client to connect to an external computer. Microsoft also provides an update for older Windows platforms to bring the new DNS devolution logic to these older platforms. Microsoft offers more information on this fix.
The DNS devolution logic has changed as follows:
- If the number of labels in the AD forest root domain's DNS name is one or a machine's primary DNS suffix doesn't end with the forest root domain's DNS name, DNS devolution is automatically disabled. For example, if a computer is a member of the mycompany.com domain and the forest root domain name is mycompany.fl.us, devolution is disabled (mycompany.com does not end with mycompany.fl.us).
- If a machine's primary DNS suffix ends with the forest root domain's DNS name, the devolution level is automatically set to the number of labels in the forest root domain. For example, if the computer is a member of the research.mycompany.fl.us domain and the forest root domain name is mycompany.fl.us, the devolution level is set to three (which matches the number of labels in mycompany.fl.us).
You can enable name devolution from the DNS tab in the advanced properties of the TCP/IPv4 and TCP/IPv6 protocols of a Windows box's network interfaces. When you click Append primary and connection specific DNS suffixes and select Append parent suffixes of the primary DNS suffix, name devolution is enabled, as shown here.
You can also centrally configure name devolution with the following Group Policy settings, which are located in the Computer Configuration\Administrative Templates\Network\DNS Client GPO container:
- Primary DNS Suffix Devolution: This Group Policy Object (GPO) setting controls the HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\UseDomainNameDevolution registry value.
- Primary DNS Suffix Devolution Level: This GPO setting controls the HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DomainNameDevolutionLevel registry value.
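The following is an added example, not code from the advisory or the Q&A above: it simulates the candidate names a Windows DNS client would try for an unqualified host name under the legacy fixed devolution level of two and under the forest-root-bounded rules listed above, and flags which candidates fall outside the forest root. The function and variable names are the example's own; the domain names are the ones used in the text.

```python
from typing import List, Optional


def labels(name: str) -> List[str]:
    """Split a DNS name into its labels, ignoring case and a trailing dot."""
    return [part for part in name.lower().strip(".").split(".") if part]


def devolution_level(primary_suffix: str, forest_root: Optional[str]) -> int:
    """Effective devolution level; 0 means devolution is disabled.

    forest_root=None models the pre-Windows 7 behaviour (always 2).
    Otherwise the Windows 7 / Server 2008 R2 rules from the text apply.
    """
    if forest_root is None:
        return 2
    suffix, root = labels(primary_suffix), labels(forest_root)
    # Rule 1: single-label forest root, or a primary suffix that does not
    # end with the forest root name, disables devolution entirely.
    if len(root) <= 1 or suffix[-len(root):] != root:
        return 0
    # Rule 2: stop stripping once only the forest root's labels remain.
    return len(root)


def candidates(host: str, primary_suffix: str,
               forest_root: Optional[str] = None) -> List[str]:
    """Names the client would query, in order, for a single-label host."""
    level = devolution_level(primary_suffix, forest_root)
    suffix = labels(primary_suffix)
    out = [f"{host}.{'.'.join(suffix)}"]  # the full PDS is always appended first
    if level == 0:
        return out                        # disabled: no parent suffixes tried
    while len(suffix) > level:
        suffix = suffix[1:]               # strip the left-most label and retry
        out.append(f"{host}.{'.'.join(suffix)}")
    return out


def outside_forest(names: List[str], forest_root: str) -> List[str]:
    """Candidates that are not under the forest root, i.e. outside the org's control."""
    root = labels(forest_root)
    return [n for n in names if labels(n)[-len(root):] != root]


if __name__ == "__main__":
    legacy = candidates("mailserver1", "mycompany.fl.us")
    print("legacy:", legacy, "outside:", outside_forest(legacy, "mycompany.fl.us"))
    print("updated:", candidates("mailserver1", "mycompany.fl.us", "mycompany.fl.us"))
```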