thanks youre awesome. love your videos
@@CardinS2U thanks for watching! Glad it was helpful
Very good explanation. Thanks so much for posting. Blessings
Thanks for watching!
First of all, thank you very much for your valuable sharing.
I have a few questions, I would be very grateful if you could answer them.
We have a firewall in the environment that performs SSL/TLS inspection. Do additional security parameters such as DNSSEC, DoH, DoT create an obstacle for reporting on the firewall or the implementation of additional security measures? I mean, do these measures allow DNS tunneling attacks such as DNS over TCP?
External requests to the DNS server in the environment will be forwarded to the provider that will support the dot doh method instead of the standard forwarder zone dns server for all users.
Is internet access stopped if users try to disable dot in browser or windows?
I.e., is it possible to prevent it from accessing the internet at all without using DoH/DoT?
Thanks for watching! Yes but no. DNSSEC adds a layer of integrity to DNS requests. Yes, this will prevent DNS tunneling, cache poisoning, hijacks, and DNS spoofing. The limitation here is that you can only manage DNSSEC for your domain and you are reliant on other organizations for theirs, and you cannot force clients to use only DNSSEC lookups. You could tell your DNS server to drop any requests not signed with DNSSEC. Most servers on the internet are not using DNSSEC and this could be problematic. I have never configured this so I am not 100% sure it is possible. It sounds good on paper.
DoH and DoT are more about privacy than anything else. It will prevent MITM attacks from modifying DNS requests if the attacker does not have the certificate key for the TCP connection. I'll come back to this thought in a moment. Using DoH typically limits what the firewalls see since the traffic is over 443.
If you are decrypting all HTTPS traffic at your firewall then this won't affect you. This process is a heavy load on the firewall and is typically done in large security-heavy organizations.
If you are using Cisco Umbrella as your DNS servers you will still be able to track and block requests that are being made because the Umbrella server is the other side of the DoH connection; as far as the requester is concerned.
If an attacker were to compromise your network however they would not be able to see a good history of public DNS lookups without access to a firewall decrypting the HTTPS packets or Cisco Umbrella. So DoH limits where the DNS lookup information can be accessed from and it can prevent packets from being captured and modified by an attacker.
You would need to enforce a GPO that blocks browsers from utilizing their own DNS servers. They do their own thing if they are not told not to.
HOW TO: support.umbrella.com/hc/en-us/articles/360033819691-GPO-and-DoH
CHROME ADMX TEMPLATES FOR GPO: support.google.com/chrome/a/answer/187202?hl=en#zippy=%2Cwindows
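The reply above points at GPO as the way to stop browsers from talking to their own DoH resolver. As an added example (not code from the video, the commenter, or the linked Umbrella/Google articles), the script below writes the same registry values that the vendor ADMX templates set under HKLM:\SOFTWARE\Policies and then audits them, so a machine can be checked for compliance before or after the GPO is applied. The policy names (Chrome and Edge `DnsOverHttpsMode`, Firefox `DNSOverHTTPS\Enabled`) are the real vendor policies; the internal forwarder address is a placeholder you must replace.

```powershell
# Added example: enforce and audit the browser DoH policies a GPO would push.
# Run from an elevated PowerShell. Test on one workstation before deploying via GPO.

# Placeholder: the IP of your internal DNS forwarder (the one that does DoH/DoT upstream).
$InternalForwarder = '192.0.2.10'

$Policies = @(
    # Chrome and Edge share the DnsOverHttpsMode policy; "off" disables the built-in DoH client.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome';   Name = 'DnsOverHttpsMode'; Value = 'off'; Type = 'String' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge';  Name = 'DnsOverHttpsMode'; Value = 'off'; Type = 'String' }
    # Firefox: DNSOverHTTPS\Enabled = 0 turns off Trusted Recursive Resolver mode.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS'; Name = 'Enabled'; Value = 0; Type = 'DWord' }
)

function Set-BrowserDohPolicy {
    # Write each policy value; New-ItemProperty -Force overwrites an existing value.
    foreach ($p in $Policies) {
        if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        New-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Value -PropertyType $p.Type -Force | Out-Null
    }
}

function Test-BrowserDohPolicy {
    # One object per browser so the output can be exported (CSV) or alerted on.
    foreach ($p in $Policies) {
        $current = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        [pscustomobject]@{
            Policy    = "$($p.Path)\$($p.Name)"
            Expected  = $p.Value
            Actual    = $current
            Compliant = ($null -ne $current) -and ("$current" -eq "$($p.Value)")
        }
    }
}

function Test-ResolverIsInternal {
    # Browsers disabled from DoH fall back to the OS resolver, so also confirm the
    # adapters only point at the internal forwarder and not at a public resolver.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            [pscustomobject]@{
                Interface   = $_.InterfaceAlias
                DnsServers  = ($_.ServerAddresses -join ',')
                OnlyInternal = -not ($_.ServerAddresses | Where-Object { $_ -ne $InternalForwarder })
            }
        }
}

# Usage (as Administrator):
# Set-BrowserDohPolicy
# Test-BrowserDohPolicy | Format-Table -AutoSize
# Test-ResolverIsInternal | Format-Table -AutoSize
```

Registry values under HKLM:\SOFTWARE\Policies are exactly what the ADMX-based GPO writes, so `Test-BrowserDohPolicy` reporting `Compliant = False` on a domain machine means the GPO has not applied yet (run `gpupdate /force` and re-check) or a local override exists. The Windows resolver itself is not covered by these browser policies; that is why the second check exists.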
It was a great expression, thank you
Thank you glad to hear it!
well explained, thank you
Thanks for watching! Very glad you found it useful
brilliant mate
Thanks for watching!
Great resource! Could you please explain how to sign a power shell script?
Thanks for watching! If you wish to use your code signing certificate to sign a script it can be done in the below commands format
Set-AuthenticodeSignature C:\Users\Public\Documents\Import-EventsHourly.ps1 @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0]
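The one-liner above works, but as an added example (not the commenter's code) the block below wraps it with the two things that bite people later: a timestamp so the signature stays valid after the certificate expires, and a verification step that reads the signature status back before the script is trusted. The script path and timestamp server URL are placeholders; substitute your own.

```powershell
# Added example: sign a script with a code-signing certificate and verify the result.
# Requires a certificate with the Code Signing EKU and its private key in Cert:\CurrentUser\My.

$ScriptPath      = 'C:\Users\Public\Documents\Import-EventsHourly.ps1'  # placeholder path
$TimestampServer = 'http://timestamp.digicert.com'                       # placeholder RFC 3161 timestamp server

function Invoke-ScriptSigning {
    param([string]$Path = $ScriptPath)

    # Choose the longest-lived, unexpired code-signing certificate we hold the private key for,
    # instead of blindly taking element [0].
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.NotAfter -gt (Get-Date) -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw 'No usable code-signing certificate found in Cert:\CurrentUser\My' }

    # -HashAlgorithm SHA256 avoids the weak SHA-1 default on older hosts.
    # -TimestampServer lets the signature remain valid after the certificate expires,
    #   which matters for scripts run by scheduled tasks for years.
    $sig = Set-AuthenticodeSignature -FilePath $Path -Certificate $cert `
                                     -HashAlgorithm SHA256 -TimestampServer $TimestampServer
    if ($sig.Status -ne 'Valid') {
        throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)"
    }
    $sig
}

function Test-ScriptSignature {
    param([string]$Path = $ScriptPath)

    # Status meanings worth knowing:
    #   Valid        - chains to a trusted root and the file is unmodified since signing
    #   HashMismatch - the file was edited after it was signed (re-sign, or investigate)
    #   UnknownError - usually the signer is not trusted on this machine
    #   NotSigned    - no signature block at all
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Signer     = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
        Trusted    = ($sig.Status -eq 'Valid')
    }
}

# Usage:
# Invoke-ScriptSigning
# Test-ScriptSignature | Format-List
```

Editing a signed script even by one character flips the status to HashMismatch, so sign as the last step of your change process, and keep the execution policy at AllSigned or RemoteSigned so that status is actually enforced.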
It helped, especially LLMNR
I couldn't figure out how to install DNS Manager - Windows 10 Pro 19041.804
Hey thanks for watching and the comment! What is your goal and/or situation? Is your Windows 10 Pro machine domain joined and are you trying to manage the server's DNS through Microsoft Management Console (mmc.exe)?
The DNS manager I demo here is for Windows Server 2019, which may be the confusion. Windows 10 operating system (OS) is not intended to be used as a server OS. It cannot natively do things a server can. There are some exceptions for home networks where Windows 10 might be set up as a place to access a drive for storing files. There is also an IIS (website host) that can be installed which is not meant for production environments.
I may be able to point you to a different solution depending on what you need.
If you prefer to reach out via email feel free to contact me at rosborne@osbornepro.com
@@OsbornePro I have a music studio in a building with other studios. The public wifi here is fine as far as speed and connectivity. They have the router in the main office (separate building) and they use access points in the hallways that access the studios. I'm lucky enough to have one right outside my door so the signal is strong. My issue is security. There are a lot of studios using the same wifi plus a lot of traffic going in and out of other nearby businesses. It's password protected but I know passwords don't do sh*t for security anymore. Anyway, long story long, this is the only computer in my studio and it doesn't ever need to connect to anything besides the wifi for basic web browsing. No other computers/devices, nothing. All the tools I use are USB, Thunderbolt, and FireWire physically plugged in. I just want to make it so absolutely nothing can connect to me wirelessly, see my files, see my screen, etc. since I have client data on here. Are there settings I can apply to be sure of that (or at least trick me into thinking that) on public wifi or do I have to bite the bullet and get my own service? I appreciate the help, man. Thank you
Great question. So if you are signing into the public WiFi by entering a password, your Wi-Fi traffic is most likely using WPA2 for encryption. If you are brought to a sign-in page in your web browser where you enter a password, nothing is encrypted and anyone nearby can listen to what is going on. Most websites nowadays use HTTPS so any web browser traffic is encrypted. Anything over HTTP will be viewable in that situation. The unencrypted guest WiFi most likely means no one else can talk to your machine. You will likely get a 10.#.## IP address in a different subnet every time that is not allowed to talk to anything else connected to the WiFi. If the traffic is encrypted using WPA2 there is a strong possibility you can communicate with other devices on the same WiFi network.
In either case you can do a couple of things to protect yourself. You will want to disable SSDP and LLMNR and other protocols I mentioned in the video. SSDP I did not mention. To disable SSDP:
Click Start, type 'services.msc'
Find the SSDP service, right click it, and choose Properties
Change 'Startup Type' to Disabled
Click 'Stop'
Click OK
For what they call defense in depth, open Control Panel > Network and Sharing Center > Change Advanced Sharing Options and select Turn Off Network Discovery and Turn off File and Printer Sharing. This prevents anyone on the same network from being able to access files on your computer. It will prevent you from accessing other devices on the same network as well through SSDP. You can see the effects of that protocol in Control Panel > Devices and Printers when you are able to see devices there that are not connected to your computer.
You will not be able to enable DNSSEC on a DNS server, which is normal since you only have the one computer. Using a DNS server such as Cloudflare or Quad 9 enables your ability to use DoH and DNSSEC. I would suggest enabling DNS over HTTPS (DoH) in your preferred web browser and in Windows 10 by using this PowerShell command: github.com/tobor88/BTPS-SecPack/blob/master/Hardening%20Cmdlets/Enable-DoH.ps1. That command can be executed by opening a PowerShell admin window (Windows key + X, then press A) and pasting the entire contents of the command into the PowerShell window. The signature and help section can be excluded if desired. Once all that is executed the command will exist inside your session until you close the PowerShell window. Execute it by doing
Enable-DoH
Your settings will be applied after a restart.
If I can explain that better just let me know.
Also to set your DNS servers go to Control Panel > Network and Sharing Center > Select your WiFi adapter (or whatever has internet) > Properties > Select Internet Protocol Version 4 and click Properties > Use the following DNS server addresses and define them as
1.1.1.1
1.0.0.1
for cloudflare.
For Quad 9 it is
9.9.9.9
OpenDNS is
208.67.222.222
208.67.220.220
Google is
8.8.8.8
8.8.4.4
I personally prefer Cloudflare; however, all of those DNS servers are capable of using DoH and DNSSEC.
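The steps in this reply (stop SSDP, turn off LLMNR, disable Network Discovery and File and Printer Sharing, point the adapter at a DoH/DNSSEC-capable resolver) can all be done from the same elevated PowerShell window. The block below is an added example, not the Enable-DoH.ps1 script from the linked repo and not the video's own code; it also adds a check function so you can confirm the machine is in the state you intended. The interface alias `Wi-Fi` is an assumption (check yours with `Get-NetAdapter`), the SSDP service name `SSDPSRV` and the LLMNR policy value `EnableMulticastResolution` are the real Windows names, and the DNSSEC probe uses cloudflare.com only because it is a signed zone.

```powershell
# Added example: harden a single Windows 10 machine on shared WiFi and verify the result.
# Run as Administrator (Windows key + X, then A).

$WifiAlias  = 'Wi-Fi'                 # assumption: confirm with Get-NetAdapter
$DnsServers = @('1.1.1.1', '1.0.0.1') # Cloudflare, as in the reply; 9.9.9.9 etc. also work
$LlmnrKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Disable-LocalDiscovery {
    # 1. SSDP (service name SSDPSRV): the same stop + disable as the services.msc steps above.
    Stop-Service -Name SSDPSRV -Force -ErrorAction SilentlyContinue
    Set-Service  -Name SSDPSRV -StartupType Disabled

    # 2. LLMNR: DNS Client policy value; 0 = neither send nor answer multicast name queries.
    if (-not (Test-Path $LlmnrKey)) { New-Item -Path $LlmnrKey -Force | Out-Null }
    New-ItemProperty -Path $LlmnrKey -Name EnableMulticastResolution -Value 0 -PropertyType DWord -Force | Out-Null

    # 3. Network Discovery and File and Printer Sharing: the Advanced Sharing Options
    #    toggles enable/disable these inbound firewall rule groups, so do it directly.
    Set-NetFirewallRule -DisplayGroup 'Network Discovery'        -Enabled False
    Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled False

    # 4. Mark the WiFi as Public so the stricter firewall profile applies to it.
    Set-NetConnectionProfile -InterfaceAlias $WifiAlias -NetworkCategory Public
}

function Set-TrustedDns {
    # Equivalent of Control Panel > adapter > IPv4 Properties > "Use the following DNS server addresses".
    Set-DnsClientServerAddress -InterfaceAlias $WifiAlias -ServerAddresses $DnsServers
}

function Test-DnssecCapable {
    # Ask the configured resolver with the DNSSEC OK bit set; a validating resolver returns
    # RRSIG records alongside the answer for a signed zone. cloudflare.com is just a signed sample zone.
    param([string]$Name = 'cloudflare.com')
    $answer = Resolve-DnsName -Name $Name -Type A -DnssecOk -Server $DnsServers[0] -ErrorAction Stop
    [bool]($answer | Where-Object { $_.Type -eq 'RRSIG' })
}

function Test-Hardening {
    # One object summarising every control, so a glance shows what is still open.
    $svc   = Get-Service -Name SSDPSRV
    $llmnr = (Get-ItemProperty -Path $LlmnrKey -Name EnableMulticastResolution -ErrorAction SilentlyContinue).EnableMulticastResolution
    [pscustomobject]@{
        SsdpStopped   = ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
        LlmnrDisabled = ($llmnr -eq 0)
        DiscoveryOff  = -not (Get-NetFirewallRule -DisplayGroup 'Network Discovery'        | Where-Object Enabled -eq 'True')
        SharingOff    = -not (Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' | Where-Object Enabled -eq 'True')
        ProfilePublic = ((Get-NetConnectionProfile -InterfaceAlias $WifiAlias).NetworkCategory -eq 'Public')
        DnsServers    = ((Get-DnsClientServerAddress -InterfaceAlias $WifiAlias -AddressFamily IPv4).ServerAddresses -join ',')
        DnssecSeen    = (Test-DnssecCapable)
    }
}

# Usage:
# Disable-LocalDiscovery
# Set-TrustedDns
# Test-Hardening | Format-List
```

Disabling the firewall rule groups is the part that actually stops other devices on the same WPA2 network from reaching SMB and discovery ports on your machine; the SSDP and LLMNR changes stop your machine from advertising itself and from answering spoofed name lookups. DoH on top of this is still worth enabling with the linked Enable-DoH command, since the DNS server change alone only moves your lookups to a resolver that supports DNSSEC; it does not encrypt them.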