Closed: hackern0v1c3 closed this 1 year ago
I'm realizing that having multiple DNS servers is intentional to prove a point in the next step that maybe some of the DNS servers aren't domain controllers. In that case you still might be better off pointing the second/third DNS to a non-existent DNS server. That way the workstation can't unintentionally get stuck doing lookups on a non-domain controller.
One last thought on this. You could block outbound DNS from anything other than the domain controller. This would be a nice security best practice anyway. Then you could leave the other DNS servers in the DHCP settings without running the risk of them actually being used.
Good stuff. So I'm wrestling with this a couple different ways. I'm playing with Blumira agents and they need to talk outbound to a few specific hosts, so I'm trying to leave just DNS outbound to 1.1.1.1 and 9.9.9.9, and then just HTTPS open to the specific Blumira hosts. However, in the lab this morning I noticed my TT-DT01 box trying to resolve TT-DEV01 to its public tt-dev01.tangent.town IP address.
I think I've addressed the issue in the firewall by forcing any .tangent.town host to resolve to the DC at 10.0.7.100. Once I put that change in and restarted services, my box started resolving all TT- shortnames properly.
But if you see future problems with this please let me know.
I think what you want to do is set everything to just use the TT-DT01 box for DNS. Then in the DNS settings on TT-DT01 set up forwarders for 1.1.1.1 and 9.9.9.9. This way everything on the network asks TT-DT01 for all DNS lookups. If it knows the answer from its local DNS it will just respond. If it doesn't know the answer it will do the lookup to 1.1.1.1 or 9.9.9.9 and then respond. This way all lookups get checked against AD first. And you only need to allow outbound DNS from one server. https://cleanbrowsing.org/help/docs/configure-dns-forwarder-windows-server-2016-2019/
Ohhhhh nice! I like that. I'll give it a shot when I burn/rebuild the lab momentarily.
OK, I removed all the funky custom pfSense DNS stuff I was trying to do and just took your suggestion of allowing TT-DC01 to do outbound DNS and that's it. From my testing, internal hosts always resolve TT-XX to a 10.0.7.x address, and resolve externally when that doesn't fail. Thanks man!
Where is the problem happening
https://7minsec.teachable.com/courses/2053747/lectures/46224722

Describe the problem
Ran ipconfig /all as instructed. Noticed that alternate DNS servers 1.1.1.1 and 9.9.9.9 are being distributed by DHCP. This could lead to issues in the future. If the PC can't find the primary DNS server (domain controller) it could fail over to another DNS server. If this happens, Active Directory authentication and lookups will stop working on the client. On Windows, DNS doesn't always fail back to the primary DNS server when it recovers and stays with the most recent working DNS server.

To Reproduce
Steps to reproduce the behavior:

Expected behavior
Only have domain controllers specified as DNS servers.

Screenshots
I think you get it lol.

Additional context
https://activedirectorypro.com/dns-best-practices/
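The fix the thread converges on (DHCP hands out only the domain controller for DNS, the DC forwards to 1.1.1.1/9.9.9.9, and clients are checked to confirm they resolve TT- hosts to 10.0.7.x) is shown below as PowerShell. This is an added example, not code from the issue, the course, or the commenters. It assumes it is run as a domain admin on the DC at 10.0.7.100 with the DnsServer, DhcpServer and ActiveDirectory modules installed, that the lab DHCP scope is 10.0.7.0/24 (the thread only says hosts are 10.0.7.x), that the AD domain is tangent.town, and it uses one.one.one.one as a convenience external name to prove forwarding works; none of those details beyond the IPs and the domain name come from the thread.

```powershell
# Added example (not from the original issue thread): make the DC the only DNS
# server DHCP clients receive, forward everything the DC is not authoritative
# for upstream, and verify the result. Assumptions: run on the DC (10.0.7.100)
# as a domain admin; scope 10.0.7.0/24 and the names tested below are assumed.
#Requires -Modules DnsServer, DhcpServer, ActiveDirectory

$DcIp     = '10.0.7.100'            # DC address named in the thread
$ScopeId  = '10.0.7.0'              # assumed DHCP scope for the 10.0.7.x hosts
$AdDomain = 'tangent.town'          # AD domain named in the thread
$Upstream = '1.1.1.1', '9.9.9.9'    # forwarders named in the thread

# 1. The DC answers tangent.town itself and forwards everything else upstream.
#    Root hints are disabled so a dead forwarder does not silently turn into
#    direct recursion from the DC (which the firewall rule would then block).
Set-DnsServerForwarder -IPAddress $Upstream -UseRootHint $false -Timeout 3
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout

# 2. DHCP option 006 (DNS servers) offers only the DC. Setting it at scope
#    level overrides a server-level value that still lists 1.1.1.1/9.9.9.9.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $DcIp -DnsDomain $AdDomain

# 3. Check: every DNS server the scope offers must be a domain controller.
#    This is the condition the issue asks for ("only DCs specified as DNS").
function Test-DhcpDnsIsDc {
    param([string]$ScopeId)
    $dcIps   = (Get-ADDomainController -Filter *).IPv4Address
    $offered = (Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 6).Value
    $bad     = $offered | Where-Object { $_ -notin $dcIps }
    if ($bad) {
        Write-Warning "DHCP scope $ScopeId offers non-DC DNS servers: $($bad -join ', ')"
        return $false
    }
    Write-Output "DHCP scope $ScopeId offers only DC DNS servers: $($offered -join ', ')"
    return $true
}
Test-DhcpDnsIsDc -ScopeId $ScopeId

# 4. Resolution checks against the DC: a lab host must come back as its
#    private 10.0.7.x address (not the public tt-dev01.tangent.town record the
#    thread saw), and an external name must still resolve via the forwarders.
Resolve-DnsName -Name "tt-dev01.$AdDomain" -Server $DcIp -Type A |
    Select-Object Name, IPAddress
Resolve-DnsName -Name 'one.one.one.one' -Server $DcIp -Type A |
    Select-Object Name, IPAddress

# 5. On a domain-joined client (run there, not on the DC): confirm what DHCP
#    actually handed out. Any address here that is not a DC is the failover
#    risk described in the issue, since Windows does not reliably fail back.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses
```

Step 2 is the part that removes the failover risk; step 1 is what keeps external resolution working once only the DC is allowed to send DNS outbound through the firewall. If the lab later adds a second DC, add its address to `-DnsServer` in step 2 and the check in step 3 will still pass, because it compares the offered list against every DC in the domain rather than a hard-coded IP.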