Sunday, March 16, 2025

UniFi Network force DNS over TLS network wide

The post on doing this in OPNSense has been pretty popular so let's do this with UniFi!  You will need a UniFi gateway and the Network application running version 9 or higher.




DNS is a critical service for the Internet. Not only every webpage you visit but even much of the content on each website requires a DNS lookup to find the server where the content is located. DNS by default is also not encrypted, allowing anyone in your traffic path, such as your ISP, to see every web page you visit even if you are not using their DNS servers. Because of this, it has become one way of tracking people online. We do have a few options to at least cut our ISP off from some of our data. We could use a VPN, but they are not always ideal. So today I am going to focus on DNS over TLS. TLS (Transport Layer Security) is the same encryption used to protect websites and also allows us to verify that the server we are talking to is who we think it is.

In the Network application, open Settings


Near the bottom, let's verify our Network version; version 9 adds some new features, including the zone-based firewall that we will be using.

Now that we have verified we are on version 9, let's head to the Security menu on the same page






This will show us the zone-based firewall that we will be using in just a bit; first go to the Protection tab at the top.

Under Protection, scroll down to Encrypted DNS. Auto works, but Predefined gives us a large list of secure public DNS services to choose from, so let's do that.

Click in the box or Edit to bring up a list of preconfigured secure DNS servers. Once you have selected your preferred servers, click Save.

This will set the DNS server on the UniFi gateway to use secure DNS, which will be used by default for all of your networks. This will not stop software or IoT devices from simply using their own insecure DNS settings, though; for that we need to create a firewall policy.



Go back to the Firewall tab




Select Create Policy at the bottom








Policy
  • Name:  Give it a meaningful name
  • Source Zone: Internal is the default, if you have more than one internal zone create a policy in each
  • Action: Block
  • Destination Zone: External
  • Service: DNS

Now that we have created a policy to block unsecured DNS requests from leaving our network, let's check our logs to see what is trying to go around our DNS settings.

System Logs is at the very bottom left.

The Triggers tab is our firewall policy log.

Go figure: Google IoT devices trying to use Google DNS directly. You will likely see different results depending on what you have on your network.
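To confirm the policy does what we want before trusting the log alone, here is an added example (not part of the original post) you can run from a Windows client on one of the internal networks: it asks the gateway for a name (should work, since the gateway resolves over secure DNS for every network), asks an external resolver over plain port 53 (should now be blocked by the policy), and checks that TCP 853, the DNS over TLS port, is still reachable. The gateway address, the external resolvers and the test name are assumed values, and the port 853 expectation assumes the Block policy matches only the DNS service on port 53.

```powershell
# Added example, not from the original post: verify from a Windows client that the
# UniFi "Block DNS to External" policy is in effect.
# All addresses below are constructed for this example; adjust to your network.
$Gateway     = '192.168.1.1'   # assumed: the UniFi gateway handed out by DHCP as resolver
$ExternalDns = '8.8.8.8'       # assumed: a public resolver that should now be unreachable on port 53
$DotResolver = '1.1.1.1'       # assumed: a public resolver offering DNS over TLS on TCP 853
$TestName    = 'example.com'

function Test-PlainDns {
    # Returns $true if $Server answers a plain (UDP/TCP 53) A query for $Name.
    param([string]$Server, [string]$Name)
    try {
        $null = Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -QuickTimeout -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

function Test-DotPort {
    # Returns $true if a TCP connection to port 853 (DNS over TLS) on $Server succeeds.
    param([string]$Server)
    $r = Test-NetConnection -ComputerName $Server -Port 853 -WarningAction SilentlyContinue
    return [bool]$r.TcpTestSucceeded
}

$results = [ordered]@{
    'Gateway answers plain DNS (expected: True)'          = Test-PlainDns -Server $Gateway -Name $TestName
    'External plain DNS reachable (expected: False)'      = Test-PlainDns -Server $ExternalDns -Name $TestName
    'External DNS over TLS port reachable (expected: True)' = Test-DotPort -Server $DotResolver
}

$results.GetEnumerator() | ForEach-Object { '{0}: {1}' -f $_.Key, $_.Value }

# A True here means a device on this zone could still bypass the gateway's secure DNS.
if ($results['External plain DNS reachable (expected: False)']) {
    Write-Warning 'Plain DNS to an external resolver succeeded: the Block policy is not applied to this client''s zone.'
}
```

Run it from each internal zone you created a policy for; a client that still gets an answer from the external resolver is on a zone the policy does not cover, and the same attempt should then show up under Triggers once the policy is in place.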



Sunday, March 9, 2025

Simple AD Cyber Security Lab (Part 4) - Active Directory

In the last part we set up OPNSense to handle our plumbing and keep our lab segregated off on its own. In Part 4 we will be installing Active Directory.

Microsoft Active Directory is still used by a majority of Fortune 500 companies and many non-cloud-native enterprises. This year AD is also 25 years old (as AD, a released product), meaning there are also lots of old deployments that may not be up to current best practices. Both its age and popularity mean AD is a common target and something blue teamers need to take some extra care with to help ensure no easy holes are left open in it.

Warning:  This is NOT a best practice guide for installing Active Directory.  This procedure is meant just for a lab and leaves out many hardening steps.  


Create VM

Open up VirtualBox, select Machine and then New


Set our Name and Operating system
  • Name: DC - DC1
  • Folder: This should be the default location we set in part 2, only change this if you need to store your VM's in different locations
  • ISO Image: select the installer we extracted
  • Type: Microsoft Windows
  • Version: Windows Server 2019 (64-bit)
  • Skip Unattended Installation: Checked




Next, let's go to Hardware. I know this is not what is on the plan from part 1, but the installer will take less time, and the promotion to domain controller in particular will run a lot faster.
  • Base Memory: 4096 MB
  • Processors: 3


Lastly, let's go to Hard Disk set our size and Finish
  • Hard Disk File location and Size:  Size to 30.00 GB (even if you have extra space no need to go larger here)


Install Windows Server


With our DC VM selected, click on the Start arrow; you can also use detached mode from the down arrow on the Start button to get a larger separate window.

Give it a bit and you should see the Windows Setup screen, click next


Click Install now


Select Windows Server 2019 Standard Evaluation (Desktop Experience). The default option is Server Core with no GUI; I won't be covering that version in this guide. Select Next


Accept the license and click Next


Select Custom: Install Windows only (advanced)


We should only have the one drive we created in our VM, select it and click next


Wait while the installer does its thing.


Set your password


Now the Windows installation is complete; once the reboot is finished you can log in with Administrator and the password you created

Configure Windows Server


The VM will reboot when the installation is complete. After you log in the first time you may receive this Networks prompt; select Yes.

Eventually, you should see this Server Manager Dashboard

First thing, let's set our IP address. We want a static IP address for our Domain Controller because DCs changing addresses can cause other issues, and it will also be hosting our DNS and DHCP services.

Go to Local Server on the side and click on the link next to Ethernet


We should have only the one network connection


Right-click and select Properties


Highlight Internet Protocol Version 4 and click Properties


Set the following static IP information, then click OK
  • IP Address: 172.16.254.10
  • Subnet mask: 255.255.255.0
  • Default gateway: 172.16.254.1
  • Preferred DNS server: 172.16.254.1


Go back to Server Manager and click on the link next to Computer name


Click on the Change button


Set our computer name DC1 then click OK


Follow the warning prompts and reboot

Now we are done with the basics of setting our IP address and computer name. Log in after the reboot to continue on to installing Active Directory

Install Active Directory


After we login we should again be greeted by the Server Manager Dashboard

Select Manage then Add Roles and Features


Before You Begin warning, Next


Select Role-based or feature-based installation and Next


Select our server DC1 and Next


Now we have our shopping screen where we select all the goodies we want to install.

Start by checking Active Directory Domain Services (this is the core AD functionality)


You will get this required features window; select Add Features


Back to our shopping window next select DHCP Server


Again add the required features


Select DNS Server from our shopping list and you guessed it add the required features


Now we should have Active Directory Domain Services, DHCP Server and DNS Server selected, Next


We don't need to add any features beyond what was added with the roles, Next


Now time to next through the roles screens, Next 


Next


Next


Now we are ready to start installing, click Install 


This will take some time to install all of the roles and features selected.


Once the installs are done we will get some alerts in the Server Manager.  There are some post-install tasks for Active Directory and DHCP, let's start with Active Directory.  Click on Promote this server to a domain controller


More wizard time!

Select Add a new forest and set our domain name, Next
  • Root domain name: mysclab.local


We have some options to set and our DSRM password.  For our lab, you can set this to the same password as the administrator account. Then click Next
  • Forest functional level: Windows Server 2016
  • Domain functional level: Windows Server 2016
  • Domain Name System (DNS) server: Checked
  • Global Catalog (GC): Checked


DNS Options, Next


Additional Options: this is for the NetBIOS domain name, a legacy option that is still needed. This screen can take a while to become active; it is testing the first part of your domain name on the network to make sure there are no conflicting domains or workgroups. When it is done, click Next


Yep, we are leaving the database and log files in the default location, Next


Review our choices and click Next


We will now get some warnings about how 2019 has non-optimal security settings to be backward compatible and how our DNS server is not properly set up. The security defaults are what they are, and this is our first DNS server, so the DNS warning can also be ignored; select Install


After maybe a very long time our DC1 VM will want to restart, it will do so automatically if you ignore it.  The configuration after the reboot usually takes even longer so feel free to do something else for a while.

Once the reboot is done and you are back to the login screen, Active Directory is installed!
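For anyone who would rather script the same steps, here is an added example (not from the original post) that does the static IP, computer name, role install and forest promotion from an elevated PowerShell prompt on the freshly installed VM, using the values from this part (DC1, 172.16.254.10/24, gateway and DNS 172.16.254.1, mysclab.local, Windows Server 2016 functional levels, default database and log paths). The adapter alias 'Ethernet' and the NetBIOS name MYSCLAB (the first label of the domain name, which is what the wizard derives) are assumptions; check the alias with Get-NetAdapter first.

```powershell
# Added example, not from the original post: the Part 4 lab build as a script.
# Run Phase 1, let the VM reboot, log back in as Administrator, then run Phase 2.
# Lab only: like the GUI walkthrough this skips hardening steps.

# --- Phase 1: static IP and computer name ----------------------------------
$Adapter = 'Ethernet'   # assumed alias; confirm with Get-NetAdapter

# Stop DHCP on the adapter and clear any DHCP-assigned default route so the
# static gateway can be set without an "already exists" error.
Set-NetIPInterface -InterfaceAlias $Adapter -Dhcp Disabled
Remove-NetRoute -InterfaceAlias $Adapter -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue

# Same values as the IPv4 Properties dialog in the post.
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress '172.16.254.10' -PrefixLength 24 -DefaultGateway '172.16.254.1'
# Preferred DNS is OPNSense for now; promotion makes this server a DNS server itself.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses '172.16.254.1'

# Equivalent of System Properties > Change, followed by the reboot.
Rename-Computer -NewName 'DC1' -Force -Restart

# --- Phase 2: roles and forest promotion (after the reboot) ----------------
# The three roles from the "shopping screen", plus their management tools,
# which is what "Add Features" pulled in for each role.
Install-WindowsFeature -Name AD-Domain-Services, DHCP, DNS -IncludeManagementTools

# DSRM password; the post uses the same value as the Administrator account in the lab.
$Dsrm = Read-Host -Prompt 'DSRM (Safe Mode) password' -AsSecureString

Import-Module ADDSDeployment
# WinThreshold is the Windows Server 2016 forest/domain functional level chosen
# in the wizard. The first DC in a forest is always a global catalog, so no
# separate switch is needed for the GC checkbox. Paths stay at their defaults.
Install-ADDSForest `
    -DomainName 'mysclab.local' `
    -DomainNetbiosName 'MYSCLAB' `
    -ForestMode 'WinThreshold' `
    -DomainMode 'WinThreshold' `
    -InstallDns:$true `
    -SafeModeAdministratorPassword $Dsrm `
    -NoRebootOnCompletion:$false `
    -Force:$true

# The server restarts on its own when promotion finishes, just as in the wizard;
# afterwards log in as MYSCLAB\Administrator with the same password.
```

Install-ADDSForest prints the same compatibility and DNS delegation warnings the wizard shows; as in the post they can be ignored for this first DC. The DHCP post-install task is still outstanding after this script, which is where the next part picks up.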


We still have a few more tasks to complete but this has already become overly long.  In the next installment we will get some data in AD so we have something to play with.

