72 Cards in this Set

  • Front
  • Back
The network basic input/output system (NetBIOS) protocol allows browsing of network resources and handles basic functions of Windows networking by using two-way acknowledged data transfer. protocol, provides NetBIOS support for the TCP/IP protocol.
NetBIOS
What is NetBIOS and its function?
is an application programming interface (API) that can be used by programs on a local area network (LAN). NetBIOS provides programs with a uniform set of commands for requesting the lower-level services required to manage names, conduct sessions, and send datagrams between nodes on a network.
is any algorithm that maps data of arbitrary length to data of a fixed length. The values returned by a ______ function are called ____ values, _____ codes,____ sums, checksums or simply _______s.
"Hash" function
Explain a hashing algorithm?
The key in public-key encryption is based on a hash value. This is a value that is computed from a base input number using a hashing algorithm. Essentially, the hash value is a summary of the original value. The important thing about a hash value is that it is nearly impossible to derive the original input number without knowing the data used to create the hash value.
What is an example of a hashing algorithm?
Input Number
10,667

Hashing Algorithm
Input# x 143

Hash Value
1,525,381
It is hard to determine that the value 1,525,381 came from the multiplication of 10,667 and 143. But if you knew that the multiplier (hash algorithm) was 143, then it would be very easy to calculate the value 10,667.
The proof of non-existence
NSEC3
provides clients with a way of verifying the integrity of the results of a DNS query
DNSSEC; which cryptographically signs the DNS zone data.
How does the DNSSEC process work?
When a client queries a record in a zone that is signed using DNSSEC, the DNS server returns both the record and the digital signature that enables clients to validate that record.
This record is stored in the DNS zone, and each one is associated with an individual zone record. When a DNS query against the secure zone is performed, the DNS server returns both the record that is queried and the associated __________
Resource Record Signature (RRSIG) record
This special record allows for cryptographic verification of the RRSIG records
DNSKEY
This record provides proof that a queried record doesn't exist
Next Secure (NSEC/NSEC3) record

Ex: If a DNS client is querying the record cert.com and there is no cert.com host record hosted in our spade.com zone, the DNS server returns an NSEC record
This is a special public cryptography key associated with a specific zone;
Trust Anchor; this record is validated against the key, and when you use DNSSEC within an AD-integrated zone, the trust anchor is replicated to all DNS servers hosted on DCs in the forest.
The special cryptographic key is used to sign all DNSKEY records. The key is created by a computer that hosts the DNSSEC Key Master role. The DNS Key Master is a computer, usually the first DNS server on which DNSSEC is implemented, that generates and manages signing keys for a DNSSEC-protected zone.
Key Signing Key (KSK)
This special cryptographic key is used to sign zone data, such as individual host records.
ZSK (Zone-Signing Key); this is created using the DNSSEC Key Master
How do we configure a DNS server to log only errors, log errors, or warnings?
Enable Debug Logging in the properties of the DNS server's Debug Logging tab
provide single name resolution; allows single-label name to be translated into IP addresses
GlobalNames Zones; we use alias (CNAME) records when populating a GlobalNames Zone, which map the single-label name to an existing FQDN.
When should we consider using GlobalNames Zones?
#1. When we need to provide single-label name resolution and our network uses IPv6 addressing; the alias (CNAME) records can map to either IPv4 or IPv6 and allow name resolution, because WINS doesn't support IPv6.
#2. When we need to provide single-label name resolution for a small number of hosts; the only disadvantage versus legacy WINS is that WINS dynamically populated its host records, and a GNZ must be populated manually.
service that translates NetBIOS names to IPv4 addresses
WINS
To deploy GlobalNames Zone, what steps must we take?
#1. Create a new AD-integrated forward lookup zone named "GlobalNames", that we have configured throughout the forest
#2. Manually activate the GlobalNames Zone on each DNS server in the forest by running: Set-DnsServerGlobalNameZone -ComputerName servernamehere -Enable $True
This is a technology that makes cache-tampering and spoofing attacks more difficult by using "source port randomization" when issuing DNS queries to remote DNS servers.
DNS Socket Pool; By default DNS is on TCP 53; now the attacker would have to guess the randomized port that our DNS server is using and the randomized transaction ID issued with the query.
this command sets the socket pool size
dnscmd /config /socketpoolsize -4000 & restart the service
enables us to control when information stored in the DNS server's cache can be overwritten
DNS Cache Locking; Naturally, our recursive DNS server responds to a query from our clients for a record that is hosted on another DNS server. It then caches the results locally, so that if another client on our network needs the same response, we don't have to contact the remote server. If the same record is queried again within the TTL of the RR, DNS Cache Locking will prevent RR data in our server's cache from being overwritten until a configured percentage of the TTL has expired.
How do we configure DNS Cache Locking through PowerShell?
Set-DnsServerCache -LockingPercent 80
It is possible for nefarious third parties to use recursion against us as a DoS attack vector, slowing our DNS server down to the point where it is unresponsive. How can we avoid this?
Disable recursion on the Advanced tab of the DNS server's properties
Ensures that the DNS server returns the host record on the requesting client's subnet if such a record exists.
Netmask ordering
Ex: If a client with the address 192.168.2.50 performs a lookup of cert.new.com, it always returns the record "192.168.2.50", because the record exists on the same subnet as the client that requested it
What happens if netmask ordering isn't enabled, or the client isn't on the same subnet where the record they request exists?
DNS will return records in a round robin fashion
How is netmask ordering useful?
For services such as DNS, WSUS, etc. We could have WSUS servers at each one of our branch offices, and when we use netmask ordering, the DNS server redirects the client in the branch office to a resource on the local subnet when one exists.
How can we grant users the ability to view and modify DNS data as well as the server configuration of DNS servers within a domain, so that they can perform DNS administration tasks without giving them additional permissions?
Add specific users to the "DnsAdmins" domain local group
*We can also assign permissions to specific users or security groups to manage a specific DNS server using the Security tab of the server's properties.
cmdlet adds a conditional forwarder to a Domain Name System (DNS)
server. You can select the master servers, forwarder time-out, recursion, host computer, replication scope, and
directory partition for the conditional forwarder. Conditional forwarders are stored as zones on a DNS server.
Add-DnsServerConditionalForwarderZone
cmdlet creates a Domain Name System (DNS) application directory partition.
After you install a DNS server, DNS creates an application directory partition for the service at the forest and
domain levels. This cmdlet creates additional DNS application directory partitions.
Add-DnsServerDirectoryPartition
cmdlet adds one or more forwarders to a DNS server's forwarders list. If you prefer one
of the forwarders, put that forwarder first in the series of forwarder IP addresses. After you first use this
cmdlet to add forwarders to a DNS server, this cmdlet adds forwarders to the end of the forwarders list.
Add-DnsServerForwarder
cmdlet adds a specified primary zone on a Domain Name System (DNS) server.

You can add an Active Directory-integrated forward lookup zone, an Active Directory-integrated reverse lookup
zone, a file-backed forward lookup zone, or a file-backed reverse lookup zone.
Add-DnsServerPrimaryZone
The cmdlet adds a resource record for a Domain Name System (DNS) zone on a DNS server.
You can add different types of resource records. Use different switches for different record types.

By using this cmdlet, you can change a value for a record, configure whether a record has a time stamp, whether
any authenticated user can update a record with the same owner name, and change lookup timeout values, Windows
Internet Name Service (WINS) cache settings, and replication settings.
Add-DnsServerResourceRecord A=Ipv4
AAAA=Ipv6
CName=Alias record
Mx=mail exchange record
Ptr=pointer record for reverse lookups
cmdlet exports delegation signer (DS) or Domain Name System public key
(DNSKEY) information for a Domain Name System Security Extensions (DNSSEC)–signed zone.
Export-DnsServerDnsSecPublicKey
cmdlet adds DNSKEY resource record to a Domain Name System (DNS) server.
DNSKEY is a DNS Security Extensions (DNSSEC) element that stores a public key.
Add-DnsServerResourceRecordDNSKEY
The cmdlet adds a Delegation Signer (DS) resource record to a Domain Name
System (DNS) server.
Add-DnsServerResourceRecordDS
The cmdlet adds root hints on a DNS server. You can add root hints by specifying the DNS
name server and IP address, or you can use the InputObject parameter to specify a ___________ object.
Add-DnsServerRootHint
cmdlet adds a specified secondary zone on a Domain Name System (DNS) server. You
can create either a forward lookup zone or a reverse lookup zone. To create a reverse lookup zone, specify a
network ID by using the NetworkID parameter, or specify a full reverse lookup zone name by using the Name
parameter.
Add-DnsServerSecondaryZone
cmdlet adds a Key Signing Key (KSK) or Zone Signing Key (ZSK) key to a Domain Name
System (DNS) signed zone.
Add-DnsServerSigningKey
cmdlet adds a stub zone. A stub zone is a copy of a Domain Name System (DNS) zone that
contains only resource records that identify the DNS servers for that zone.

You can add either a forward lookup zone or a reverse lookup zone. You can add either an Active
Directory-integrated zone or a file-backed zone.
Add-DnsServerStubZone
cmdlet adds a trust anchor (DNSKEY record) to a DNS server. If there is no trust
anchor zone present, the cmdlet creates one. If you specify the DigestType parameter, the cmdlet adds a trust
anchor delegation signer (DS) record.
Add-DnsServerTrustAnchor
cmdlet adds a zone delegation to a Domain Name System (DNS) server zone. For
instance, you can add a child domain called west01 to your top level domain, contoso.com, and specify a DNS server
for that delegated domain.
Add-DnsServerZoneDelegation
cmdlet clears resource records from a Domain Name System (DNS) server cache.
Clear-DnsServerCache
cmdlet clears all Domain Name System (DNS) server statistics. After you have cleared
the statistics, you cannot retrieve them.
Clear-DnsServerStatistics
converts a Domain Name System (DNS) zone to a DNS primary zone. Use this cmdlet
to promote a secondary zone to a primary zone on the server. For a file-backed zone, ensure there is only one
server that hosts the primary zone.
ConvertTo-DnsServerPrimaryZone
cmdlet converts primary zone or a stub zone on a Domain Name System (DNS)
server to a secondary zone.
ConvertTo-DnsServerSecondaryZone
This cmdlet enables rollover on the input key.

This cmdlet disables key rollover on an input key.
Enable-DNSServerSigningKeyRollover

Disable-DnsServerSigningKeyRollover
cmdlet exports delegation signer (DS) or Domain Name System public key
(DNSKEY) information for a Domain Name System Security Extensions (DNSSEC)–signed zone.
Export-DnsServerDnsSecPublicKey
cmdlet creates a file containing resource records for an Active Directory–integrated zone
Export-DnsServerZone
cmdlet retrieves a Domain Name System (DNS) server configuration. The DNS server must be running
Windows Server 2008 R2 operating system or above.
Get-DnsServer
cmdlet gets Domain Name System (DNS) server diagnostic and logging parameters.
Get-DnsServerDiagnostics
cmdlet gets the Domain Name System Security Extensions (DNSSEC) settings for a
zone on a Domain Name System (DNS) server.
Get-DnsServerDnsSecZoneSetting
cmdlet gets the following Domain Name System (DNS) Server Active Directory settings:
PollingInterval, DirectoryPartitionAutoEnlistInterval, LazyUpdateInterval, MinimumBackgroundLoadThreads, and
RemoteReplicationDelay.
Get-DnsServerDsSetting
cmdlet gets extension mechanisms for DNS (EDNS) configuration settings on a Domain Name
System (DNS) server. This cmdlet gets the EDNS settings for CacheTimeout, EnableProbes, and EnableReception.
Get-DnsServerEDns
cmdlet enables or disables single-label Domain Name System (DNS) queries.
Set-DnsServerGlobalNameZone
cmdlet gets a global query block list on a Domain Name System (DNS) server.
DNS Server service maintains a list of servers that it does not respond to when the DNS server receives a query to
resolve the name in any zone for which the server is authoritative.
Get-DnsServerGlobalQueryBlockList
cmdlet modifies recursion settings for a Domain Name System (DNS) server. Recursion
occurs when a DNS server queries other DNS servers on behalf of a requesting client, and then sends the answer
back to the client.
Set-DnsServerRecursion
cmdlet changes scavenging settings on a DNS server. If any of the set operations fail,
the cmdlet continues to configure other settings. The cmdlet displays the settings that it changed and the
settings that it did not change.
Set-DnsServerScavenging
cmdlet changes settings of a signing key for a zone. You must specify the ZoneName
parameter and at least one of the optional parameters.
Set-DnsServerSigningKey
cmdlet retrieves statistics of a Domain Name System (DNS) server.
The Get-DnsServerStatistics cmdlet retrieves statistics of a Domain Name System (DNS) server.
gets one or more trust points on a DNS server. If you do not specify a trust point
name, all trust points are enumerated.
Get-DnsServerTrustPoint
cmdlet gets the zones that exist on a Domain Name System (DNS) server.
Get-DnsServerZone
cmdlet configures aging settings for a Domain Name System (DNS) server zone.

A resource record can remain on a DNS server after the resource is no longer part of the network. Aging settings
determine when a record can be removed, or scavenged, as a stale record.
Set-DnsServerZoneAging
cmdlet imports a Delegation Signer (DS) resource record to a Domain Name
System (DNS) server from a file.
Import-DnsServerResourceRecordDS
cmdlet signs a Domain Name System (DNS) server zone.
Invoke-DnsServerZoneSign
cmdlet transfers the role of DNS Security (DNSSEC) Key Master server. Any
authoritative Domain Name System (DNS) server that hosts a primary copy of the zone can be the Key Master server.
Reset-DnsServerZoneKeyMasterRole
cmdlet ages Domain Name System (DNS) resource records in a DNS zone. You must
enable aging at the zone level by using this cmdlet.
Set-DnsServerResourceRecordAging
shows all cached Domain Name System (DNS) server resource records in the following format:
Name, ResourceRecordData, Time-to-Live (TTL).
Show-DNSServerCache
cmdlet returns a list of key storage providers that are available on a DNS
server. You can use the key storage providers to create a zone signing key (ZSK) and a key signing key (KSK).
Show-DnsServerKeyStorageProvider
cmdlet starts a zone transfer of a secondary zone from the master servers.
Start-DnsServerZoneTransfer
cmdlet synchronizes zone data and root hint data for a zone to the persistent storage. The
persistent storage can be Active Directory or a file.
Sync-DnsServerZone
cmdlet validates Domain Name System Security Extensions (DNSSEC) settings for
a zone on a Domain Name System (DNS) server. The cmdlet returns a validation object.
Test-DnsServerDnsSecZoneSetting