DNS security & .com AD Domains, What are the dangers to my AD Domain if someone squats my public .com domain

Question

I am aware that best practices currently dictate that my Windows AD Domain name should be a subdomain of a purchased, globally unique namespace (ie ad.namespace.com). That's just fine and dandy.

My question is, what are the potential security vulnerabilities introduced if our public domain registration lapsed and someone squatted the domain name out from under us (bad guys now own namespace.com)? Could they leverage some DNS voodoo to compromise our internal network back at ad.namespace.com? Could an uninformed end-user be tricked into doing something they shouldn't or leaking sensitive private domain info by visiting a malicious website occupying our squatted web address? Is there any remote AD authentication vulnerability resulting from bad guys owning our root level domain name?

I will probably earn ire for saying it, but it just seems safer to have the private AD domain occupy a separate namespace that is inaccessible from the internet, like whatever.local. I know this is hated. Someone please put my mind at ease. I have sent a few days trying to research this question, but I can't find anyone else sharing my concern about the potential compromise of a root level domain name. Maybe I'm just being nuubi. Thanks in advance.

Answer 1

The potential security vulnerabilities of someone squatting your domain that you have AD hosted on ... are no different than the vulnerabilities from people squatting a domain with no AD on it.

The would be able to phish your users, with perfectly valid SSL certs, and the correct domain. By using a namespace that is 'inaccessible' - and I intentionally put that in quotes - only opens you up to names space collisions, and all of the other issues that are the backbone of why the best practice is to use a sub domain on a domain you own.

DNS is just one part of the AD solution, and is only involved in the security of the domain in so far as it is used to lookup the locations of network services. Beyond that you have all the Kerberos/LDAP goodness dictating the ability to authenticate.

To answer your specific questions:

What are the potential security vulnerabilities introduced if our public domain registration lapsed and someone squatted the domain name out from under us (bad guys now own namespace.com)?

Phishing, malware injections, etc. None of this has much to do with AD security though it's just your normal 'bad things that happen whens someone squats your domain'

Could they leverage some DNS voodoo to compromise our internal network back at ad.namespace.com?

No

Could an uninformed end-user be tricked into doing something they shouldn't or leaking sensitive private domain info by visiting a malicious website occupying our squatted web address?

Sure see the Phishing risk above. This is not particular to AD though, just you lost your domain.

Is there any remote AD authentication vulnerability resulting from bad guys owning our root level domain name

No AD auth is handled by Kerberos not DNS

Now a few additional notes:

1) With ICANN allow arbitrary TLDs to be created if you have enough money, anything is fair game, and the namespace you thought was safe from collision last year could very well now be a new TLD this year.

2) To actually lose your domain you would have to let it expire and then not notice for the 30 (60/90/? I forget the exact number these days. And it could be registrar dependent, but at least 2 weeks) grace period.

So why are people not talking about it? Because it's not an issue you need to worry about. There are no vulnerabilities to your internal AD infrastructure, and your risk is just the same as if you where running AD on a different domain and let your domain expire. Set your domain to auto-renew and you are done.