Hi, everyone. This is the Windows Server Engineering Summit. It's going to happen on the 26th of March, 2024. Okay, so let me introduce myself. My name is Gulnaz Mushtaq and I am an MVP. I have also been a Microsoft Certified Trainer since 2018 and am now serving the MCT community in Pakistan as an MCT regional lead. I am an Enrique Lima award recipient from Microsoft, and I have diversified experience in the field of information technology. I have worked with both the public and private sectors. I am basically very passionate about community work. So basically I have been working with Microsoft Windows Server for many years, I am an enthusiast, and I have trained hundreds of people around the world in this technology. Okay, so most of the time I usually encourage the people around me to take part in community work as well. As far as the technologies are concerned, I have mainly been working in Microsoft Hybrid Administration, Azure Administration, Azure Security, Identity Management and things like that. If you guys want to join me on LinkedIn, this is my profile; you can go to LinkedIn, search my name there as Gulnaz Mushtaq, and you will see this simple profile, and you can connect with me. And in the background you can see the MCT Community Pakistan Learning Room. This is basically a learning room on Microsoft Teams. You can join from the given link. And if you have any query relating to Azure, relating to Microsoft Windows Server, or regarding today's topic as well, you can ask me. I will love to help you guys over there. Let's start with today's session. So today's session title is Implementing Response Rate Limiting (RRL) in Microsoft Windows Server, and this is part of the server hardening solutions. So let me tell you guys that the Windows Server Summit is going to happen on the 26th of March. So don't forget to join me in this session.
So today's agenda, what we are going to discuss, is: what is RRL, why we have to configure RRL, what the supported operating systems are, and how to implement RRL. So let's talk about what RRL is. RRL stands for Response Rate Limiting. It is basically a functionality of Microsoft Windows Server. So what does it do? It basically protects DNS servers from amplification attacks. So what are amplification attacks? Basically, they are a kind of attack where some specific query is sent to a certain DNS server, and in response the DNS server sends a lot of data and information. Using that information, the attacker is able to fetch important information from the server. So in that way the attackers succeed in sending a lot of requests to the target servers, because they are getting the information from the specific servers. So it is easier for them to get the important information and attack, and they are able to attack the servers. So RRL will basically prevent someone from launching a denial of service (DoS) attack, as you know. So why implement RRL? Basically, what is the importance of implementing RRL? As we talked about, a DoS attack is a dangerous thing, because when you send just a little information to request some response, the server sends back a lot of information. So to stop that phenomenon, what you have to do is implement RRL, because RRL is basically the process of separating the valid queries from malicious queries, the queries that are suspicious, right? So this is something which is very important for DNS servers. What we have to do: we are not going to block everything, because you know that not everything the server is going to give you is suspicious. So it is not possible that we are going to block every packet. But yes, what we can do is separate them, right?
So attackers make their queries look legitimate through several tricks; you know that attackers are always in the habit of sending very legitimate-looking things, attacks, to the server, and they make everything look legitimate. So what RRL is going to do is look at patterns. It is studying patterns and rates: how queries are coming in to the server, what kind of queries they are and what their behaviours are. Basically, when you implement RRL, your server will be able to have a look at the queries, the pattern of those queries, how they are coming in and how many of them are coming into the server. As we discussed, we cannot block all the patterns. So what can we do, what are the possibilities? Basically, we will limit the response rate, and that's our target. So that's our main goal. By limiting the rate at which responses are sent to specific clients, or from specific subnets or specific networks, RRL helps protect DNS servers from being unwittingly used in amplification attacks. So that's the main way RRL is going to help us. Okay, so let's talk about that. What are the main supported operating systems that work with RRL? If we talk about the supported operating systems, first of all, Microsoft launched this functionality for the first time in Microsoft Windows Server 2016, and now it is in its successors as well. So we can say that starting from Server 2016 onwards, you can implement this functionality on the DNS servers you are concerned about. So it is a very important feature for DNS servers. Before going ahead, let's talk about some important terms, because, as you know, one of the agenda items is that we are going to implement the RRL functionality in our DNS server as well. So before going ahead, it is better to discuss the important terms as well. The first thing is: what is responses per second?
So, as we have talked a lot about responses, about how the server is going to respond, because we are not going to block everything, in that case we are going to set certain values, certain switches I would say. As you guys know about PowerShell commands, we are going to run a few PowerShell commands, and in those PowerShell commands we are going to set some values. Responses per second is one of those values. This is basically the maximum number of times the same response will be given to a client within a one-second window. So it is all about the maximum number of responses that are given to a certain client if they send something to the DNS server, and what the response of the DNS server is going to be. As you know, sometimes when some client or machine sends a request to the DNS server, some errors occur as well. So there is a chance of having some error responses as well. So in that case, let's talk about whether every error is something which is not going to be responded to; there are a few errors which are important as well. So we are going to set the value of errors per second. This is another switch; in that PowerShell command we are going to set these values. So errors per second is the maximum number of times an error response will be sent to the same client within one second. Okay. So next is the window. This is basically the number of seconds for which responses to a client will be suspended if there are too many requests being made to the DNS server. So if many requests are sent to the DNS server, in this window of a few seconds, how many requests should be responded to and how many of them should be suspended? Basically, a few requests will be suspended as well. So we are going to set those values. Okay. So what is the leak rate?
This is all about how your DNS server is going to respond to the queries of a client which is already in the suspension window. We talked about the suspension window in this slide, and now we are going to the leak rate. What is the leak rate? It is the number of queries that take place before a response is sent, basically. So before the server is going to send a response, what is the leak rate? If the leak rate is 42, it means that the DNS server will only send one response out of 42 queries. So you can imagine how much filtering you are going to implement: if something is coming in and the number of those queries is 42, your server is going to send only one response out of those 42 queries. This is called the leak rate. Okay. One more important thing I'm just going to tell you guys: these are all about how much you are going to implement, like are you going to implement it as 42, or maybe you are going to implement it as three, four, five, seven; whatever the figure is, it's totally up to you, based on your requirements, based on your scenarios, how much you are going to implement. Okay. So let's talk about maximum responses. This is basically the number of responses your server is going to send to a client while the responses are suspended. So this is another option. If the responses are suspended, then how many responses is the server going to send to a certain client? Right. And also the truncate rate: what is the truncate rate for the queries? Sometimes a few queries are dropped due to RRL. Still, the DNS server has an option where it decides, okay, I have this criterion that if some of the queries are dropped due to some valid reasons, I'm going to give a chance to a valid client as well. Okay. So it observes the pattern of your subnets as well, as we already talked about the subnets or specific networks.
So the server will also be looking at the behaviour of a specific subnet, how many requests this or that specific subnet is sending. That is another factor. So in that case, what is the client? Which one is the client? It should be giving them some chance to get a certain response as well. Right. So we are going to set that in the truncate rate. There are a few more switches, but due to the time limitations we have in the 20- or 30-minute session today, we will have to discuss some more switches regarding response rate limiting in the future if you are interested, because this is a huge topic. If we discuss this topic fully, it includes so many switches as well. So these are just a few of them. I'm just going to tell you guys that not only are we going to set up the responses as per their behaviour, their time duration, their subnets and things like that, we can whitelist certain domains as well. Why and how? Because it is very important whether there is a whitelisted domain. For example, there is a domain by the name contoso.com. Is that suspicious for us? But we want to list it as a whitelisted domain, because it would not affect RRL. So this is something. Also, we can whitelist certain subnets as well, and we can whitelist certain interfaces as well. So in the future, if you guys are interested, we will be discussing more things about more switches regarding RRL. Okay, guys, let's jump into the RRL implementation demonstration. I'm going to stop my screen and I'm going to share another screen with you guys. Okay, guys. So let's start with some demonstration. So this is my web server basically. I wanted to show you guys how RRL will be implemented. So basically, this is my DNS server as well. I just implemented a few zones for demonstration. And it's Windows Server 2022 Standard edition, as you can see over here. And it should be licensed and should be operational as well, definitely.
Okay, so I just saved a few commands for you guys so that you can see them on the screen as well and run them for your convenience. So this is my tip for you guys: just save all the important commands in Notepad, because Notepad is something which can be opened everywhere, whether you have Word available or not. So this is a very handy file. Keep all the important commands in Notepad files. Okay, so let me open up this Notepad file. First of all, what we have to do is put in some criteria to check whether our server is already working with RRL enabled or not. Fine, I'm just going to delete this thing, I don't need that; these are just commands. Okay, so this one is the first: you have to run this simple command, Get-DnsServerResponseRateLimiting. Instead of writing the whole "ResponseRateLimiting", you can just put RRL as well. And you know that in the PowerShell interface you can press Tab and your command will be completed automatically. So I'm just copying this. I'm just starting my PowerShell and putting everything over here. Okay, so now I am checking whether my service has RRL active or not. Just enter this command, and you can see that there are a few switches like responses per second and errors per second, which we have discussed so far. And the mode is Disabled. So we are going to enable this mode basically. Just give me a second. So first of all, we are going to enable RRL. For that, there is a very simple command; with this you can enable the RRL mode: Set-DnsServerResponseRateLimiting -Mode Enable. Right. I'm just copying this command from here and putting it into my command line over here. So this is the command which will enable the response rate limiting functionality on my Windows server. Okay, so the system is going to confirm whether you are going to enable RRL.
So this is something good, that Microsoft is going to ask all customers whether they are willing to enable RRL or not. Because, as you know, once you enable RRL, RRL works on certain behaviours, certain things, certain patterns, right. So that's why you will get this message. So I'm just simply typing Y for my confirmation, that yes, I'm going to enable RRL, and I'm going to enter my command. Okay, so another command is the one where you are going to set a few switches we have discussed in the presentation. For example, if you are going to set some functionalities, like we have discussed so far: you want to set the RRL window, what the window should be, what the leak rate should be, what the truncate rate should be, what the errors per second are going to be and the responses per second. Okay, keep in mind that it is totally up to you; I'm going to put these values, but you can put them according to your requirements. Okay, so during the question and answer session, you guys can ask questions and I will explain in more detail which values you can put in which switch, and what the possibilities are. For now, I'm just going to put these values, just for demonstration purposes. I'm going to copy this command over here, and now I'm going to write that command in my PowerShell and hit Enter. Once again, the system is going to confirm. I would again say that this happens just because, as you can see, from now onwards you are giving your DNS certain commands to control its behaviour, how to respond. So in my case, I'm just going to put Y, meaning that yes, I'm willing to set these values. Okay, so what's next? Once you have put all of them in, right, now you can confirm whether whatever you have put there is functioning well, functioning according to your requirement. For that, I'm going to run this command once again.
So I'm just going to repeat the command using the arrow keys. Okay, Get-DnsServerRRL. As you can see, now the RRL functionality has been enabled on my DNS server. Fine. Okay, so one more thing: if you want to reset all of these switches to default, you can type this, you can run this command again. What are the default values? As you can see, these were the default values. I'm not talking about enabling or disabling RRL, because you have already enabled RRL. But if you want to set all the other values to default, you can run this command. And what this command is going to do is reset all the values, the current values you just changed with the previous command, to the default values. Okay, so if I just type this in my PowerShell, you will see that all my values will be reset; so I'm just going to put this command in my PowerShell. And again, it is going to confirm whether you are going to do that or not. Yes. I'm again going to check the status of RRL. Okay, so the mode is already enabled. But as you can see, all the previous values have been reset to the default values. So the mode is there already. Okay, sometimes maybe you want everything to get disabled and you don't need this RRL functionality anymore. So in that case, in this switch, as you can see, the mode is Enable; you just put it as Disable. Okay, so right after the -Mode switch, I just put Disable, and the system is asking for confirmation. Yes. Okay, now, as you can see, first of all, everything has been reset to default, and secondly, the mode is again set to Disabled. Right. So this is the thing. So every time, if you enable RRL and you don't want it anymore, you can disable it as well. Right. So one most important thing is that you can set the DNS server so that it should be working in RRL mode only if it is in the logged-on state. If the server is not logged on, RRL should not work, right.
You can set this functionality as well, because it says: command to set RRL to log-on mode only. Okay, so to check the logs and events for this functionality, I'm just going to demonstrate: you have to go to the Server Manager dashboard, and here in the Tools menu you can go to Event Viewer. In Event Viewer, you go to Applications and Services Logs, and in Applications and Services Logs you go to Microsoft and then Windows. And in Windows, you are going to search for DNS. So this one is DNS-Server. Click on that. And in the Audit section, you will be able to have a look at the activity being performed by the RRL functionality. So everything is going to be here, as you can see: the date, the time and everything, because this is just a demonstration. If you are working in a production environment, you will be getting more logs accordingly. Okay, guys. So this was the RRL implementation demonstration, and for checking the logs you can note down this path to the event logs. Thank you very much for joining today's session. You can reach out to us for more such informative sessions, knowledgeable sessions, and we would love to help you out and to make more such sessions for you guys.
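The whole demonstration above (check state, enable, set the switches, verify, whitelist, read the Audit log, reset, disable) as one added PowerShell script; this is an added example, not the speaker's saved Notepad commands. It assumes the DnsServer module on Windows Server 2016 or later in an elevated session, and the numeric values, the exception list name and the `*.contoso.com` pattern are assumed sample values.

```powershell
# Added example reproducing the demo's RRL walk-through end to end (not the speaker's Notepad file).
# Needs the DnsServer module (Windows Server 2016+) in an elevated PowerShell; the numeric
# values are assumed sample values for illustration, not a recommendation for any network.
Import-Module DnsServer

# 1. Inspect the current state. A fresh server reports Mode Disable and the built-in defaults.
Get-DnsServerResponseRateLimiting |
    Format-List Mode, ResponsesPerSec, ErrorsPerSec, WindowInSec, LeakRate, TruncateRate, MaximumResponsesPerWindow

# 2. Enable RRL. -Force answers the Y/N confirmation the demo showed, which matters in scripts.
Set-DnsServerResponseRateLimiting -Mode Enable -Force

# 3. Set the switches explained in the talk. Splatting lets each value carry its own comment.
$rrlSettings = @{
    ResponsesPerSec           = 5     # identical answers to one client per second
    ErrorsPerSec              = 5     # error answers (e.g. NXDOMAIN) to one client per second
    WindowInSec               = 5     # seconds a client stays suspended once over the limit
    LeakRate                  = 3     # while suspended, answer 1 of every 3 queries
    TruncateRate              = 2     # while suspended, send a truncated answer to 1 of every 2,
                                      # so a genuine resolver can retry over TCP
    MaximumResponsesPerWindow = 1024  # answers allowed to a suspended client per window
}
Set-DnsServerResponseRateLimiting @rrlSettings -Force

# 4. Verify what was applied instead of trusting the confirmation prompt.
$rrl = Get-DnsServerResponseRateLimiting
if ($rrl.Mode -notlike 'Enable*' -or $rrl.LeakRate -ne $rrlSettings.LeakRate) {
    throw "RRL not applied as expected: Mode=$($rrl.Mode) LeakRate=$($rrl.LeakRate)"
}

# 5. The whitelisting the talk mentions: an exception list exempts names, subnets or server
#    interfaces from RRL. List name and FQDN pattern are assumed sample values (contoso.com is
#    the talk's example domain).
Add-DnsServerResponseRateLimitingExceptionlist -Name 'AllowContoso' -Fqdn 'EQ,*.contoso.com'

# 6. Read RRL activity from the same Audit channel the demo opened in Event Viewer
#    (Applications and Services Logs > Microsoft > Windows > DNS-Server > Audit).
Get-WinEvent -LogName 'Microsoft-Windows-DNSServer/Audit' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# 7. Optional: log what would be throttled without dropping anything (the cmdlet's LogOnly
#    mode), which is the safe way to tune the numbers above on a production resolver first.
# Set-DnsServerResponseRateLimiting -Mode LogOnly -Force

# 8. Roll back as in the demo: restore the defaults (mode stays Enable), then switch RRL off,
#    and remove the sample exception list.
Set-DnsServerResponseRateLimiting -ResetToDefault -Force
Set-DnsServerResponseRateLimiting -Mode Disable -Force
Remove-DnsServerResponseRateLimitingExceptionlist -Name 'AllowContoso' -Force
Get-DnsServerResponseRateLimiting | Format-List Mode, ResponsesPerSec, LeakRate
```

Each Set call with a High confirm impact prompts interactively unless -Force is given, so step 4 is the real check that the values landed.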