Intermediate | T1557.001

DNS Integration

Active Directory cannot function without DNS. DNS is how clients locate domain controllers, authenticate, and find services. Poisoning DNS can redirect the entire domain.

DNS (Domain Name System) is the technology that translates names into addresses on a network, just like a phone book translates names into phone numbers. Active Directory depends completely on DNS to work. When your computer starts up and needs to find a domain controller to log you in, it asks DNS where to find one. Without DNS, your computer has no idea where to go, and AD effectively stops working. This tight dependency makes DNS a critical security concern: if an attacker can tamper with DNS responses, they can redirect computers to malicious servers and intercept credentials.

If Active Directory is a city, DNS is the GPS system that tells everyone how to get where they need to go. When your computer needs to find a domain controller to log in, it asks DNS for directions. If someone poisons the GPS data -- giving wrong directions -- cars (computers) end up at the wrong destination, possibly driving straight into an attacker's trap. Without working GPS, nobody in the city can find anything.

Key Takeaways

  1. AD is completely dependent on DNS for service location and DC discovery.
  2. AD-integrated DNS stores records in the AD database for secure replication.
  3. SRV records (_ldap._tcp, _kerberos._tcp) are how clients find domain controllers.
  4. LLMNR and NBT-NS poisoning can capture credentials when DNS fails.
  5. Any authenticated user can enumerate all AD DNS records — revealing the entire network topology.
  6. Wildcard record injection and WPAD hijacking turn AD DNS into an enterprise-wide credential harvesting tool.
  7. Stale DNS records from decommissioned servers are a common and easy-to-exploit attack vector.
  8. Disabling LLMNR/NBT-NS, enforcing the Global Query Block List, and auditing stale records are critical hardening steps.

Why Should I Care?

DNS is the silent foundation of AD. If an attacker controls DNS, they control where every machine on the network sends its authentication traffic. LLMNR/NBT-NS poisoning is one of the easiest initial-access techniques in internal penetration tests, but AD DNS abuse (wildcard injection, WPAD hijacking, stale record takeover) can achieve even broader impact with just an authenticated domain user account.
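To check the hardening steps listed in the Key Takeaways on a domain controller, here is an added PowerShell audit script (it is not from this page or from the sources it cites). It assumes the DnsServer RSAT module is installed, that it runs as a DNS administrator, and that `$ZoneName` and `$StaleDays` are placeholders you set for your own environment.

```powershell
# Added audit example (not from the page or its cited sources). Reports, but does not
# change, the LLMNR/NBT-NS, Global Query Block List, wildcard and stale-record state.
param(
    [string]$ZoneName = "corp.example.com",   # placeholder: your AD-integrated zone
    [int]$StaleDays   = 90                     # placeholder: age after which a dynamic record is suspect
)

$findings = @()

# 1. LLMNR is disabled by policy when EnableMulticast = 0 (checked on this host only;
#    the same policy should be applied domain-wide through GPO).
$llmnrKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"
$llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
if ($llmnr -ne 0) { $findings += "LLMNR not disabled by policy on this host (EnableMulticast=$llmnr)" }

# 2. NetBIOS over TCP/IP should be disabled on every IP-enabled adapter
#    (TcpipNetbiosOptions: 0 = via DHCP, 1 = enabled, 2 = disabled).
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" | ForEach-Object {
    if ($_.TcpipNetbiosOptions -ne 2) { $findings += "NBT-NS not disabled on adapter '$($_.Description)'" }
}

# 3. The Global Query Block List must be enabled and still contain wpad and isatap,
#    otherwise a user-registered 'wpad' record would be answered to every client.
$gqbl = Get-DnsServerGlobalQueryBlockList
if (-not $gqbl.Enable) { $findings += "Global Query Block List is disabled" }
foreach ($name in "wpad", "isatap") {
    if ($gqbl.List -notcontains $name) { $findings += "Global Query Block List is missing '$name'" }
}

# 4. A wildcard (*) record makes every otherwise-unresolvable name resolve to one host.
$wild = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name "*" -ErrorAction SilentlyContinue
if ($wild) { $findings += "Wildcard record present in $ZoneName -> $($wild.RecordData.IPv4Address -join ',')" }

# 5. Dynamic A records whose aging timestamp is older than $StaleDays are candidates for
#    review; static records carry no timestamp and are skipped here.
$cutoff = (Get-Date).AddDays(-$StaleDays)
Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
    Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
    ForEach-Object {
        $findings += "Stale A record $($_.HostName) ($($_.RecordData.IPv4Address)) last refreshed $($_.Timestamp)"
    }

if ($findings.Count -eq 0) { "No findings" } else { $findings }
```

Run it on each DNS server in the domain, since the LLMNR and NBT-NS checks are per host while the zone checks are per server.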

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.