If there are any problems please contact us at support@secure-dns.eu
1 Introduction
We have a PowerShell script available for download at:
https://portal.secutec.com/documents -> Configuration -> SecureDNS_Self-Onboarding_v1.5
It can be used on the Domain Controller / Windows DNS Server / Windows DHCP Server to automate the steps described in the other articles in this section.
The PowerShell script has an interactive menu, so the user can still control what steps are to be executed.
2 How to use
The menu has 10 options. For a new onboarding, the options can be followed in order, but every step can also be performed independently (for example: if Filebeat is to be installed at a later point in time, you can then use the script just to perform options 4-10).
Menu options:
- Backup current DNS server configuration
  This will save the current DNS settings (forwarders, debug logging settings, etc.) to C:\dnslogs\DNS_Config_Backup.json
- Test DNS resolution to Secutec SecureDNS DNS servers
  Because we only allow DNS queries from allowed public IP addresses, it is important for the customer to test DNS resolution prior to changing the DNS forwarders.
  You will be prompted with a list of DNS clusters. Which cluster to select depends on which cluster was provided by Secutec; you can find this information in your onboarding confirmation email.
  Select the cluster, and the output will tell you if this check succeeded. If not, contact us at support@secure-dns.eu to check the configuration with an engineer.
- Change DNS forwarders to Secutec SecureDNS
  You will be prompted with a list of DNS clusters. Which cluster to select depends on which cluster was provided by Secutec; you can find this information in your onboarding confirmation email.
  Select the cluster and then 2 out of the 3 DNS servers (a cluster consists of 3 DNS servers) will be chosen. Either A and C or B and C.
  This will take immediate effect and traffic will be forwarded to Secutec, so make sure the menu option 2 test (Test DNS resolution) succeeded!
- Enable DNS debug logging for Filebeat (view private IPs in SecureDNS dashboards)
  This will enable all the needed checkboxes in DNS debug logging, and create the following logfile: C:\dnslogs\log.txt
- Enable DHCP audit logs for Filebeat (view hostnames in SecureDNS dashboards)
  This will enable the DHCP audit logs on the DHCP server. Default path is: C:\Windows\system32\dhcp
- Download and Extract Filebeat
  This option will download Filebeat from one of our servers and unzip it to C:\Filebeat. Note that your Endpoint Security/EDR or firewall could block this outbound connection to retrieve the file from the Internet via PowerShell, or your server may simply not be connected to the Internet. In this case, you can manually download Filebeat from our portal at https://portal.secutec.com/documents -> Configuration -> SecureDNS_Filebeat_8.10.2_Windows_Certs2023 and manually extract the contents to C:\Filebeat on the server.
- Configure Filebeat
  Enter the Client Name and Site Name supplied by Secutec; you can find this information in your onboarding confirmation email. These have to match exactly with the values we have provided. The values entered in the script will be configured in C:\Filebeat\filebeat.yml
- Test Filebeat config and connectivity
  This will run .\filebeat test config and .\filebeat test output in the C:\Filebeat directory and show the output. If the tests fail, instructions will be displayed on how to solve it.
- Install Filebeat service
  This will install the Filebeat service.
- Start Filebeat service
  This will start the Filebeat service.
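The "test before you switch" order of menu options 2 and 3 can also be enforced by hand with the standard DnsServer cmdlets. The following is an added example, not the Secutec script: the function names, the rollback file location and the 192.0.2.x addresses are placeholders chosen for illustration.

```powershell
#Requires -Modules DnsServer
# Added example, not the Secutec onboarding script. Run on the Windows DNS server,
# so the test queries leave from the same public IP the forwarded traffic will use.
function Test-CandidateForwarder {
    param(
        [Parameter(Mandatory)] [string[]] $Forwarder,
        [string] $TestName = 'example.com'   # assumption: any resolvable public name
    )
    foreach ($ip in $Forwarder) {
        try {
            # -DnsOnly skips LLMNR/NetBIOS, so only the DNS server at $ip can answer
            $answer = Resolve-DnsName -Name $TestName -Server $ip -Type A -DnsOnly -ErrorAction Stop
            [pscustomobject]@{ Forwarder = $ip; Resolved = [bool]$answer; Error = $null }
        } catch {
            # A timeout or refusal here usually means the source IP is not allowed yet
            [pscustomobject]@{ Forwarder = $ip; Resolved = $false; Error = $_.Exception.Message }
        }
    }
}

function Switch-ForwarderSafely {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $Forwarder,
        [string] $RollbackFile = "$env:TEMP\forwarders_before_change.json"  # hypothetical path
    )
    # Gate: every candidate must answer, otherwise the server keeps its forwarders
    $failed = @(Test-CandidateForwarder -Forwarder $Forwarder | Where-Object { -not $_.Resolved })
    if ($failed.Count -gt 0) {
        $failed | ForEach-Object { Write-Warning "$($_.Forwarder): $($_.Error)" }
        throw "Forwarders left unchanged: $($failed.Forwarder -join ', ') did not answer."
    }
    # Record the current forwarders so the change can be reverted by hand
    $current = Get-DnsServerForwarder
    @{
        IPAddress   = @($current.IPAddress | ForEach-Object { $_.ToString() })
        UseRootHint = $current.UseRootHint
    } | ConvertTo-Json | Set-Content -Path $RollbackFile -Encoding UTF8
    if ($PSCmdlet.ShouldProcess(($Forwarder -join ', '), 'Set-DnsServerForwarder')) {
        Set-DnsServerForwarder -IPAddress $Forwarder -PassThru
    }
}

# Placeholder addresses (RFC 5737 documentation range): the check fails until they are
# replaced with the two servers of your cluster. Remove -WhatIf to apply the change.
Switch-ForwarderSafely -Forwarder '192.0.2.10', '192.0.2.30' -WhatIf
```

If a candidate forwarder does not answer, the function throws before Set-DnsServerForwarder is reached, so client resolution through this server is never pointed at a resolver that refuses its queries.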