Securing Dynamically Updated DNS Zones
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Use Active Directory–integrated zones and configure them for secure dynamic update. Secure dynamic update resolves the security risks associated with using dynamic update. Because dynamic update allows any computer to modify any record, an attacker can modify zone data, then impersonate existing servers.
For example, if you install the Web server, web.contoso.com, and it registers its IP address in DNS by using dynamic update, an attacker can install a second Web server, also name it web.contoso.com, and use dynamic update to modify the corresponding IP address in the DNS record. In this way, the attacker can impersonate the original Web server and capture secure information.
To prevent server impersonation, implement secure dynamic update. By using secure dynamic update, only the computers and users specified in an access control list (ACL) can modify objects within a zone.
If your security policy demands stricter security, modify these settings to further restrict access. Restrict access by computer, group, or user account, and assign permissions for the entire DNS zone and for the individual DNS names within the zone.
For more information about securing dynamically updated DNS zones, see the Networking Guide of the Windows Server 2003 Resource Kit (or see the Networking Guide on the Web at http://www.microsoft.com/reskit).