Restrict a DNS server to listen only on selected addresses

Applies To: Windows Server 2008

By default, a DNS Server service that is running on a multihomed computer is configured to listen for DNS queries using all of its IP addresses. You can make the DNS server more secure by limiting the IP addresses that the DNS Server service listens on to the IP address that is used by its DNS clients as their preferred DNS server.

Membership in the Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

Restricting a DNS server to listen only on selected addresses

  • Using the Windows interface

  • Using a command line

To restrict a DNS server to listen only on selected addresses using the Windows interface

  1. Open DNS Manager.

  2. In the console tree, click the applicable DNS server.

    Where?

    • DNS/applicable DNS server
  3. On the Action menu, click Properties.

  4. On the Interfaces tab, click Only the following IP addresses.

  5. In IP address, type an IP address to be enabled for this DNS server , and then click Add.

  6. Repeat the previous step as necessary to specify other server IP addresses to be enabled for this DNS server.

    To remove an IP address from the list, click it, and then click Remove.

Additional considerations

  • To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.

  • By default, the DNS Server service listens for DNS message communications on all configured IP addresses for the server computer.

  • Server IP addresses that are added here must be managed statically. If you later change or remove the addresses specified here from the TCP/IP configurations that are maintained at this server, update this list accordingly.

  • After you update or revise the list of restricted interfaces, you must stop and restart the DNS server to apply the new list.

  • Restricting the DNS Server service to only listen on specific IP addresses is an effective security measure because only hosts on the same network subnet, or hosts with a router that connects them to that same segment, have access to the server.

To restrict a DNS server to listen only on selected addresses using a command line

  1. Open a command prompt.

  2. Type the following command, and then press ENTER:

    dnscmd <ServerName> /ResetListenAddresses [<ListenAddress> ...]
    
Parameter Description

dnscmd

Specifies the name of the command-line tool for managing DNS servers.

<ServerName>

Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/ResetListenAddresses

Required. Resets the IP addresses of the interfaces on which the DNS server listens.

<ListenAddress> ...

Specifies one or more IP addresses for the interfaces on which you want the DNS server to listen. By default, the DNS Server service listens for DNS message communications on all configured IP addresses for the server computer.

To view the complete syntax for this command, at a command prompt, type the following command, and then press ENTER:

dnscmd <ServerName> /ResetListenAddresses /help

Addiditonal considerations

  • To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  • Server IP addresses that you add here must be managed statically. If you later change or remove the addresses specified here from the TCP/IP configurations that are maintained at this server, update this list accordingly.

  • After you update or revise the list of restricted interfaces, you must stop and restart the DNS server to apply the new list.

  • Restricting the DNS Server service to listen only on specific IP addresses is an effective security measure because only hosts on the same network subnet, or hosts with a router that connects them to that same segment, have access to the server.

Additional references