Chapter 6: Securing DNS
Updated: December 2, 2007
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2
Active Directory uses DNS to locate domain controllers that host various directory partitions and services. The DNS Server service facilitates replication and client access to the information that is stored in the directory partitions. Because DNS is an integral part of the architecture that is used to access Active Directory, it is important to configure DNS as securely as possible to help prevent unauthorized users from exploiting it. Whether their intent is malicious or innocent, any users who gain access to the DNS infrastructure with anything other than Read access can make changes that might result in the failure of the directory service.
The process of protecting DNS begins during deployment. Awareness of the ways in which DNS can be exploited can help drive decisions that are made during deployment. After deployment, the next step is properly delegating administrative responsibilities to implement those deployment decisions.
DNS data consists of DNS zones and records, zone configuration information, and server configuration information. Zone and server configuration information can be stored in the registry or in Active Directory. Zone data can be stored in zone files on the server or as zone objects in Active Directory. This discussion assumes that you use Active Directory–integrated DNS zones, which is a recommended best practice. When you integrate DNS zones into Active Directory, DNS can take advantage of the security capabilities of Active Directory.
Data that pertains to a single DNS zone that is hosted on the DNS server is stored in Active Directory, according to the scope that you set on zone replication in DNS:
- All domain controllers in the Active Directory domain: the MicrosoftDNS container in the domain directory partition.
- All DNS servers in the Active Directory domain: the DomainDnsZones application directory partition, which has a replica on each DNS server in the domain. Application directory partitions are available only on domain controllers running Windows Server 2003.
- All DNS servers in the Active Directory forest: the ForestDnsZones application directory partition, which has a replica on each DNS server in the forest. This option is available only if all DNS servers in the forest are running Windows Server 2003.
When you install a new domain and select Active Directory–integrated DNS, the default is to store Active Directory zone information on every DNS server in the domain, as opposed to on every domain controller in the domain. Storing DNS zone data in application directory partitions provides the following benefits:
- DNS zone data is not stored on, or replicated by, domain controllers that are not DNS servers.
- DNS zone data is not replicated to the global catalog.
Application directory partitions are new in Windows Server 2003. In Windows 2000, Active Directory–integrated DNS zone data is stored only in the domain directory partition; therefore, the data must be replicated to every domain controller in the domain.
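The three storage locations listed above, and the legacy domain-partition case described in this paragraph, can be audited from any domain-joined host. The following PowerShell script is an added example, not part of the original chapter or of any Microsoft tool; it enumerates the dnsZone objects under each MicrosoftDNS container so you can see which zones are still held in the domain partition (and therefore replicated to every domain controller, DNS server or not) versus the DomainDnsZones and ForestDnsZones application partitions. It uses only the .NET System.DirectoryServices classes, so it does not depend on the later DnsServer module. It assumes the account running it has Read access to the directory; the container paths are built from the RootDSE naming contexts, and the function name Get-DnsZoneObjects is the example's own.

```powershell
# Added example (not from the original article): list Active Directory-integrated
# DNS zones by storage location. Assumes a domain-joined host and a caller with
# Read access to the directory. Get-DnsZoneObjects is a name chosen for this example.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext     # e.g. DC=contoso,DC=com (resolved at run time)
$forestDn = [string]$rootDse.rootDomainNamingContext  # forest root domain DN

# The three locations the chapter describes, keyed by replication scope.
$locations = @{
    "All domain controllers in the domain (domain partition, Windows 2000 style)" = "CN=MicrosoftDNS,CN=System,$domainDn"
    "All DNS servers in the domain (DomainDnsZones application partition)"        = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
    "All DNS servers in the forest (ForestDnsZones application partition)"        = "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDn"
}

function Get-DnsZoneObjects([string]$searchBase) {
    # Returns the names (dc attribute) of dnsZone objects directly under the given
    # MicrosoftDNS container. A missing container (for example, an application
    # partition that was never created) is reported as "no zones" rather than an error.
    try {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot   = [ADSI]"LDAP://$searchBase"
        $searcher.Filter       = "(objectClass=dnsZone)"
        $searcher.SearchScope  = "OneLevel"
        $searcher.PropertiesToLoad.Add("dc") | Out-Null
        $searcher.FindAll() | ForEach-Object { [string]$_.Properties["dc"][0] }
    } catch {
        @()
    }
}

foreach ($scope in $locations.Keys) {
    $zones = @(Get-DnsZoneObjects $locations[$scope])
    Write-Host ("{0}: {1} zone(s)" -f $scope, $zones.Count)
    foreach ($zone in $zones) { Write-Host ("    " + $zone) }
}
```

Any zone that appears under the first heading is stored the Windows 2000 way and is being replicated to domain controllers that do not run the DNS Server service; those are the zones to review when deciding whether to move them to an application directory partition as part of the deployment decisions discussed above.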