Securing DNS clients

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The following DNS client considerations have security implications for DNS clients in a DNS infrastructure:

  • Whenever possible, specify static IP addresses for the preferred and alternate DNS servers used by a DNS client. If a DNS client is configured to obtain its DNS server addresses automatically, it will obtain them from a DHCP server. While this method of obtaining DNS server addresses is secure, it is only as secure as the DHCP server. By configuring DNS clients with static IP addresses for the preferred and alternate DNS servers, you eliminate one possible avenue of attack.

    For more information, see Configure TCP/IP to use DNS; Enable DNS for DHCP-enabled clients.

  • Control which DNS clients have access to the DNS server. If a DNS server is configured to listen only on specific IP addresses, then only DNS clients configured to use these IP addresses as preferred and alternate DNS servers will contact the DNS server.

    For more information, see Restrict a DNS server to listen only on selected addresses.
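To check the first recommendation across clients, the following added example (not part of the original documentation or Microsoft's code) parses saved `netsh interface ip show dns` output and reports interfaces whose DNS servers come from DHCP or are not on an approved list. The output layout, interface names, and approved addresses are constructed assumptions.

```python
import re
# Constructed sample; layout assumed to match `netsh interface ip show dns`.
SAMPLE = '''
Configuration for interface "Local Area Connection"
    Statically Configured DNS Servers:    10.0.0.10
                                          10.0.0.11
    Register with which suffix:           Primary only

Configuration for interface "Lab Network"
    DNS servers configured through DHCP:  192.168.50.1

Configuration for interface "Backup LAN"
    Statically Configured DNS Servers:    10.0.0.10
                                          172.16.9.9
'''
APPROVED = {"10.0.0.10", "10.0.0.11"}  # hypothetical approved DNS servers
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_dns_config(text):
    """Map interface name -> {"source": "static" or "dhcp", "servers": [...]}."""
    result, current, collecting = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'Configuration for interface "(.+)"$', line)
        if m:
            current = result.setdefault(m.group(1), {"source": None, "servers": []})
            collecting = False
            continue
        if current is None or not line:
            continue
        label, sep, value = line.partition(":")
        if sep and "DNS SERVERS" in label.upper():
            current["source"] = "dhcp" if "DHCP" in label else "static"
            collecting, line = True, value.strip()  # first address shares the label line
        elif sep:
            collecting = False  # a different labelled field ends the address list
        if collecting and IPV4.match(line):
            current["servers"].append(line)  # continuation lines hold one address each
    return result

def audit(text, approved=APPROVED):
    """Return sorted (interface, issue) pairs for DHCP-supplied or unapproved servers."""
    findings = []
    for name, cfg in parse_dns_config(text).items():
        if cfg["source"] == "dhcp":
            findings.append((name, "DNS servers assigned by DHCP"))
        findings += [(name, "unapproved DNS server " + ip)
                     for ip in cfg["servers"] if ip not in approved]
    return sorted(findings)
```

Calling `audit(SAMPLE)` flags "Lab Network" for DHCP-assigned servers and "Backup LAN" for a static entry outside the approved set.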

For more information, see Security information for DNS.