Securing DNS resource records

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The following DNS resource record configuration options have security implications for resource records stored in both standard and Active Directory-integrated DNS zones:

  • Manage the discretionary access control list (DACL) on DNS resource records stored in Active Directory. The DACL allows you to control the permissions for the Active Directory users and groups that may control the DNS resource records. For more information, see Modify security for a resource record.

    The following table lists the default group or user names and permissions for DNS resource records stored in Active Directory.

    Group or user names                   Permissions
    ------------------------------------  ------------------------------------------------------------
    Administrators                        Allow: Read, Write, Create All Child objects, Special Permissions
    Authenticated Users                   Allow: Create All Child objects
    Creator Owner                         Special Permissions
    DnsAdmins                             Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects, Special Permissions
    Domain Admins                         Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects
    Enterprise Admins                     Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects
    Enterprise Domain Controllers         Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects, Special Permissions
    Everyone                              Allow: Read, Special Permissions
    Pre-Windows 2000 Compatible Access    Allow: Special Permissions
    System                                Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects
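The following is an added example, not part of the original page or Microsoft's own code: it lists Allow entries on DNS record objects that grant write or delete rights to a trustee outside the default table above. It assumes a management host with the ActiveDirectory PowerShell module that can reach the domain; the zone distinguished name in `$ZoneDn` is a placeholder for wherever your zone is stored.

```powershell
# Added example: find non-default trustees that can change DNS records in an
# Active Directory-integrated zone. Read-only; it does not modify any DACL.
Import-Module ActiveDirectory

# Placeholder (assumption): distinguished name of the zone container to audit.
$ZoneDn = 'DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com'

# Default trustees from the table above, compared without the domain or
# authority prefix (for example BUILTIN\ or NT AUTHORITY\).
$DefaultTrustees = @(
    'Administrators', 'Authenticated Users', 'CREATOR OWNER', 'DnsAdmins',
    'Domain Admins', 'Enterprise Admins', 'ENTERPRISE DOMAIN CONTROLLERS',
    'Everyone', 'Pre-Windows 2000 Compatible Access', 'SYSTEM'
)

# Individual rights that let a trustee alter, re-permission or remove a record.
# Full Control (GenericAll) contains all of these bits, so it also matches.
$ModifyRights = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner, Delete, DeleteTree, DeleteChild, CreateChild'

Get-ADObject -SearchBase $ZoneDn -LDAPFilter '(objectClass=dnsNode)' | ForEach-Object {
    $record = $_
    # The AD: drive is provided by the ActiveDirectory module.
    (Get-Acl -Path "AD:\$($record.DistinguishedName)").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $ModifyRights) -and
            ($DefaultTrustees -notcontains ($_.IdentityReference.Value -replace '^.*\\', ''))
        } |
        Select-Object @{ Name = 'Record';  Expression = { $record.Name } },
                      @{ Name = 'Trustee'; Expression = { $_.IdentityReference.Value } },
                      ActiveDirectoryRights, IsInherited
}
```

Records registered through secure dynamic update typically carry an entry for the registering computer account, so expect those in the output and review the remaining trustees.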

For more information, see Security information for DNS.