Securing Domain Name System Zones
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
To secure the Domain Name System (DNS) zones in your environment, use the following guidelines:
Configure secure dynamic updates. By default, the Dynamic updates option is not set to allow dynamic updates. This is the most secure setting because it prevents an attacker from updating DNS zones. However, this setting prevents you from taking advantage of the benefits to administration that dynamic updates provide. To make it possible for computers to update DNS data securely, store DNS zones in Active Directory, and use the secure dynamic update feature. Secure dynamic update restricts DNS zone updates to only the following:
- Computers that are authenticated and joined to the Active Directory domain where the DNS server is located
- The specific security settings that are defined in the access control lists (ACLs) for the DNS zone
Restrict zone transfers. By default, the DNS Server service allows zone information to be transferred only to servers that are listed in the name server (NS) resource records of a zone. This is a secure configuration. However, for increased security, this configuration should be changed to enable the option that allows zone transfers only to specified Internet Protocol (IP) addresses. Changing this configuration to allow zone transfers to any server at all may expose your DNS data to an attacker who is attempting to footprint your network.
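The two settings above (secure dynamic update on an Active Directory-integrated zone, and zone transfers limited to a fixed list of secondaries) can be applied and verified from a command prompt with dnscmd.exe, the DNS administration tool shipped with Windows Server 2003. The script below is an added example and is not from the Microsoft page; the server name DNSSERVER, the zone corp.example.com and the secondary addresses 10.0.0.11 and 10.0.0.12 are placeholders to replace with your own values.

```bat
@echo off
rem Added example (not part of the original page): harden one DNS zone with dnscmd.exe.
rem Placeholders: DNSSERVER (the DNS server to administer), corp.example.com (the zone),
rem and the two secondary server addresses in step 3.
setlocal
set SERVER=DNSSERVER
set ZONE=corp.example.com

rem 1. Store the zone in Active Directory. Secure dynamic update is only available
rem    for AD-integrated zones; /DsPrimary converts a standard primary zone.
dnscmd %SERVER% /ZoneResetType %ZONE% /DsPrimary

rem 2. Accept secure dynamic updates only.
rem    /AllowUpdate 0 = no dynamic updates (the default)
rem                 1 = nonsecure and secure updates (any host can overwrite records)
rem                 2 = secure updates only (authenticated domain members, subject to the zone ACL)
dnscmd %SERVER% /Config %ZONE% /AllowUpdate 2

rem 3. Allow zone transfers only to an explicit list of secondary servers.
rem    The default is /SecureNs (servers named in the zone's NS records);
rem    /NonSecure would allow transfers to any requester and should not be used.
dnscmd %SERVER% /ZoneResetSecondaries %ZONE% /SecureList 10.0.0.11 10.0.0.12

rem 4. Verify: the zone report should show the zone as DS-integrated, with the update
rem    setting at 2 and the secondary list limited to the addresses given above.
dnscmd %SERVER% /ZoneInfo %ZONE%
endlocal
```

Run the script once per zone from an account that holds DNS administrative rights on the server; step 1 is unnecessary for zones that are already Active Directory-integrated, and step 2 fails on a standard primary zone because value 2 is accepted only for AD-integrated zones.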
Understand the compromise involved in zone delegation. When you decide whether to delegate DNS domain names to zones that are hosted on DNS servers that are administered separately, it is important to consider the security implications of giving the ability to administer the DNS data for your network to multiple individuals. DNS zone delegation involves a compromise between the security benefits of having a single authoritative DNS server for all DNS data and the administrative benefits of distributing responsibility for your DNS namespace to separate administrators. This issue is very important when you delegate the top-level domains of a private DNS namespace, because those domains contain very sensitive DNS data.
For more information about planning DNS zones, see Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
To begin this task, meet the following requirements:
To complete this task, perform the following procedures: