Securing DNS zones

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


The following DNS zone configuration options have security implications for both standard and Active Directory-integrated DNS zones:

  • Configure secure dynamic updates. By default, a zone does not accept dynamic updates at all. This is the most secure setting, because nothing on the network can rewrite the zone, but it also gives up the administrative benefits of dynamic update. To let computers update DNS data safely, store the zone in Active Directory and use secure dynamic update. Secure dynamic update restricts zone updates to computers that have authenticated to the Active Directory domain in which the DNS server is located, and further to whatever the ACLs on the zone and its records allow. A standard (file-based) zone cannot authenticate the sender of an update, so on a standard zone the only choices are "no dynamic updates" or "accept updates from anyone".

    For more information, see Allow only secure dynamic updates.

  • Manage the discretionary access control list (DACL) on DNS zones stored in Active Directory. The DACL controls which Active Directory users and groups can read, create, modify, or delete the zone and the records in it.

    The following table lists the default group or user names and permissions for DNS zones stored in Active Directory.

    Group or user name                   Permissions
    ------------------                   -----------
    Administrators                       Allow: Read, Write, Create All Child objects, Special Permissions
    Authenticated Users                  Allow: Create All Child objects
    Creator Owner                        Special Permissions
    DnsAdmins                            Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects, Special Permissions
    Domain Admins                        Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects
    Enterprise Admins                    Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects
    Enterprise Domain Controllers        Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects, Special Permissions
    Everyone                             Allow: Read, Special Permissions
    Pre-Windows 2000 Compatible Access   Allow: Special Permissions
    System                               Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects

    Note that Authenticated Users holds Create All Child objects by default: this is what lets any domain-authenticated computer register its own records through secure dynamic update, and Creator Owner then lets it modify the records it created. Anyone added to this DACL with write or create rights gains the same control over the zone as a DNS administrator, so review additions to it as carefully as additions to DnsAdmins.

    For more information, see Modify security for a directory-integrated zone.

    The DNS Server service running on a domain controller stores Active Directory-integrated zone data as Active Directory objects and attributes. Setting the DACL on those Active Directory objects has exactly the same effect as setting the DACL on the zone in the DNS console, because they are the same security descriptor. Consequently, the administrators of Active Directory objects and the administrators of DNS data must coordinate so that they do not reverse each other's security settings.

    The Active Directory objects and attributes used by DNS zone data stored in Active Directory are described in the following table.

    Object        Description
    ------        -----------
    dnsZone       Container created when a zone is stored in Active Directory.
    dnsNode       Leaf object used to map and associate a name in the zone to resource data.
    dnsRecord     Multivalued attribute of a dnsNode object used to store the resource records associated with the named node object.
    dnsProperty   Multivalued attribute of a dnsZone object used to store zone configuration information.

    For more information, see Assign, change, or remove permissions on Active Directory objects or attributes.

  • Restrict zone transfers. By default, the DNS Server service allows zone transfers only to the servers listed in the zone's name server (NS) resource records. This is a reasonably secure configuration, but for increased security change it to allow zone transfers only to a list of specified IP addresses, so that an attacker who can add or spoof an NS record does not automatically gain transfer rights. Allowing zone transfers to any server lets any host that can reach the server on TCP port 53 pull the entire contents of the zone, which is exactly the data an attacker wants when footprinting your network.

    For more information, see Modify zone transfer settings.

  • Understand the compromise involved in zone delegation. When deciding whether to delegate DNS domain names to zones hosted on DNS servers that are administered separately, consider the security implications of giving several people the ability to administer DNS data for your network. Zone delegation is a compromise between the security benefit of a single authoritative DNS server for all DNS data and the administrative benefit of distributing responsibility for the namespace to separate administrators. This matters most when delegating the top-level domains of a private DNS namespace, because those domains contain the most sensitive DNS data and every delegated administrator becomes a trusted party.

    For more information, see Delegating zones.
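The following script is an added example and is not code from the original article or from Microsoft. It audits the first three settings above on a Windows Server 2003 DNS server: it reads each primary zone through the DNS WMI provider (root\MicrosoftDNS, present on Windows Server 2003), checks the dynamic update mode and the zone transfer restriction, dumps the DACL of the dnsZone object of every Active Directory-integrated zone and flags trustees with write or create rights that are not in the default table above, and, when run with -Fix, corrects the update and transfer settings with dnscmd.exe. The server name and the list of authorised secondary servers are assumed placeholders, and the script expects PowerShell 2.0 or later.

```powershell
# Added example, not from the original article. Requires PowerShell 2.0+ and an
# account with DNS administration rights on the target server.
# ASSUMED placeholders: $DnsServer and $Secondaries; replace them with your own.
param(
    [string]   $DnsServer   = "dc1.corp.example.com",       # assumed DNS server name
    [string[]] $Secondaries = @("10.0.0.11", "10.0.0.12"),  # assumed authorised secondaries
    [switch]   $Fix
)

# Numeric codes used by MicrosoftDNS_Zone and by dnscmd for the two settings.
$UpdateMode = @{ 0 = "None"; 1 = "Nonsecure and secure"; 2 = "Secure only" }               # AllowUpdate
$XferMode   = @{ 0 = "Any server"; 1 = "NS records only"; 2 = "Listed servers"; 3 = "None" } # SecureSecondaries

# Trustees that hold write/create rights on a dnsZone object by default (the table above).
$DefaultWriters = @("Administrators", "Authenticated Users", "CREATOR OWNER", "DnsAdmins",
                    "Domain Admins", "Enterprise Admins", "ENTERPRISE DOMAIN CONTROLLERS", "SYSTEM")
$WriteRights = "GenericAll|GenericWrite|WriteProperty|CreateChild|DeleteChild|WriteDacl|WriteOwner|Delete"

function Get-DnsZoneObject([string]$ZoneName) {
    # AD-integrated zone data lives under a CN=MicrosoftDNS container in one of three
    # naming contexts; try each until the dnsZone object for this zone turns up.
    $root     = [ADSI]"LDAP://RootDSE"
    $domainDN = $root.defaultNamingContext
    $forestDN = $root.rootDomainNamingContext
    foreach ($base in @("DC=DomainDnsZones,$domainDN", "CN=System,$domainDN", "DC=ForestDnsZones,$forestDN")) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot  = [ADSI]"LDAP://CN=MicrosoftDNS,$base"
        $searcher.SearchScope = "OneLevel"
        $searcher.Filter      = "(&(objectClass=dnsZone)(name=$ZoneName))"
        try { $hit = $searcher.FindOne() } catch { $hit = $null }   # container may not exist here
        if ($hit) { return $hit.GetDirectoryEntry() }
    }
    return $null
}

function Test-DnsZoneDacl([string]$ZoneName) {
    # Returns one finding per Allow ACE that grants write-class rights to a trustee
    # outside the default list. Unresolvable SIDs (deleted accounts) are flagged too.
    $obj = Get-DnsZoneObject $ZoneName
    if (-not $obj) { return @("dnsZone object not found in any DNS naming context") }
    $findings = @()
    foreach ($ace in $obj.psbase.ObjectSecurity.Access) {
        $who = ($ace.IdentityReference.Value -split '\\')[-1]          # strip DOMAIN\ or BUILTIN\
        if ($ace.AccessControlType -eq "Allow" -and
            $ace.ActiveDirectoryRights.ToString() -match $WriteRights -and
            $DefaultWriters -notcontains $who) {
            $findings += "non-default trustee '$($ace.IdentityReference)' holds $($ace.ActiveDirectoryRights)"
        }
    }
    return $findings
}

function Test-DnsZoneHardening {
    $zones = Get-WmiObject -ComputerName $DnsServer -Namespace "root\MicrosoftDNS" -Class MicrosoftDNS_Zone |
             Where-Object { $_.ZoneType -eq 1 }   # 1 = primary; secondaries and stubs take no updates
    foreach ($z in $zones) {
        $findings = @()
        $update   = [int]$z.AllowUpdate          # WMI returns UInt32; cast so the hashtable lookup matches
        $xfer     = [int]$z.SecureSecondaries
        if ($z.DsIntegrated) {
            if ($update -ne 2) { $findings += "dynamic update is '$($UpdateMode[$update])', expected 'Secure only'" }
            $dacl = Test-DnsZoneDacl $z.Name
            if ($dacl) { $findings += $dacl }
        } elseif ($update -ne 0) {
            # A standard zone cannot authenticate updaters: anything but 'None' lets any host rewrite records.
            $findings += "standard zone accepts dynamic updates ('$($UpdateMode[$update])'); only 'None' is safe"
        }
        if ($xfer -lt 2) {
            $findings += "zone transfers allowed to '$($XferMode[$xfer])', expected a fixed list of secondaries"
        }
        if ($Fix -and $findings) {
            # dnscmd.exe ships with Windows Server 2003; /AllowUpdate 2 = secure only, 0 = none.
            if ($z.DsIntegrated) { & dnscmd $DnsServer /Config $z.Name /AllowUpdate 2 | Out-Null }
            else                 { & dnscmd $DnsServer /Config $z.Name /AllowUpdate 0 | Out-Null }
            & dnscmd $DnsServer /ZoneResetSecondaries $z.Name /SecureList $Secondaries /NotifyList $Secondaries | Out-Null
        }
        New-Object PSObject -Property @{ Zone = $z.Name; ADIntegrated = [bool]$z.DsIntegrated; Findings = $findings }
    }
}

Test-DnsZoneHardening | Format-List
```

Run it once without -Fix and read the Findings for each zone; the DACL findings are deliberately not auto-corrected, because an unexpected trustee may be a legitimate delegation and removing it silently would break someone's update path. Re-run after -Fix to confirm the update and transfer modes now read as expected.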

DNS zone data recovery

If your DNS data has been corrupted, you can restore the zone file of a standard zone from the backup folder, %SystemRoot%\System32\dns\backup. When a zone is first created, a copy of the zone file is placed in the backup folder; it is not updated afterwards, so it contains the zone as it was at creation and any records added since must be restored from a system backup or re-entered. To recover the zone, copy the original zone file from the backup folder into the %SystemRoot%\System32\dns folder. Then, when you use the New Zone Wizard to create the zone, specify that file in the %SystemRoot%\System32\dns folder as the zone file for the new zone. For more information, see Add a forward lookup zone.

Note

  • This operation only applies to standard zones that are not stored in Active Directory.

For both standard and Active Directory-integrated zones, use the system backup feature to establish a standard data recovery procedure for your DNS infrastructure; the backup folder above does not cover Active Directory-integrated zones at all. For more information, see Create an Automated System Recovery set using Backup.
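The following script is an added example and is not part of the original article. It complements the recovery procedure above with a zone-level backup that also covers Active Directory-integrated zones, which the backup folder does not: dnscmd /ZoneExport, a documented dnscmd switch that this page does not mention, writes any zone, including an AD-integrated one, as a standard text zone file under %SystemRoot%\System32\dns. The script exports every primary zone, then copies the exports, the live zone files and the backup folder into a dated directory. The backup root path is an assumed placeholder, and the script is meant to run locally on the DNS server.

```powershell
# Added example, not from the original article. Run locally on the DNS server with
# DNS administration rights. ASSUMED placeholder: $BackupRoot.
param(
    [string] $BackupRoot = "D:\Backups\DNS"   # assumed destination; use a volume other than the system one
)

function Backup-DnsZones {
    $dnsDir    = Join-Path $env:SystemRoot "System32\dns"          # where dnscmd /ZoneExport writes
    $dest      = Join-Path $BackupRoot (Get-Date -Format "yyyyMMdd-HHmmss")
    $dnsServer = $env:COMPUTERNAME
    New-Item -ItemType Directory -Path $dest -Force | Out-Null

    $zones = Get-WmiObject -Namespace "root\MicrosoftDNS" -Class MicrosoftDNS_Zone |
             Where-Object { $_.ZoneType -eq 1 }                     # 1 = primary (file-based or AD-integrated)
    $exported = @()
    foreach ($z in $zones) {
        # Export each zone to a text zone file; remove any stale export of the same name first.
        $file = "$($z.Name).export.dns"
        Remove-Item (Join-Path $dnsDir $file) -ErrorAction SilentlyContinue
        & dnscmd $dnsServer /ZoneExport $z.Name $file | Out-Null
        if ($LASTEXITCODE -eq 0) { $exported += $z.Name }
        else { Write-Warning "export of $($z.Name) failed with dnscmd exit code $LASTEXITCODE" }
    }

    # Live zone files for standard zones, the fresh exports, and the original copies in the backup folder.
    Copy-Item (Join-Path $dnsDir "*.dns") $dest -ErrorAction SilentlyContinue
    Copy-Item (Join-Path $dnsDir "backup") (Join-Path $dest "backup") -Recurse -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{ Destination = $dest; ExportedZones = $exported }
}

Backup-DnsZones
```

To restore an Active Directory-integrated zone from such an export, create the zone again as a standard primary zone from the exported file, as described above for the backup folder, and then convert it back to Active Directory-integrated storage; record data is restored, but the zone's DACL is not carried in the text file and must be re-applied.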

For more information, see Security information for DNS.