
Securing DNS zones

Applies To: Windows Server 2008

The Domain Name System (DNS) zone configuration options in the following sections have security implications for both standard and Active Directory-integrated DNS zones.

Configure secure dynamic updates

By default, the Dynamic updates setting is not configured to allow dynamic updates. This is the most secure setting because it prevents an attacker from updating DNS zones. However, this setting prevents you from taking advantage of the administrative benefits that dynamic update provides. To let computers update DNS data more securely, store DNS zones in Active Directory Domain Services (AD DS) and use the secure dynamic update feature. Secure dynamic update restricts DNS zone updates to computers that are authenticated and joined to the Active Directory domain where the DNS server is located, and further constrains those updates to the specific security settings that are defined in the access control lists (ACLs) for the DNS zone.

For more information, see Allow Only Secure Dynamic Updates.

Manage the DACL on the DNS zones that are stored in AD DS

You can use the discretionary access control list (DACL) to control the permissions for the Active Directory users and groups that may control the DNS zones.

The following table lists the default group or user names and permissions for DNS zones that are stored in AD DS.

Group or user names | Permissions
Administrators | Allow: Read, Write, Create All Child objects, Special Permissions
Authenticated Users | Allow: Create All Child objects
Creator Owner | Special Permissions
DnsAdmins | Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects, Special Permissions
Domain Admins | Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects
Enterprise Admins | Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects
Enterprise Domain Controllers | Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects, Special Permissions
Everyone | Allow: Read, Special Permissions
Pre-Windows 2000 Compatible Access | Allow: Special Permissions
System | Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects

For more information, see Modify Security for a Directory-Integrated Zone.

The DNS Server service running on a domain controller that has zones stored in AD DS stores its zone data in AD DS using Active Directory objects and attributes. Configuring the DACL on the DNS Active Directory objects has the same effect as configuring the DACL on DNS zones in DNS Manager. Consequently, the security administrators of Active Directory objects and the security administrators of DNS data should be in direct contact to ensure that the administrators do not reverse each other's security settings.

The following table describes the Active Directory objects and attributes that are used by DNS zone data.

Object | Description
DnsZone | This container is created when a zone is stored in AD DS.
DnsNode | This leaf object is used to map and associate a name in the zone to resource data.
DnsRecord | This multivalued attribute of a dnsNode object is used to store the resource records that are associated with the named node object.
DnsProperty | This multivalued attribute of a dnsZone object is used to store zone configuration information.
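Because the DACL on the dnsZone object is the DACL on the zone, it can be reviewed directly in the directory. The following added example (not from the original article) lists the access control entries on a zone's dnsZone object and flags any trustee that is not in the default table above yet holds rights that allow writing zone data or changing the DACL. It assumes the ActiveDirectory module is available and that the zone is stored in the DomainDnsZones partition; the zone name and domain DN are constructed samples.

```powershell
# Added example, not part of the original article. Requires the
# ActiveDirectory module (Windows Server 2008 R2 RSAT or later).
Import-Module ActiveDirectory

$ZoneName = 'corp.example.com'            # constructed sample zone name
$DomainDn = 'DC=corp,DC=example,DC=com'   # constructed sample domain DN

# dnsZone objects for domain-wide zones live under CN=MicrosoftDNS in the
# DomainDnsZones application partition.
$zonePath = "AD:\DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn"

# Trustees that appear in the default DACL described in the article.
$expected = @(
    'BUILTIN\Administrators', 'NT AUTHORITY\Authenticated Users', 'CREATOR OWNER',
    'DnsAdmins', 'Domain Admins', 'Enterprise Admins',
    'Enterprise Domain Controllers', 'Everyone',
    'BUILTIN\Pre-Windows 2000 Compatible Access', 'NT AUTHORITY\SYSTEM'
)

# Rights that let a principal alter zone data or the zone's own security.
$writeRights = 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner|CreateChild|DeleteChild'

$acl = Get-Acl -Path $zonePath
foreach ($ace in $acl.Access) {
    # Strip the domain prefix so "CORP\DnsAdmins" matches "DnsAdmins".
    $trustee   = $ace.IdentityReference.Value
    $shortName = $trustee.Split('\')[-1]
    $isDefault = ($expected -contains $trustee) -or ($expected -contains $shortName)
    $canWrite  = ($ace.ActiveDirectoryRights.ToString() -match $writeRights)

    $flag = ''
    if (-not $isDefault -and $canWrite -and $ace.AccessControlType -eq 'Allow') {
        $flag = 'REVIEW: non-default trustee with write rights on the zone'
    }

    # New-Object keeps the script usable on PowerShell 2.0.
    New-Object PSObject -Property @{
        Trustee   = $trustee
        Type      = $ace.AccessControlType
        Rights    = $ace.ActiveDirectoryRights
        Inherited = $ace.IsInherited
        Flag      = $flag
    }
}
```

Authenticated Users holding Create All Child objects is expected: it is what lets a domain-joined computer register its own records under secure dynamic update, after which Creator Owner permissions govern who may change that record.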

Restrict zone transfers

By default, the DNS Server service allows zone information to be transferred only to servers that are listed in the name server (NS) resource records of a zone. This is a secure configuration, but for increased security, change this setting to the option that allows zone transfers only to specified IP addresses. Changing this setting to allow zone transfers to any server may expose your DNS data to an attacker attempting to footprint your network.

For more information, see Modify Zone Transfer Settings.
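The dynamic update setting from the first section and the zone transfer setting from this one can both be audited across every zone on a server through the MicrosoftDNS WMI provider, which ships with the DNS Server role on Windows Server 2008. The following added example (not from the original article) reports both settings for each primary zone and flags configurations the article calls out as risky. The numeric codes are those of the MicrosoftDNS_Zone class; the server name is an assumption.

```powershell
# Added example, not part of the original article. Run on the DNS server,
# or pass a remote server name with WMI access.
param(
    [string]$DnsServer = 'localhost'   # assumption: local DNS server
)

# MicrosoftDNS_Zone.AllowUpdate codes
$updateNames = @{ 0 = 'None'; 1 = 'Nonsecure and secure'; 2 = 'Secure only' }
# MicrosoftDNS_Zone.SecureSecondaries codes
$xferNames = @{ 0 = 'Any server'; 1 = 'Servers in NS records'; 2 = 'Listed servers only'; 3 = 'Disabled' }

$zones = Get-WmiObject -ComputerName $DnsServer -Namespace 'root\MicrosoftDNS' `
             -Class 'MicrosoftDNS_Zone' |
         Where-Object { $_.ZoneType -eq 1 }   # 1 = primary; only primaries accept updates

foreach ($zone in $zones) {
    $findings = @()
    # WMI returns UInt32; cast so the hashtable keys (Int32) match.
    $update = [int]$zone.AllowUpdate
    $xfer   = [int]$zone.SecureSecondaries

    # Dynamic updates: nonsecure lets any host overwrite records.
    if ($update -eq 1) {
        $findings += 'Nonsecure dynamic updates allowed'
    }
    if ($update -ne 0 -and -not $zone.DsIntegrated) {
        $findings += 'Dynamic updates on a file-backed zone; secure update needs AD DS storage'
    }

    # Zone transfers: "any server" hands the whole zone to anyone who asks.
    if ($xfer -eq 0) {
        $findings += 'Zone transfers allowed to any server'
    } elseif ($xfer -eq 1) {
        $findings += 'Transfers follow NS records; consider an explicit IP list'
    } elseif ($xfer -eq 2 -and -not $zone.SecondaryServers) {
        $findings += 'Transfer list selected but empty'
    }

    New-Object PSObject -Property @{
        Zone          = $zone.Name
        ADIntegrated  = [bool]$zone.DsIntegrated
        DynamicUpdate = $updateNames[$update]
        ZoneTransfer  = $xferNames[$xfer]
        Secondaries   = ($zone.SecondaryServers -join ', ')
        Findings      = ($findings -join '; ')
    }
}
```

Pipe the output to Format-Table or Export-Csv to keep a baseline, so that a later run shows which zones drifted from the secure-only and listed-servers settings.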

Understand the compromise involved in zone delegation

When you are deciding whether to delegate DNS domain names to zones hosted on DNS servers that are administered separately, it is important to consider the security implications of giving multiple individuals the ability to administer the DNS data for your network. DNS zone delegation involves a compromise between the security benefits of having a single authoritative DNS server for all DNS data and the administrative benefits of distributing responsibility for your DNS namespace to separate administrators. This issue is very important when you are delegating the top-level domains of a private DNS namespace, because those domains contain very sensitive DNS data.

For more information, see Understanding Zone Delegation.

Recover DNS zone data

If your DNS data is corrupted, you can restore your DNS zone file from the backup folder, which is located in the %systemroot%/DNS/Backup folder. When a zone is first created, a copy of the zone is added to the backup folder. To recover the zone, copy the original zone file from the backup folder into the %systemroot%/DNS folder. When you use the New Zone Wizard to create the zone, specify the zone file in the %systemroot%/DNS folder as the zone file for the new zone. For more information, see Add a Forward Lookup Zone.

This operation applies only to standard zones that are not stored in AD DS.

For more information, see Security Information for DNS.