Developing a DNS Security Policy

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

If your DNS data is compromised, attackers can gain information about your network that can be used to compromise other services. For example, attackers can harm your organization in the following ways:

  • By using zone transfer, attackers can retrieve a list of all the hosts and their IP addresses in your network.

  • By using denial-of-service attacks, attackers can prevent e-mail from being delivered to and from your network, and they can prevent your Web server from being visible.

  • If attackers can change your zone data, they can set up fake Web servers, or cause e-mail to be redirected to their servers.

Your risk of attack varies depending on your exposure to the Internet. For a DNS server in a private network that uses a private namespace, a private addressing scheme, and an effective firewall, the risk of attack is lower and the possibility of discovering the intruder is greater. For a DNS server that is exposed to the Internet, the risk is higher.

Developing a DNS security policy involves:

  • Deciding what access your clients need, what tradeoffs you want to make between security and performance, and what data you most want to protect.

  • Familiarizing yourself with the security issues common to internal and external DNS servers.

  • Studying your name resolution traffic to see which clients can query which servers.

You can choose to adopt a low-level, mid-level, or high-level DNS security policy.

Low-Level DNS Security Policy

Low-level security does not require any additional configuration of your DNS deployment. Use this level of DNS security in a network environment in which you are not concerned about the integrity of your DNS data, or in a private network in which no external connectivity is possible. A low-level security policy includes the following characteristics:

  • All DNS servers in your network perform standard DNS resolution.

  • All DNS servers are configured with root hints that point to the root servers for the Internet.

  • All DNS servers permit zone transfers to any server.

  • All DNS servers are configured to listen on all of their IP addresses.

  • Secure cache against pollution is disabled on all DNS servers.

  • Dynamic update is allowed for all DNS zones.

  • User Datagram Protocol (UDP) and TCP port 53 are open on the firewall for your network for both source and destination addresses.

Mid-Level DNS Security Policy

Mid-level DNS security consists of the DNS security features that are available without running DNS servers on domain controllers and storing DNS zones in Active Directory. A mid-level security policy includes the following characteristics:

  • The DNS infrastructure of your organization has limited exposure to the Internet.

  • All DNS servers are configured to use forwarders to point to a specific list of internal DNS servers when they cannot resolve names locally.

  • All DNS servers limit zone transfers to servers listed in the NS records in their zones.

  • DNS servers are configured to listen on specified IP addresses.

  • Secure cache against pollution is enabled on all DNS servers.

  • Secure dynamic update is allowed for all DNS zones.

  • Internal DNS servers communicate with external DNS servers through the firewall with a limited list of allowed source and destination addresses.

  • External DNS servers in front of your firewall are configured with root hints pointing to the root servers for the Internet.

  • All Internet name resolution is performed by using proxy servers and gateways.

High-Level DNS Security Policy

High-level DNS security uses the same configuration as mid-level security and also uses the security features available when the DNS Server service is running on a domain controller and DNS zones are stored in Active Directory. Also, high-level security completely eliminates DNS communication with the Internet. This is not a typical configuration, but it is recommended whenever Internet connectivity is not required. High-level security policy includes the following characteristics:

  • The DNS infrastructure of your organization has no Internet communication by means of internal DNS servers.

  • Your network uses an internal DNS root and namespace, where all authority for DNS zones is internal.

  • DNS servers that are configured with forwarders use internal DNS server IP addresses only.

  • All DNS servers limit zone transfers to specified IP addresses.

  • DNS servers are configured to listen on specified IP addresses.

  • Secure cache against pollution is enabled on all DNS servers.

  • Internal DNS servers are configured with root hints that point to the internal DNS servers hosting the root zone for your internal namespace.

  • Secure dynamic update is configured for all DNS zones except for the top-level and root zones, which do not allow dynamic updates at all.

  • All DNS servers are running on domain controllers. An access control list (ACL) is configured on the DNS Server service to allow only specific individuals to perform administrative tasks on DNS servers.

  • All DNS zones are stored in Active Directory. An ACL is configured to allow only specific individuals to create, delete, or modify DNS zones.

  • ACLs are configured on DNS resource records to allow only specific individuals to create, delete, or modify DNS data.

Note

  • Windows Server 2003 DNS does not support the use of DACLs on zones to control which clients or users can send queries to the DNS server.
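The mid-level settings above, applied with dnscmd.exe on a Windows Server 2003 DNS server, with the high-level deltas shown as commented lines. This is an added example, not part of the Microsoft article; the zone name, server addresses and forwarder addresses are constructed placeholders, and the verification lines assume /Info accepts the same setting names as /Config.

```batch
@echo off
rem Added example (not from the article): apply the mid-level DNS security
rem policy with dnscmd.exe, then read each setting back. Run in an
rem administrator command prompt on the DNS server (or prefix \\server).
rem All names and addresses below are constructed placeholders.

set ZONE=corp.example.com
set LISTEN_IP=10.0.0.5
set FWD1=10.0.0.1
set FWD2=10.0.0.2

rem Listen on the intended interface only, not on every IP address.
dnscmd /ResetListenAddresses %LISTEN_IP%

rem Send names that cannot be resolved locally to internal forwarders only.
dnscmd /ResetForwarders %FWD1% %FWD2% /Timeout 5

rem Secure cache against pollution (SecureResponses=1). It is already the
rem Windows Server 2003 default; setting it explicitly undoes any earlier
rem change that disabled it.
dnscmd /Config /SecureResponses 1

rem Allow zone transfers only to the servers named in the zone's NS records.
dnscmd /ZoneResetSecondaries %ZONE% /SecureNs

rem Dynamic update: 0 = none, 1 = nonsecure and secure, 2 = secure only.
rem Secure-only update is available for Active Directory-integrated zones.
dnscmd /Config %ZONE% /AllowUpdate 2

rem --- High-level deltas (no Internet resolution at all) ---
rem Transfers to an explicit address list instead of the NS records:
rem   dnscmd /ZoneResetSecondaries %ZONE% /SecureList 10.0.0.6 10.0.0.7
rem Root and top-level zones accept no dynamic updates:
rem   dnscmd /Config . /AllowUpdate 0

rem --- Verification: each line should show the value set above ---
dnscmd /Info /ListenAddresses
dnscmd /Info /Forwarders
dnscmd /Info /SecureResponses
dnscmd /ZoneInfo %ZONE%

rem The same flag lives in the registry; a value of 0x1 means enabled.
reg query HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v SecureResponses
```

From a host that is not listed in the zone's NS records, an nslookup `ls -d corp.example.com` directed at this server should now be refused, which confirms the zone transfer restriction holds.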

Cache Pollution Protection

When cache pollution protection is enabled, the DNS server disregards DNS resource records that originate from DNS servers that are not authoritative for the resource records. Cache pollution protection is a significant security enhancement; however, when cache pollution protection is enabled, the number of DNS queries can increase.

In Windows Server 2003 DNS, cache pollution protection is enabled by default. You can disable cache pollution protection to reduce the number of DNS queries; however, to ensure the security of your system, it is strongly recommended that you leave cache pollution protection enabled on your DNS servers.

For information about cache pollution protection, see the Networking Collection of the Windows Server 2003 Technical Reference (or see the Networking Collection on the Web at https://www.microsoft.com/reskit).