Securing the Domain Name System Server Service

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To secure the Domain Name System (DNS) servers in your network, use the following guidelines:

  • Limit the Internet Protocol (IP) addresses that the DNS Server service listens on to the IP address that is used by its DNS clients as their preferred DNS server. By default, a DNS Server service that is running on a multihomed computer is configured to listen for DNS queries on all its IP addresses.

  • Leave the Secure cache against pollution option enabled. By default, the DNS Server service is secured from cache pollution, which occurs when DNS query responses contain nonauthoritative or malicious data. The Secure cache against pollution option prevents an attacker from polluting the cache of a DNS server with resource records that were not requested by the DNS server. Changing this default setting reduces the integrity of the responses that are provided by the DNS Server service.

  • Disable recursion. By default, recursion is not disabled for the DNS Server service. This enables the DNS server to perform recursive queries on behalf of its DNS clients and of the DNS servers that have forwarded DNS client queries to it. Attackers can abuse recursion to mount a denial of service against the DNS Server service. Therefore, if a DNS server in your network is not intended to receive recursive queries, recursion should be disabled on that server.

  • If you have an internal DNS root in your DNS infrastructure, configure the root hints of internal DNS servers to point only to the DNS servers that host your root domain, not to the DNS servers that host the Internet root domain. This prevents your internal DNS servers from sending private information over the Internet when they resolve names.

For more information about planning DNS, see Deploying Domain Name System (DNS) on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=45677).

Task requirements

To begin this task, perform the following requirements:

  • Install Dnscmd.

To complete this task, perform the following procedures:

  1. Restrict the DNS server to listen on selected IP addresses

  2. Secure the server cache against name pollution

  3. Disable recursion

  4. Update root hints
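The four procedures above, carried out with Dnscmd from an elevated command prompt on the DNS server, as an added example that is not part of the original article. The listen address, the internal root server name and its IP address are placeholders, and the record syntax used for the root hints zone is an assumption rather than something the article states.

```batch
@echo off
rem Added example: harden the DNS Server service with Dnscmd.
rem Placeholders (replace with your own values):
rem   LISTEN_IP    - the address your DNS clients use as preferred DNS server
rem   ROOT_NS_NAME - FQDN (trailing dot) of a server hosting your internal root
rem   ROOT_NS_IP   - that server's IP address
setlocal
set LISTEN_IP=10.0.0.53
set ROOT_NS_NAME=ns1.corp.example.
set ROOT_NS_IP=10.0.0.10

echo === Settings before hardening ===
dnscmd /Info /ListenAddresses
dnscmd /Info /SecureResponses
dnscmd /Info /NoRecursion

echo === 1. Listen only on the address clients actually use ===
rem On a multihomed server this replaces "all addresses" with one address.
dnscmd /ResetListenAddresses %LISTEN_IP%

echo === 2. Keep Secure cache against pollution enabled ===
rem 1 is the default; setting it explicitly reverts any earlier change.
dnscmd /Config /SecureResponses 1

echo === 3. Disable recursion ===
rem Only do this on servers that must not answer recursive queries;
rem a server that clients rely on for name resolution still needs recursion.
dnscmd /Config /NoRecursion 1

echo === 4. Point root hints at the internal root, not the Internet root ===
rem Root hints live in the ..RootHints zone. The record syntax below is an
rem assumption; check it against dnscmd /? before relying on it. Remove the
rem Internet root entries (a.root-servers.net. and so on) with /RecordDelete
rem so the server never sends internal names to Internet root servers.
dnscmd /RecordAdd ..RootHints @ NS %ROOT_NS_NAME%
dnscmd /RecordAdd ..RootHints %ROOT_NS_NAME% A %ROOT_NS_IP%

echo === Settings after hardening ===
dnscmd /Info /ListenAddresses
dnscmd /Info /SecureResponses
dnscmd /Info /NoRecursion
dnscmd /ZonePrint ..RootHints
endlocal
```

Run the "after" queries again from another host with a recursive lookup (for example, a name outside your zones) to confirm that the server now refuses recursion rather than answering it.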

See Also

Other Resources

Deploying Domain Name System (DNS)