Restrict a DNS server to listen only on selected addresses

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To restrict a DNS server to listen only on selected addresses

  • Using the Windows interface

  • Using a command line

Using the Windows interface

  1. Open DNS.

  2. In the console tree, click the applicable DNS server.

    Where?

    • DNS/applicable DNS server
  3. On the Action menu, click Properties.

  4. On the Interfaces tab, click Only the following IP addresses.

  5. In IP address, type an IP address for the DNS server to be enabled for use, and then click Add.

  6. As needed, repeat the previous step to specify other server IP addresses to be enabled for use by this DNS server.

    If you need to remove an IP address from the list, click it and then click Remove.

Notes

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

  • To open DNS, click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.

  • By default, the DNS Server service listens for DNS message communications on all configured IP addresses for the server computer.

  • Server IP addresses that are added here need to be statically managed. If later you change or remove addresses specified here from TCP/IP configurations maintained at this server, update this list accordingly.

  • After you update or revise the list of restricted interfaces, you need to stop and restart the DNS server to apply the new list.

  • Restricting the DNS Server service to only listen on specific IP addresses is an effective security measure because only hosts on the same network subnet, or hosts with a router that connects them to that same segment, will have access to the server.

Using a command line

  1. Open Command Prompt.

  2. Type:

    dnscmd ServerName /ResetListenAddresses [ListenAddress ...]

Value Description

dnscmd

Specifies the name of the command-line tool.

ServerName

Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/ResetListenAddresses

Required. Resets the IP addresses of the interfaces on which the DNS server listens.

ListenAddress...

Specifies one or more IP addresses for the interfaces on which you want the DNS server to listen. By default, the DNS Server service listens for DNS message communications on all configured IP addresses for the server computer.

Notes

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

  • To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

  • This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

  • To view the complete syntax for this command, at a command prompt, type:

    dnscmd ServerName /ResetListenAddresses /help

  • Server IP addresses that are added here need to be statically managed. If later you change or remove addresses specified here from TCP/IP configurations maintained at this server, update this list accordingly.

  • After you update or revise the list of restricted interfaces, you need to stop and restart the DNS server to apply the new list.

  • Restricting the DNS Server service to only listen on specific IP addresses is an effective security measure because only hosts on the same network subnet, or hosts with a router that connects them to that same segment, will have access to the server.

Formatting legend

Format Meaning

Italic

Information that the user must supply

Bold

Elements that the user must type exactly as shown

Ellipsis (...)

Parameter that can be repeated several times in a command line

Between brackets ([])

Optional items

Between braces ({}); choices separated by pipe (|). Example: {even|odd}

Set of choices from which the user must choose only one

Courier font

Code or program output

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Start or stop a DNS server
Configuring multihomed servers
Install Windows Support Tools
Security information for DNS
Securing the DNS Server service
Securing DNS clients