Restrict the DNS server to listen on selected IP addresses
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the following procedure to restrict the DNS Server service to listen only on selected Internet Protocol (IP) addresses. By default, the DNS Server service listens for Domain Name System (DNS) message communications on all configured IP addresses for the server computer. Restricting the DNS Server service to listen only on specific IP addresses is an effective security measure because only hosts on the same network subnet — or hosts with a router that connects them to that same segment — have access to the server.
Note
Server IP addresses that you add with this procedure must be managed statically. If you later change or remove addresses specified here from TCP/IP configurations that are maintained at this server, update this list accordingly.
After you update or revise the list of restricted interfaces, stop and restart the DNS server to apply the new list.
You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as command to perform this procedure.
Restricting the DNS server to listen on selected IP addresses
To restrict the DNS server to listen on selected IP addresses using the Windows interface
Open the DNS snap-in.
In the console tree, click the applicable DNS server.
Where?
- DNS/applicable DNS server
On the Action menu, click Properties.
On the Interfaces tab, click Only the following IP addresses.
In IP address, type an IP address for the DNS server to be enabled for use, and then click Add.
Repeat the previous step as needed to specify other server IP addresses to be enabled for use by this DNS server.
If you want to remove an IP address from the list, click the IP address, and then click Remove.
Note
To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.
To restrict the DNS server to listen on selected IP addresses using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd ServerName /ResetListenAddresses [ListenAddress...]
| Value | Description |
| --- | --- |
| ServerName | Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.). |
| /ResetListenAddresses | Required. Resets the IP addresses of the interfaces on which the DNS server listens. |
| ListenAddress... | Specifies one or more IP addresses for the interfaces on which you want the DNS server to listen. By default, the DNS Server service listens for DNS message communications on all configured IP addresses for the server computer. |
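The following batch script is an added example and is not part of the original article; it puts the command-line procedure and the article's "stop and restart" note together in one run and then verifies the result from two sides. The two addresses 10.0.0.10 and 10.0.0.11 are constructed sample values that are assumed to be statically assigned to the server; the use of dnscmd /Info ListenAddresses to read the configured list back is based on the tool's /Info syntax and is not described on this page.

```batch
@echo off
rem Added example (not from the original article): restrict the local DNS Server
rem service to two static addresses, restart it so the new list applies, and
rem verify the outcome.
rem Assumptions: 10.0.0.10 and 10.0.0.11 are constructed sample addresses that are
rem statically configured on this host; the script runs as a member of the local
rem Administrators group (for example via Run as).

setlocal
set LISTEN1=10.0.0.10
set LISTEN2=10.0.0.11

rem 1. Replace the listen list with only the addresses given.
rem    A period as ServerName means the DNS server on the local computer.
dnscmd . /ResetListenAddresses %LISTEN1% %LISTEN2%
if errorlevel 1 (
    echo ResetListenAddresses failed. Check that both addresses are configured
    echo in this server's TCP/IP settings and that you have administrative rights.
    exit /b 1
)

rem 2. The article requires a stop and restart of the DNS Server service before
rem    the revised list takes effect.
net stop dns
net start dns

rem 3. Read the list back from the server (assumed /Info property name; see lead-in).
rem    Only the two addresses above should be listed.
dnscmd . /Info ListenAddresses

rem 4. Independent check from the socket side: TCP and UDP port 53 should now be
rem    bound to the chosen addresses only, not to 0.0.0.0 (all interfaces).
netstat -an | findstr ":53 "

endlocal
```

If the listen list is later changed in the TCP/IP configuration, rerun the dnscmd step with the current addresses and restart the service again; the netstat check is the quickest way to confirm that no listener was left bound to an address you intended to exclude.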