Restrict the DNS server to listen on selected IP addresses

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use the following procedure to restrict the DNS Server service to listen only on selected Internet Protocol (IP) addresses. By default, the DNS Server service listens for Domain Name System (DNS) message communications on all configured IP addresses for the server computer. Restricting the service to specific IP addresses is a useful security measure on a multihomed server: the service accepts DNS queries only on the interfaces that hold the listed addresses, so only hosts that can reach the network segment of a listed address, directly or through a router, can query the server. Hosts that reach the server only through an unlisted interface (for example, an Internet-facing one) cannot. The restriction reduces the exposure of the DNS Server service; it does not block other traffic on the unlisted interfaces, so it complements, rather than replaces, packet filtering on those interfaces.

Note

Server IP addresses that you add with this procedure must be managed statically (not assigned by DHCP). If you later change or remove an address specified here from the TCP/IP configuration of this server, update this list accordingly: the DNS Server service cannot listen on an address that is no longer configured on the computer, and a list that names only such addresses leaves the service with nothing to listen on.

After you update or revise the list of listen addresses, stop and restart the DNS Server service to apply the new list, and then confirm that the service is bound only on the addresses you expect.

You can perform this procedure by using the DNS snap-in or by using the Dnscmd command-line tool.

Administrative credentials

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as command to perform this procedure.

Restricting the DNS server to listen on selected IP addresses

  • Using the Windows interface

  • Using the command line

To restrict the DNS server to listen on selected IP addresses using the Windows interface

  1. Open the DNS snap-in.

  2. In the console tree, click the applicable DNS server.

    Where: DNS/applicable DNS server

  3. On the Action menu, click Properties.

  4. On the Interfaces tab, click Only the following IP addresses.

  5. In IP address, type an IP address for the DNS server to be enabled for use, and then click Add.

  6. Repeat the previous step as needed to specify other server IP addresses to be enabled for use by this DNS server.

    If you want to remove an IP address from the list, click the IP address, and then click Remove.

Note

To open the DNS snap-in, click Start, point to Administrative Tools, and then click DNS.

To restrict the DNS server to listen on selected IP addresses using the command line

  • At a command prompt, type the following command, and then press ENTER:

    dnscmd ServerName /ResetListenAddresses [ListenAddress ...]

    Value: ServerName
    Description: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

    Value: /ResetListenAddresses
    Description: Required. Replaces the list of IP addresses of the interfaces on which the DNS server listens.

    Value: ListenAddress ...
    Description: Specifies one or more IP addresses, separated by spaces, for the interfaces on which you want the DNS server to listen. Each address must be configured statically on the server. If you omit ListenAddress, the setting is reset to its default, and the DNS Server service listens for DNS message communications on all configured IP addresses for the server computer.

    To display the current list, type dnscmd ServerName /Info ListenAddresses. The new list takes effect after you stop and restart the DNS Server service.
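The following script, added here as an example and not part of the original page, carries the command-line procedure through end to end on the local server: it records the current setting, applies a new listen-address list with dnscmd, restarts the DNS Server service, and then checks the socket table so that a listener on 0.0.0.0 (or on any address outside the list) is reported rather than silently accepted. The two addresses in the parameter default are placeholders to be replaced with addresses statically configured on the server.

```powershell
# Added example (not from the original page): restrict the DNS Server service to a
# chosen set of listen addresses with dnscmd, restart the service, and confirm from
# the socket table that port 53 is bound only on those addresses.
# The default addresses below are placeholders (an assumption of this example);
# replace them with addresses that are statically configured on this server.
param(
    [string[]]$ListenAddresses = @('10.0.0.5', '10.0.0.6')
)

$dnscmd = Join-Path $env:SystemRoot 'system32\dnscmd.exe'

# Running /ResetListenAddresses with no addresses resets the server to listen on
# all addresses, which is the opposite of what this procedure intends, so refuse
# an empty list rather than pass it through.
if ($ListenAddresses.Count -eq 0) {
    throw 'Refusing to run with an empty list; that would reset the server to all addresses.'
}

# Record the current setting before changing it.
Write-Output 'Current setting:'
& $dnscmd . /Info ListenAddresses

# Apply the new list. The array is splatted so each address becomes its own argument.
& $dnscmd . /ResetListenAddresses @ListenAddresses
if ($LASTEXITCODE -ne 0) {
    throw "dnscmd /ResetListenAddresses failed with exit code $LASTEXITCODE"
}

# The new list is read when the service starts, so restart it now.
Restart-Service -Name DNS -Force

# Verify from the socket table rather than from the setting: collect every local
# address that has a TCP or UDP listener on port 53.
$listeners = netstat -an |
    ForEach-Object {
        if ($_ -match '^\s*(TCP|UDP)\s+(\S+):53\s') { $Matches[2] }
    } |
    Sort-Object -Unique

# Anything not in the list (0.0.0.0, [::], or an unlisted interface address)
# means the restriction did not take effect as intended.
$unexpected = $listeners | Where-Object { $ListenAddresses -notcontains $_ }
if ($unexpected) {
    Write-Warning ('DNS is still bound on unexpected addresses: ' + ($unexpected -join ', '))
} else {
    Write-Output ('DNS is listening only on: ' + ($listeners -join ', '))
}
```

Run it from an elevated prompt as a member of the local Administrators group. The netstat check is deliberately independent of the dnscmd setting: it catches the case in the note above where a listed address is no longer configured on the server, because that address will simply be absent from the socket table.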