Securing Domain Name System Clients
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The following Domain Name System (DNS) client considerations have security implications for DNS clients in a DNS infrastructure:
Whenever possible, specify static Internet Protocol (IP) addresses for the preferred and alternate DNS servers that are to be used by a DNS client. If a DNS client is configured to obtain its DNS server addresses automatically, it will obtain them from a Dynamic Host Configuration Protocol (DHCP) server. While this method of obtaining DNS server addresses is secure, it is only as secure as the DHCP server. By configuring DNS clients with static IP addresses for the preferred and alternate DNS servers, you eliminate one possible avenue of attack.
Control which DNS clients have access to the DNS server. If a DNS server is configured to listen only on specific IP addresses, only DNS clients that are configured to use these IP addresses as preferred and alternate DNS servers will contact the DNS server.
For more information about planning DNS, see Deploying Domain Name System (DNS) on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45677).
To begin this task, perform the following requirements:
To complete this task, perform the following procedures:
Configure DNS settings in Network Connections.
Restrict the DNS server to listen on selected IP addresses.