Checklist: Securing your DNS infrastructure
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Checklist: Securing your DNS infrastructure
| Step | Reference |
|---|---|
To prevent anyone outside of your company from obtaining internal network information, use separate DNS servers for internal and Internet name resolution. Your internal DNS namespace should be hosted on DNS servers behind the firewall for your network. Your external, Internet DNS presence should be managed by a DNS server in a perimeter network (also known as DMZ, demilitarized zone, or screened subnet). To provide Internet name resolution for internal hosts, you can have your internal DNS servers use a forwarder to send external queries to your external DNS server. |
Using forwarders; "Windows ServerĀ 2003 DNS" at the Microsoft Windows Resource Kits Web site |
To prevent anyone outside of your company from obtaining information about your internal DNS namespace, configure your external router and firewall to only allow DNS traffic between your internal and external DNS servers. For the DNS servers in your network that are exposed to the Internet, restrict DNS zone transfers to either DNS servers identified in the zone by name server (NS) resource records or to specific DNS servers in your network. Note
|
Modify zone transfer settings; Microsoft Internet Security and Acceleration (ISA) Server Web site |
If the server running the DNS Server service is a multihomed computer, then restrict the DNS Server service to only listen on the interface IP address used by its DNS clients and internal servers. For example, a server acting as proxy server may have two network interface cards, one for the intranet and one for the Internet. If that server is also running the DNS Server service, you can configure the service to only listen for DNS traffic on the IP address used by the intranet network interface card. |
|
If the server running DNS Server service is a domain controller, then use Active Directory access control lists (ACLs) to secure access control of the DNS Server service. |
Modify security for the DNS Server service on a domain controller; Best practices for assigning permissions on Active Directory objects; Best practices for permissions and user rights; Understanding Groups |
Use Active Directory-integrated DNS zones. DNS zones stored in Active Directory can take advantage of Active Directory security features, such as secure dynamic update and the ability to apply Active Directory security settings to DNS servers, zones, and resource records. |
Change the zone type; Active Directory integration; Allow only secure dynamic updates; Modify security for a directory-integrated zone; Modify security for a resource record |
If a DNS zone is not stored in Active Directory, then secure the DNS zone file by modifying permissions on the DNS zone file or on the folder where the zone files are stored. The zone file or folder permissions should be configured to only allow Full Control to the System group. By default, zone files are stored in the systemroot\System32\Dns folder. |
Set, view, change, or remove permissions on files and folders |
Secure the DNS registry keys. The DNS registry keys can be found in the following registry location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\ |
|
Disable recursion on DNS servers that do not respond to DNS clients directly and are not configured with forwarders. A DNS server only requires recursion if it responds to recursive queries from DNS clients or is configured with a forwarder. DNS servers use iterative queries to communicate with each other. |
|
Secure the caches of all DNS servers against names pollution. |
|
If you have a private internal DNS namespace, then configure the root hints on your internal DNS servers to only point to the DNS servers hosting your internal root domain and not the DNS servers hosting the Internet root domain. |