Securing Internal DNS Servers
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Internal DNS servers are less vulnerable to attack than external DNS servers, but you still need to protect them. To secure your internal DNS servers:
Eliminate any single point of failure. Note, however, that DNS redundancy cannot help you if your clients cannot access any network services. Think about where the clients of each DNS zone are located, and how they resolve names if the DNS server is compromised and unable to answer queries.
Prevent unauthorized access to your servers. Allow only secure dynamic update for your zones and limit the list of DNS servers that are allowed to obtain a zone transfer.
Monitor the DNS logs and monitor your internal DNS servers by using Event Viewer. Monitoring your logs and your server can help you detect unauthorized modifications to your DNS server or zone files.
Implement Active Directory–integrated zones with secure dynamic update.
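The zone-level settings named in the list above, expressed as dnscmd commands run on the DNS server itself. This is an added example, not part of the original page; the zone name and secondary-server addresses are placeholders, and the server is assumed to be a domain controller, which an Active Directory-integrated zone requires.

```batch
@echo off
rem Added example: harden one internal zone with dnscmd (Windows Support Tools
rem on Windows Server 2003). Run on the DNS server as a DNS administrator.
rem ZONE and SECONDARIES are placeholders; replace them with your own values.
setlocal
set ZONE=corp.example.com
set SECONDARIES=192.0.2.10 192.0.2.11

rem Record the current settings so the change can be reviewed or rolled back.
dnscmd /ZoneInfo %ZONE% > "%TEMP%\%ZONE%-before.txt" || goto :fail

rem Store the zone in Active Directory. Secure dynamic update is available
rem only for Active Directory-integrated zones, so this comes first.
rem Skip this step if the zone is already Active Directory-integrated.
dnscmd /ZoneResetType %ZONE% /DsPrimary || goto :fail

rem AllowUpdate: 0 = no dynamic update, 1 = nonsecure and secure, 2 = secure only.
dnscmd /Config %ZONE% /AllowUpdate 2 || goto :fail

rem Zone transfers: /NonSecure would let any server pull the zone;
rem /SecureList limits transfers to the listed secondary servers.
dnscmd /ZoneResetSecondaries %ZONE% /SecureList %SECONDARIES% || goto :fail

rem Log errors, warnings and informational events to the DNS event log
rem so that server and zone changes show up in Event Viewer.
dnscmd /Config /EventLogLevel 4 || goto :fail

rem Show the resulting settings for comparison with the saved copy.
dnscmd /ZoneInfo %ZONE%
endlocal
exit /b 0

:fail
echo dnscmd failed with error %ERRORLEVEL%; review the zone before retrying.
endlocal
exit /b 1
```

Comparing the saved "before" file with the final /ZoneInfo output gives a record of what changed for each zone.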