Securing DNS Servers That Are Exposed to the Internet

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

DNS servers that are exposed to the Internet are especially vulnerable to attack. You can secure your DNS servers that are exposed to the Internet by doing the following:

  • Place the DNS server on a perimeter network instead of your internal network.

    For more information about perimeter networks, see "Deploying ISA Server" in this book.

    Use one DNS server for publicly accessed services inside your perimeter network and a separate DNS server for your private internal network. This reduces the risk of exposing your private namespace, and with it sensitive internal names and IP addresses, to Internet-based users. It also increases performance because it decreases the number of resource records on the DNS server.

  • Add a secondary server on another subnet or network, or on an ISP. This helps protect you against denial-of-service attacks.

  • Eliminate single points of failure by securing your routers and DNS servers, and distributing your DNS servers geographically. Add secondary copies of your zones to at least one offsite DNS server.

  • Encrypt zone replication traffic by using Internet Protocol security (IPSec) or virtual private network (VPN) tunnels to hide the names and IP addresses from Internet-based users.

  • Configure firewalls to enforce packet filtering for UDP and TCP port 53.

  • Restrict the list of DNS servers that are allowed to initiate a zone transfer on the DNS server. Do this for each zone in your network.

  • Monitor the DNS logs and monitor your external DNS servers by using Event Viewer.
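The last two items, restricting which servers may initiate a zone transfer and monitoring the DNS logs, can be checked together. The following is an added example, not part of the original documentation: it parses lines in the layout of the Windows Server 2003 DNS debug log (the sample lines, the zone name and the allowed-secondary address are constructed) and reports AXFR/IXFR requests that arrive from any address not on the per-zone list of permitted secondaries.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed sample lines in the layout of the DNS debug log
# (date time thread PACKET ptr proto Snd/Rcv remote-IP xid Q/R [flags rcode] qtype qname).
SAMPLE_LOG = """\
20070514 13:52:28 0F8 PACKET  0254C2A0 UDP Rcv 203.0.113.10   0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
20070514 13:52:29 0F8 PACKET  0254C2A0 TCP Rcv 192.0.2.53     0003   Q [0000       NOERROR] AXFR   (7)example(3)com(0)
20070514 13:52:31 0F8 PACKET  0254C2A0 TCP Rcv 198.51.100.7   0004   Q [0000       NOERROR] AXFR   (7)example(3)com(0)
20070514 13:52:32 0F8 PACKET  0254C2A0 TCP Rcv 198.51.100.7   0005   Q [0000       NOERROR] IXFR   (7)example(3)com(0)
20070514 13:52:40 0F8 PACKET  0254C2A0 UDP Snd 203.0.113.10   0002   R [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
"""

# Secondaries permitted to initiate a zone transfer (constructed; mirrors the
# per-zone list of allowed servers configured on the DNS server).
ALLOWED_SECONDARIES = [ip_network("192.0.2.53/32")]

LINE_RE = re.compile(
    r"^(?P<date>\d{8}) (?P<time>[\d:]{8}) \S+ PACKET\s+\S+ (?P<proto>UDP|TCP) "
    r"(?P<dir>Snd|Rcv) (?P<ip>\S+)\s+\S+\s+(?P<qr>[QR]) \[[^\]]*\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)"
)


def decode_name(label_fmt: str) -> str:
    """Turn the log's (3)www(7)example(3)com(0) form into www.example.com."""
    return ".".join(re.findall(r"\(\d+\)([^()]+)", label_fmt))


def find_unauthorized_transfers(log_text: str, allowed) -> List[Dict[str, str]]:
    """Return received AXFR/IXFR queries whose source is not an allowed secondary."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Only inbound queries matter; responses and non-transfer queries are skipped.
        if not m or m["dir"] != "Rcv" or m["qr"] != "Q" or m["qtype"] not in ("AXFR", "IXFR"):
            continue
        src = ip_address(m["ip"])
        if any(src in net for net in allowed):
            continue
        findings.append({"time": f"{m['date']} {m['time']}", "src": str(src),
                         "type": m["qtype"], "zone": decode_name(m["qname"])})
    return findings


if __name__ == "__main__":
    for f in find_unauthorized_transfers(SAMPLE_LOG, ALLOWED_SECONDARIES):
        print(f"{f['time']} {f['type']} request for {f['zone']} from unlisted server {f['src']}")
```

A transfer request from an unlisted address that the server nevertheless answers indicates the zone's transfer restriction is missing; a request it refuses is still worth recording as an attempt to enumerate the zone.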