Checklist: Implementing a Secure DNS Configuration

Published: October 7, 2009

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

To reduce the chances of an attacker being able to compromise the integrity of your DNS infrastructure, it is important to ensure that DNS servers are configured with best practices for DNS security. This checklist provides links to important concepts and procedures you can use to implement a secure DNS configuration.

When a reference link takes you to a conceptual topic or to a subordinate checklist, return to this topic after you review the conceptual topic or you complete the tasks in the subordinate checklist so that you can proceed with the remaining tasks in this checklist.

Checklist: Implementing a secure DNS configuration


  Task Reference

Determine which DNS security threats are most significant to your environment, and determine the level of security that is required.

Conceptual topic Securing DNS

Conceptual topic Security Information for DNS


For the DNS servers in your network that are exposed to the Internet, if zone transfers must be enabled, restrict them either to the DNS servers that are identified in the zone by name server (NS) resource records or to a specific list of DNS servers in your network. If zone transfers are not required, disable them. An attacker who is allowed to transfer a zone obtains a complete list of the host names and addresses in it, which is exactly the reconnaissance data that the rest of this checklist is trying to protect.

Checklist topic Restrict Zone Transfers


DNS zones that are stored in Active Directory Domain Services (AD DS) can take advantage of Active Directory security features, such as secure dynamic update and the ability to apply AD DS security settings to DNS servers, zones, and resource records.

These features are available only when the zone is stored in AD DS, which requires the DNS server to also be a domain controller.

Checklist topic Configure AD Integrated Zones

Checklist topic Configure the Discretionary Access Control List (DACL)

Checklist topic Allow Only Secure Dynamic Updates


The Global Query Block List is a list of host names for which an authoritative DNS server refuses to answer queries, even if a matching resource record exists in the zone. By default the list contains WPAD and ISATAP, names that clients resolve automatically and trust without further checks; blocking them prevents a user with dynamic update rights from registering such a name and redirecting clients. Configure the list if you need to add or remove blocked names.

Conceptual topic Managing the Global Query Block List

Checklist topic Configure the Global Query Block List


When you configure the socket pool, the DNS server picks a random source port from a pool of sockets that it opens when the service starts, instead of sending every outbound query from one predictable port. An attacker who wants to forge a response must then guess the source port as well as the 16-bit transaction ID, which provides additional protection against cache poisoning attacks.

Checklist topic Configure the Socket Pool


When you configure cache locking, the DNS server does not allow a cached resource record to be overwritten until a configurable percentage of its time to live (TTL) has elapsed. Without cache locking, a forged response for a name that is already cached can replace the legitimate record before it expires; with cache locking, such responses are discarded. This provides additional protection against cache poisoning attacks.

Checklist topic Configure Cache Locking


If the server running the DNS Server service is a multihomed computer, restrict the DNS Server service to listen only on the interface IP address that is used by its DNS clients and internal servers. For example, a server acting as a proxy server may have two network adapters, one for the intranet and one for the Internet. If that server is also running the DNS Server service, you can configure the service to listen for DNS traffic only on the IP address that the intranet network adapter uses, so that the service is not reachable from the Internet at all.

Checklist topic Restrict DNS servers to listen only on selected interfaces


If you have a private, internal DNS namespace, configure the root hints on your internal DNS servers to point only to the DNS servers that host your internal root domain and not the DNS servers that host the Internet root domain.

Checklist topic Configure Internal Root Hints


Disable recursion on all DNS servers that do not require it. A DNS server requires recursion only if it uses a forwarder, or if it must resolve names for which it is not authoritative and that are not in its cache. A recursive server that is reachable from the Internet can be abused as an open resolver and has a cache that an attacker can try to poison; an authoritative-only server has neither exposure.

Checklist topic Disable Recursion on the DNS Server


Ensure that the default server option that secures the DNS cache against name pollution (Secure cache against pollution) remains enabled on all DNS servers. Name pollution occurs when a DNS response contains resource records that the responding server is not authoritative for, such as additional records for an unrelated domain; with the option enabled, the server discards those records instead of caching them.

Checklist topic Secure the DNS Cache


Configure IPsec policy settings so that zone transfers between primary and secondary DNS servers are authenticated and encrypted. Zone transfers otherwise travel over TCP port 53 in clear text and can be read or modified by anyone on the path between the two servers.

Checklist topic Secure Zone Transfers with IPsec
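The following script is an added example and is not part of the original checklist or of any Microsoft-supplied tooling. It applies the server-wide and per-zone items above with dnscmd.exe, which ships in-box on Windows Server 2008 R2 (the DnsServer PowerShell module did not exist yet), and then re-reads each DWORD setting and reports any that still differ from the intended value. The listen address, the zone names, the choice of /NoXfr rather than /SecureNs, and the assumption that dnscmd /Info /<Property> prints DWORD settings as "Dword:  <decimal>  (<hex>)" are all assumptions made for this example; adjust them for your environment. Run it in an elevated PowerShell session on the DNS server.

```powershell
# Added example, not code from the original checklist. Hardens the Windows
# Server 2008 R2 DNS Server service with dnscmd.exe and audits the result.
param(
    [string]$ListenAddress = '10.0.0.5',           # assumed intranet adapter IP
    [string[]]$ZonesToLock = @('corp.example'),    # assumed AD-integrated zones
    [bool]$ServerNeedsRecursion = $false           # $true only if this server forwards or resolves for clients
)

# Runs dnscmd.exe with the given arguments and returns its text output.
# Throws if dnscmd reports failure, so a typo or a missing zone stops the script.
function Invoke-Dnscmd {
    param([Parameter(ValueFromRemainingArguments = $true)][string[]]$Arguments)
    $output = & dnscmd.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed (exit $LASTEXITCODE): $($output -join ' ')"
    }
    return ($output -join "`n")
}

# Reads one DWORD server setting back. Assumption: dnscmd /Info /<Property>
# prints a line such as "Dword:  2500  (000009c4)".
function Get-DnsDword {
    param([string]$Property)
    $text = Invoke-Dnscmd /Info "/$Property"
    if ($text -match 'Dword:\s+(\d+)') { return [int]$Matches[1] }
    throw "Could not parse the value of $Property from dnscmd output: $text"
}

# Server-wide settings from the checklist: property name -> intended value.
$intended = @{
    'SocketPoolSize'             = 2500   # randomised source ports (2500 is the default pool size)
    'CacheLockingPercent'        = 100    # cached records may not be overwritten before their TTL expires
    'SecureResponses'            = 1      # "Secure cache against pollution"
    'EnableGlobalQueryBlockList' = 1      # refuse queries for names in the block list
    'NoRecursion'                = [int](-not $ServerNeedsRecursion)
}

foreach ($name in $intended.Keys) {
    Invoke-Dnscmd /Config "/$name" $intended[$name] | Out-Null
}

# The block list itself is a list of names rather than a DWORD; keep the defaults.
Invoke-Dnscmd /Config /GlobalQueryBlockList wpad isatap | Out-Null

# Multihomed server: listen only on the intranet adapter address.
Invoke-Dnscmd /ResetListenAddresses $ListenAddress | Out-Null

# Per-zone settings: no zone transfers at all (use /SecureNs instead of /NoXfr
# if secondaries listed in NS records must still transfer the zone), and
# secure dynamic update only (AllowUpdate 2 requires an AD-integrated zone).
foreach ($zone in $ZonesToLock) {
    Invoke-Dnscmd /ZoneResetSecondaries $zone /NoXfr | Out-Null
    Invoke-Dnscmd /Config $zone /AllowUpdate 2 | Out-Null
}

# Audit pass: re-read every DWORD setting and list the ones that do not match.
$drift = @()
foreach ($name in $intended.Keys) {
    $actual = Get-DnsDword $name
    if ($actual -ne $intended[$name]) {
        $drift += ('{0}: expected {1}, found {2}' -f $name, $intended[$name], $actual)
    }
}

if ($drift.Count -eq 0) {
    Write-Host 'All server-wide DNS hardening settings verified.'
} else {
    Write-Warning ("Settings still differ from the checklist:`n" + ($drift -join "`n"))
}
```

Changes to the socket pool size take effect only after the DNS Server service is restarted (net stop dns, then net start dns), so run the audit pass again after the restart. The script deliberately leaves root hints and the IPsec policy alone: both depend on names and addresses specific to your environment and are better handled in the referenced checklist topics.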
