Restrict DNS servers to listen only on selected interfaces

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

A multihomed computer is a computer that has multiple network adapters or that has been configured with multiple IP addresses for a single network adapter. You can use the following procedure to make the DNS server more secure by limiting the IP addresses on which the DNS Server service listens to only the IP addresses that are used by DNS clients as their preferred DNS server. Repeat this procedure if the TCP/IP configuration of the DNS server changes.

Important

By default, a DNS Server service that is running on a multihomed computer listens for DNS queries on all its IP addresses. Use of a multihomed configuration on a DNS server is not recommended.

You can complete this procedure by using the Windows interface or the Dnscmd command-line tool.

Membership in Administrators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

Restricting a DNS server to listen only on selected addresses

  • Using the Windows interface

  • Using a command line

Tip

When you configure an interface to listen on selected IP addresses, add IPv4 and IPv6 addresses at the same time.

To restrict a DNS server to listen only on selected addresses using the Windows interface

  1. Click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

  2. In the console tree, click the name of the DNS server you wish to configure.

  3. On the Action menu, click Properties.

  4. On the Interfaces tab, choose Only the following IP addresses. By default, all IP addresses are selected.

  5. Under IP address, clear the check box next to the IP addresses that will not listen for DNS queries or provide DNS responses, and then click OK.

To restrict a DNS server to listen only on selected addresses using a command line

  1. Open an elevated command prompt.

  2. Type the following command, and then press ENTER:

    dnscmd <ServerName> /ResetListenAddresses [<ListenAddress> ...]

Parameters:

  • dnscmd: The command-line tool for managing DNS servers.

  • <ServerName>: Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.) or omit the host name.

  • /ResetListenAddresses: Required. Resets the IP addresses of the interfaces on which the DNS server listens.

  • <ListenAddress> ...: Specifies one or more IP addresses for the interfaces on which you want the DNS server to listen. By default, the DNS Server service listens for DNS message communications on all IP addresses that are configured for the server computer.

Tip

To view the complete syntax for this command, at a command prompt, type the following command, and then press ENTER:
    dnscmd <ServerName> /ResetListenAddresses /help
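As an added example that is not part of the original article, the following PowerShell script carries out the command-line procedure above on the local server and then checks the result through the DNS Server WMI provider (root\MicrosoftDNS, class MicrosoftDNS_Server), which is what is available on Windows Server 2008 R2. The $ListenAddresses parameter and the two sample addresses are constructed for the example.

```powershell
# Added example: restrict the local DNS Server service to the given addresses
# with dnscmd and verify the effective setting. Run from an elevated prompt.
# $ListenAddresses is an assumed parameter; the default values are constructed samples.
param(
    [string[]]$ListenAddresses = @('192.0.2.53', '2001:db8::53')
)

# Collect every IP address (IPv4 and IPv6) configured on this host so that an
# address that is not actually bound here is rejected instead of being applied.
$localAddresses = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { $_.IPAddress } | Where-Object { $_ }

foreach ($addr in $ListenAddresses) {
    if ($localAddresses -notcontains $addr) {
        throw "Address $addr is not configured on this computer; refusing to set it as a listen address."
    }
}

# The article's tip: add IPv4 and IPv6 addresses in the same call. Warn when one family is missing.
$hasV4 = @($ListenAddresses | Where-Object { $_ -notmatch ':' }).Count -gt 0
$hasV6 = @($ListenAddresses | Where-Object { $_ -match ':' }).Count -gt 0
if (-not ($hasV4 -and $hasV6)) {
    Write-Warning 'Only one address family supplied; clients using the other family will not be served.'
}

# Apply the setting on the local server ("." means the local computer).
# Each array element is passed to dnscmd as a separate <ListenAddress> argument.
& dnscmd . /ResetListenAddresses $ListenAddresses
if ($LASTEXITCODE -ne 0) { throw "dnscmd failed with exit code $LASTEXITCODE" }

# Read back the effective configuration and compare it with what was requested.
# The comparison is textual; an IPv6 address may be reported in a different
# (compressed) spelling, so inspect the output if a mismatch is reported.
$server    = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Server
$effective = @($server.ListenAddresses)
$missing   = @($ListenAddresses | Where-Object { $effective -notcontains $_ })
if ($missing.Count -gt 0) {
    throw "Listen addresses not applied: $($missing -join ', ')"
}
"DNS Server now listens only on: $($effective -join ', ')"
```

An empty ListenAddresses value read back from WMI means the service is still listening on all addresses, which is the default state the article warns about.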

See Also

Concepts

Checklist: Implementing a Secure DNS Configuration