Securing DNS for Windows (Part 2)

If you missed the first part in this article series please read Securing DNS for Windows (Part 1).

In the last article I reviewed some basic security concepts of DNS, including some basics of DNS itself. Some of the security concepts included making DNS Active Directory integrated and establishing a more secure DNS environment through its communication with DHCP. These are easy and powerful configurations to make for your DNS environment. Don’t stop there though! You are only scratching the surface when it comes to securing your DNS environment. In this installment we will go deeper into DNS and into how the DNS database is secured, especially where it is communicated to other DNS servers. DNS servers must communicate to update the database on other DNS servers, and this communication is an ideal point for an attacker to pounce on any vulnerability that is exposed. If you take the correct precautions and establish secure DNS configurations, your exposure will be reduced.

Zone transfers

When it comes to DNS zones, you must understand there are different types of zones that you can establish within your DNS environment. Although we are going to focus on a few of the possible zones, here is a list of all of the zones that you can establish in DNS:

  • Active Directory integrated Zone

  • Primary Zone

  • Secondary Zone

  • Stub Zone

In the last installment, we discussed the Active Directory integrated zone. For the purpose of this discussion, an Active Directory integrated zone functions like a primary zone: the primary zone (or the Active Directory integrated zone) is the zone that performs the “writes” to the DNS database. Secondary zones don’t perform writes to the DNS database; they only receive updates from primary DNS zones. The update from a primary zone to a secondary zone is called a zone transfer.

The zone transfer interface is fairly clear as to your options, as you can see in Figure 1. You can either allow “any” DNS server to receive the contents of the primary zone or you can narrow it to only a few choice DNS servers. Of course, for security purposes, you want to narrow the scope of DNS servers that will be allowed to receive the IP address and domain name of all computers in your organization!

Figure 1: Zone Transfers interface for Windows DNS

Securing zone transfers

You can also take the concept of securing DNS zone transfers to another level. Making DNS more secure is not a radical concept; most companies today perform additional configurations to secure their DNS zone transfers. There are a few options for securing DNS and its zone transfers, and the key is how your DNS environment is set up.

The first is to use IPSec or a VPN tunnel between the DNS servers so that the DNS database is encrypted while it is being sent across the network. IPSec is very common for communication between DNS servers that are on the same network. If the traffic between your DNS servers must traverse an insecure network, a VPN is used. If you use a VPN to secure the data across an unprotected network, it is common to use L2TP. L2TP uses a more secure encryption algorithm for the protection of the data as it is being sent across the network.

The other option for protecting data as it is sent from DNS server to DNS server is to use Active Directory integration. This requires that the DNS servers function in the Active Directory domain and that DNS runs on a domain controller. The benefits are significant though. Since the data is stored and replicated through Active Directory replication, the data is encrypted as it is sent from DNS server to DNS server. Another benefit of having DNS function and transfer using Active Directory is that all communications are authenticated first: the DNS server must authenticate to the Active Directory database before any information is replicated, which protects the zone transfer.
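As an added example (not code from the original article), the following PowerShell puts the two preceding sections into practice on a Windows DNS server: it audits which primary zones will hand their contents to any server that asks, restricts transfers to named secondaries, converts a file-backed primary to an Active Directory integrated zone, and requires IPSec on the zone-transfer traffic to a secondary that must stay file-backed. The zone name `corp.example` and the addresses `10.0.0.11` and `10.0.0.12` are constructed placeholders; the script assumes the `DnsServer` and `NetSecurity` modules are present and that the server is a domain-joined domain controller (the IPSec rule relies on the default computer Kerberos authentication set).

```powershell
# Added example; not part of the original article. Assumes Windows Server with the
# DnsServer and NetSecurity modules. Zone name and addresses are constructed placeholders.
Import-Module DnsServer
Import-Module NetSecurity

$zone        = "corp.example"              # placeholder zone name
$secondaries = @("10.0.0.11", "10.0.0.12") # placeholder secondary DNS servers

# 1. Audit: list primary zones and how they answer zone-transfer (AXFR) requests.
#    "TransferAnyServer" means any host can pull every name and address in the zone.
Get-DnsServerZone |
    Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq "Primary" } |
    Select-Object ZoneName, IsDsIntegrated, SecureSecondaries, SecondaryServers

# 2. Restrict transfers of the zone to the named secondaries only
#    (the equivalent of "Only to the following servers" in the Zone Transfers tab).
Set-DnsServerPrimaryZone -Name $zone `
    -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $secondaries

# Alternative: allow only the servers listed in the zone's own NS records.
# Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries TransferToZoneNameServer

# 3. Move a file-backed primary into Active Directory so the zone data rides on
#    authenticated, encrypted AD replication instead of plain zone transfers.
if (-not (Get-DnsServerZone -Name $zone).IsDsIntegrated) {
    ConvertTo-DnsServerPrimaryZone -Name $zone -ReplicationScope Domain -Force
}

# 4. For a secondary that must remain file-backed, require IPSec on the
#    zone-transfer traffic (DNS over TCP port 53) between this server and it.
New-NetIPsecRule -DisplayName "Require IPsec for DNS zone transfers" `
    -Protocol TCP -LocalPort 53 -RemoteAddress $secondaries `
    -InboundSecurity Require -OutboundSecurity Require

# 5. Confirm the final state of the zone.
Get-DnsServerZone -Name $zone | Select-Object ZoneName, IsDsIntegrated, SecureSecondaries, SecondaryServers
```

Run step 1 on its own first: any non-auto-created primary zone that reports `TransferAnyServer` is the situation the article warns about. Step 4 must be mirrored on the secondary with a matching rule, or the transfer will simply fail once one side requires IPSec.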

Forwarding (all four types)

Another round-about way to help protect your DNS environment is to use the many options for forwarding. This can help you maintain a stable DNS infrastructure, while ensuring that computers and applications can still access the proper server on the network. There are a couple of options for forwarding within a Microsoft DNS environment.

The first is plain standard forwarding, shown in Figure 2: every request for a name the queried DNS server is not responsible for is sent along to other DNS servers, that is, forwarded. This is ideal when you have an internal DNS server that is used for all internal names, Active Directory and otherwise, and that is configured on all clients, but that is not aware of any names on the Internet. When the internal DNS server receives a request that is meant for the Internet, the query is simply forwarded to another DNS server that can handle it. This keeps your internal DNS server from housing records for computers that are external to your network.

Figure 2: Forwarding for a Windows DNS server

Another option is to make the forwarding more directed. This again helps ensure that all requests are steered toward the proper DNS server, which keeps exposure to incorrect information and corruption to a minimum. This option is called conditional forwarding, shown in the upper part of Figure 2. It can be used in an environment where you have multiple internal DNS namespaces and you don’t want to rely on the Internet or some other elaborate DNS infrastructure to resolve names. Here, you simply have each DNS server forward requests for the other namespace on behalf of its clients.
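As an added example (not code from the original article), the PowerShell below configures both forwarding options just described on a Windows DNS server: a standard forwarder for everything the server is not authoritative for, and a conditional forwarder that sends queries for a second internal namespace straight to that namespace’s own servers. The upstream resolver `203.0.113.53`, the namespace `partner.example` and its server `10.20.0.5` are constructed placeholders; the script assumes the `DnsServer` module and, for the Active Directory replicated conditional forwarder, that the server is a domain controller.

```powershell
# Added example; not part of the original article. Assumes Windows Server with the
# DnsServer module. Addresses and the partner namespace are constructed placeholders.
Import-Module DnsServer

$upstream      = "203.0.113.53"   # placeholder: resolver that can reach Internet names
$partnerZone   = "partner.example" # placeholder: second internal namespace
$partnerServer = "10.20.0.5"       # placeholder: authoritative server for that namespace

# Standard forwarding: any query this server is not authoritative for goes to the
# upstream resolver. Disabling root hints stops the server from walking the
# Internet root itself if the forwarder does not answer.
Set-DnsServerForwarder -IPAddress $upstream -UseRootHint $false -Timeout 5

# Conditional forwarding: queries for partner.example bypass the general forwarder
# and go directly to that namespace's DNS server. Storing it in AD (ReplicationScope)
# makes every DNS server in the forest use the same rule; omit -ReplicationScope on a
# non-DC to keep the forwarder local to this server.
Add-DnsServerConditionalForwarderZone -Name $partnerZone `
    -MasterServers $partnerServer -ReplicationScope Forest

# Verify the forwarding configuration that resulted.
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout
Get-DnsServerZone | Where-Object { $_.ZoneType -eq "Forwarder" } |
    Select-Object ZoneName, MasterServers, IsDsIntegrated

# Exercise the conditional path: this query should be answered via 10.20.0.5,
# not via the upstream resolver.
Resolve-DnsName -Name "www.$partnerZone" -Server "localhost" -Type A
```

A useful periodic check is the `Get-DnsServerZone ... ZoneType -eq "Forwarder"` line on its own: a conditional forwarder nobody remembers adding is exactly the kind of misdirection the article says forwarding is meant to prevent.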


DNS can be complicated, but when broken down into small chunks it is not that complicated, and it can be protected properly. Here, you have seen that DNS can protect its database by being configured with the specific DNS servers that should receive zone transfers. In this situation, your primary or Active Directory integrated zones will have specific secondary DNS servers with which they communicate. Without this configuration, rogue DNS servers could get hold of key information about your network. Another step is to make your DNS transfers themselves secure, whether through Active Directory integration or through more sophisticated technologies like IPSec or a VPN tunnel. Finally, control over your DNS forwarding can ensure more precise name resolution, as well as help protect your internal DNS servers from becoming corrupted with incorrect information. Forwarding “passes the buck” to another DNS server, leaving your internal DNS servers pristine.

