Steps to Secure DNS Server Configuration for Windows Server 2008
Of all the network services that you need to manage on your network, DNS is probably the most important one. It's also the service that probably accessed more than any other on the network, since just about every machine on the network needs to be able to resolve names to IP addresses. They might need to resolve internal names, names on other private networks, or names of servers on the Internet. Without a functional DNS infrastructure, your network would be dead in its tracks.
This means that your DNS infrastructure needs to be highly available. In order to make your DNS highly available, the first step is to make it secure. Here are a few recommendations for creating a secure DNS infrastructure:
- Deploy your DNS servers on a Server Core
- Use Read-only Domain Controllers to protect zones by making them read-only
- Put your DNS servers on your domain controllers (internal zones only)
- Configure your internal zones to support only secure dynamic updates from domain member computers
- Be careful regarding zone transfers. Manually configure what machines should be allowed to accept zone transfers, especially for public DNS servers
- Separate servers for internal and external access. Do not put external DNS server in private network security zones
- Use firewalls to segregate internal and external DNS servers into public and private security zones
- Disable recursion on public DNS servers
- Enable recursion only on DNS resolvers intended for that purpose
- Delete public root-hints files on machines not designed for public name resolution
- Configure private root-hints files for your internal DNS namespace
- Configure your DNS servers to protect against cache pollution
Those are some useful things you can do to begin to protect your DNS servers. Of course, you also want to make sure you keep your DNS servers fully updated with Microsoft Update.
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: [email protected]
MVP - Microsoft Firewalls (ISA)