Checklist: Implementing a Secure DNS Configuration
Updated: October 7, 2009
Applies To: Windows Server 2008 R2
To reduce the chances of an attacker being able to compromise the integrity of your DNS infrastructure, it is important to ensure that DNS servers are configured with best practices for DNS security. This checklist provides links to important concepts and procedures you can use to implement a secure DNS configuration.
Note
When a reference link takes you to a conceptual topic or to a subordinate checklist, return to this topic after you review the conceptual topic or you complete the tasks in the subordinate checklist so that you can proceed with the remaining tasks in this checklist.
Checklist: Implementing a secure DNS configuration
Task | Reference
---|---
Determine which DNS security threats are most significant to your environment, and determine the level of security that is required. |
For the DNS servers in your network that are exposed to the Internet, if zone transfer must be enabled, restrict DNS zone transfers either to the DNS servers identified in the zone by name server (NS) resource records or to specific DNS servers in your network. If zone transfers are not required, disable them. |
DNS zones that are stored in Active Directory Domain Services (AD DS) can take advantage of Active Directory security features, such as secure dynamic update and the ability to apply AD DS security settings to DNS servers, zones, and resource records. You should take advantage of these features only if the DNS server is already a domain controller. |
Configure the Global Query Block List if you want to specify resource records that the authoritative DNS server blocks when it receives a DNS query for them. |
When you configure the socket pool, the DNS server picks a random source port from a pool of sockets that it opens when the service starts. This provides additional protection against cache poisoning attacks. |
When you configure cache locking, the DNS server does not allow cached resource records to be overwritten. This provides additional protection against cache poisoning attacks. |
If the server running the DNS Server service is a multihomed computer, restrict the DNS Server service to listen only on the interface IP address that is used by its DNS clients and internal servers. For example, a server acting as a proxy server may have two network adapters, one for the intranet and one for the Internet. If that server is also running the DNS Server service, you can configure the service to listen for DNS traffic only on the IP address that the intranet network adapter uses. |
If you have a private, internal DNS namespace, configure the root hints on your internal DNS servers to point only to the DNS servers that host your internal root domain, not to the DNS servers that host the Internet root domain. |
Disable recursion on all DNS servers that do not require it. A DNS server requires recursion only if it is configured with a forwarder, or if it must resolve domain names for which it is not authoritative or that are not cached. |
Ensure that the default server options that secure the caches of all DNS servers against names pollution have not been changed. Names pollution occurs when DNS query responses contain nonauthoritative or malicious data. |
Configure IPsec policy settings to protect zone transfers between primary and secondary DNS servers. |
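The following PowerShell script is an added example, not part of the original checklist, showing how several of the tasks above can be applied and then re-read on a Windows Server 2008 R2 DNS server with dnscmd.exe (the DnsServer PowerShell module did not exist for this release). The zone name, intranet address and secondary server addresses are constructed placeholders; the socket pool size and cache locking percentage are example values, not recommendations from the page.

```powershell
# Added example: apply and verify DNS Server hardening with dnscmd.exe.
# All names and addresses below are constructed placeholders.
$Zone         = 'corp.example.com'          # constructed: Internet-facing zone
$IntranetIP   = '10.0.0.5'                  # constructed: intranet adapter address
$SecondaryIPs = @('10.0.0.6', '10.0.0.7')   # constructed: authorised secondaries

function Get-DnsSetting {
    param([string]$Name)
    # 'dnscmd /Info <setting>' prints the current value of a server setting;
    # the raw text is returned so it can be logged or compared against a baseline.
    (& dnscmd.exe /Info $Name 2>&1) -join "`n"
}

# Socket pool: source ports are drawn at random from a pool opened at service start.
# Takes effect after the DNS Server service is restarted.
& dnscmd.exe /Config /SocketPoolSize 2500

# Cache locking: a cached record cannot be overwritten until this percentage
# of its TTL has elapsed (100 = never overwritten before expiry). Requires a restart.
& dnscmd.exe /Config /CacheLockingPercent 100

# Global Query Block List: refuse to answer queries for the listed names
# (WPAD and ISATAP are blocked by default when the list is enabled).
& dnscmd.exe /Config /EnableGlobalQueryBlockList 1

# Secure the cache against names pollution: discard nonauthoritative
# records in responses that do not belong to the queried domain tree.
& dnscmd.exe /Config /SecureResponses 1

# Disable recursion on a server that only needs to answer for its own zones.
& dnscmd.exe /Config /NoRecursion 1

# Multihomed server: listen for DNS traffic on the intranet adapter only.
& dnscmd.exe /ResetListenAddresses $IntranetIP

# Zone transfers: allow only the listed secondaries. Use /SecureNs instead to
# allow the servers named in the zone's NS records, or /NoXfr to disable transfers.
& dnscmd.exe /ZoneResetSecondaries $Zone /SecureList $SecondaryIPs

# Re-read each setting so the change is confirmed (or a drift check can be logged).
foreach ($Setting in 'SocketPoolSize', 'CacheLockingPercent',
                     'EnableGlobalQueryBlockList', 'SecureResponses', 'NoRecursion') {
    "{0}: {1}" -f $Setting, (Get-DnsSetting $Setting)
}
```

Run the script from an elevated prompt on the DNS server itself; the Get-DnsSetting loop doubles as a periodic audit when scheduled against a known-good baseline.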
See Also
Concepts
Planning Your Secure DNS Deployment
Deploying a Secure DNS Configuration
Deploying DNS Security Extensions (DNSSEC)