Securing the DNS Server service

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Securing the DNS Server service

To secure the DNS servers in your network, use the following guidelines:

  • Examine and configure the default DNS Server service settings that affect security. The following DNS Server service configuration options have security implications for both the standard and the Active Directory-integrated DNS Server service.

    Default setting Description

    Interfaces

    By default, a DNS Server service that is running on a multihomed computer is configured to listen for DNS queries using all of its IP addresses. Limit the IP addresses the DNS Server service listens on to the IP address used by its DNS clients as their preferred DNS server.

    For more information, see Restrict a DNS server to listen only on selected addresses.

    Secure cache against pollution

    By default, the DNS Server service is secured from cache pollution, which results when DNS query responses contain nonauthoritative or malicious data. The Secure cache against pollution option prevents an attacker from successfully polluting the cache of a DNS server with resource records that were not requested by the DNS server. Changing this default setting will reduce the integrity of the responses provided by DNS Server service.

    For more information, see Secure server cache against names pollution.

    Disable recursion

    By default, recursion is not disabled for the DNS Server service. This enables the DNS server to perform recursive queries on behalf of its DNS clients and DNS servers that have forwarded DNS client queries to it. Recursion can be used by attackers to deny the DNS Server service and therefore if a DNS server in your network is not intended to receive recursive queries, it should be disabled.

    For more information, see Disable recursion on the DNS server.

    Root hints

    If you have an internal DNS root in your DNS infrastructure, configure the root hints of internal DNS servers to only point to the DNS servers hosting your root domain and not the DNS servers hosting the Internet root domain. This will prevent your internal DNS servers from sending private information over the Internet when resolving names.

    For more information, see Update root hints on the DNS server and Updating root hints.

    For more information about default DNS Server service settings, see Restore server default preferences.

  • Manage the discretionary access control list (DACL) on DNS servers running on domain controllers. In addition to the default DNS Server service settings that affect security described above, DNS servers configured as domain controllers use a DACL. The DACL allows you to control the permissions for the Active Directory users and groups that control the DNS Server service.

    The following table lists the default group or user names and permissions for the DNS Server service when it is running on a domain controller.

    Group or user names Permissions

    Administrators

    Allow: Read, Write, Create All Child objects, Special Permissions

    Authenticated Users

    Allow: Read, Special Permissions

    Creator Owner

    Special Permissions

    DnsAdmins

    Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions

    Domain Admins

    Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects

    Enterprise Admins

    Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects

    Enterprise Domain Controllers

    Allow: Special Permissions

    Pre-Windows 2000 Compatible Access

    Allow: Special Permissions

    System

    Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects

    For more information about assigning permissions on objects, see Best practices for assigning permissions on Active Directory objects, Best practices for permissions and user rights, and Understanding Groups.

    When the DNS Server service is running on a domain controller, its DACL may be managed using the Active Directory object MicrosoftDNS. Configuring the DACL on the MicrosoftDNS Active Directory object has the same effect as configuring the DACL on the DNS server in the DNS console, which is the recommended method. Consequently, the security administrators of Active Directory objects and DNS servers should be in direct contact to ensure that the administrators do not reverse each other's security settings.

    For more information, see Assign, change, or remove permissions on Active Directory objects or attributes.

  • Always use an NTFS file system for DNS servers running a Windows Server 2003 operating system. The NTFS file system is a more powerful file system than FAT and FAT32 and provides a variety of features including Active Directory, which is needed for domains, user accounts, and other important security features.

    For more information about NTFS, see NTFS and NTFS compared to FAT and FAT32.

For more information, see Security information for DNS.