DNS security
Domain Name System (DNS) was originally designed as an open protocol and is therefore vulnerable to attackers. Windows Server 2003 DNS improves your ability to protect your DNS infrastructure against such attacks through three levels of DNS security.
Low-level security
Low-level security is the default DNS deployment, with no security precautions configured. Deploy this level of DNS security only in network environments where there is no concern for the integrity of your DNS data, or in a private network with no external connectivity. Low-level DNS security has the following characteristics:
• The DNS infrastructure of your organization is fully exposed to the Internet.
• Standard DNS resolution is performed by all DNS servers in your network.
• All DNS servers are configured with root hints pointing to the root servers for the Internet.
• All DNS servers permit zone transfers to any server.
• All DNS servers are configured to listen on all of their IP addresses.
• Cache pollution prevention is disabled on all DNS servers.
• Dynamic update is allowed for all DNS zones.
• User Datagram Protocol (UDP) and Transmission Control Protocol/Internet Protocol (TCP/IP) port 53 is open on the firewall for your network for both source and destination addresses.
Medium-level security
Medium-level security uses the DNS security features available without running DNS servers on domain controllers and storing DNS zones in Active Directory.
• The DNS infrastructure of your organization has limited exposure to the Internet.
• All DNS servers are configured to use forwarders to point to a specific list of internal DNS servers when they cannot resolve names locally.
• All DNS servers limit zone transfers to servers listed in the name server (NS) resource records in their zones.
• DNS servers are configured to listen on specified IP addresses.
• Cache pollution prevention is enabled on all DNS servers.
• Nonsecure dynamic update is not allowed for any DNS zones.
• Internal DNS servers communicate with external DNS servers through the firewall with a limited list of source and destination addresses allowed.
• External DNS servers in front of your firewall are configured with root hints pointing to the root servers for the Internet.
• All Internet name resolution is performed using proxy servers and gateways.
High-level security
High-level security uses the same configuration as medium-level security and also uses the security features available when the DNS Server service is running on a domain controller and DNS zones are stored in Active Directory. In addition, high-level security completely eliminates DNS communication with the Internet. This is not a typical configuration, but it is recommended whenever Internet connectivity is not required.
• The DNS infrastructure of your organization has no Internet communication by internal DNS servers.
• Your network uses an internal DNS root and namespace, where all authority for DNS zones is internal.
• DNS servers that are configured with forwarders use internal DNS server IP addresses only.
• All DNS servers limit zone transfers to specified IP addresses.
• DNS servers are configured to listen on specified IP addresses.
• Cache pollution prevention is enabled on all DNS servers.
• Internal DNS servers are configured with root hints pointing to the internal DNS servers hosting the root zone for your internal namespace.
• All DNS servers are running on domain controllers. A discretionary access control list (DACL) is configured on the DNS Server service to only allow specific individuals to perform administrative tasks on the DNS server.
• All DNS zones are stored in Active Directory. A DACL is configured to only allow specific individuals to create, delete, or modify DNS zones.
• DACLs are configured on DNS resource records to only allow specific individuals to create, delete, or modify DNS data.
• Secure dynamic update is configured for DNS zones, except the top-level and root zones, which do not allow dynamic updates at all.
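The following script is an added example and is not part of the original documentation. It audits a DNS server against the server-side items shared by the medium-level and high-level checklists above (listen addresses, cache pollution prevention, forwarders, zone transfer restrictions, nonsecure dynamic update, and, for high level, Active Directory storage) and then applies the medium-level settings. It uses the DnsServer PowerShell module shipped with Windows Server 2012 and later; the dnscmd.exe commands used for the same settings on Windows Server 2003 are noted in the comments. The function names, the `$Level` parameter and the caller-supplied listen addresses and forwarder list are assumptions; the script does not judge whether a forwarder address is "internal", because your address ranges are not known to it.

```powershell
# Added example, not code from the Windows Server 2003 documentation above.
# Requires the DnsServer module (Windows Server 2012 and later); dnscmd.exe
# equivalents for Windows Server 2003 are given beside each check.

function Test-DnsSecurityBaseline {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [ValidateSet('Medium', 'High')]
        [string]$Level = 'Medium'            # hypothetical: which checklist to apply
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # Listen addresses: both levels require listening on specified IPs only.
    # dnscmd <server> /ResetListenAddresses <ip1> [<ip2> ...]
    $setting = Get-DnsServerSetting -ComputerName $ComputerName
    if (-not (Compare-Object $setting.ListeningIPAddress $setting.AllIPAddress)) {
        $findings.Add('Server listens on all of its IP addresses (low-level default)')
    }

    # Cache pollution prevention: required at medium and high.
    # dnscmd <server> /Config /SecureResponses 1
    $cache = Get-DnsServerCache -ComputerName $ComputerName
    if (-not $cache.EnablePollutionProtection) {
        $findings.Add('Cache pollution prevention is disabled')
    }

    # Forwarders: medium requires a specific list; high requires internal
    # addresses only (not checked here, your ranges are unknown to the script).
    # dnscmd <server> /ResetForwarders <ip1> [<ip2> ...]
    $fwd = Get-DnsServerForwarder -ComputerName $ComputerName
    if (-not $fwd.IPAddress) {
        $findings.Add('No forwarders configured; unresolved names go to root hints')
    }

    # Zones: skip auto-created zones (loopback reverse zones) and non-primary zones.
    $zones = Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }
    foreach ($z in $zones) {
        # dnscmd <server> /Config <zone> /AllowUpdate 2      (secure only)
        if ($z.DynamicUpdate -eq 'NonsecureAndSecure') {
            $findings.Add("Zone $($z.ZoneName) accepts nonsecure dynamic update")
        }
        # dnscmd <server> /ZoneResetSecondaries <zone> /SecureNs          (medium)
        # dnscmd <server> /ZoneResetSecondaries <zone> /SecureList <ip..>  (high)
        if ($z.SecureSecondaries -eq 'TransferAnyServer') {
            $findings.Add("Zone $($z.ZoneName) transfers to any server")
        }
        if ($Level -eq 'High') {
            if ($z.SecureSecondaries -notin 'TransferToSecureServers', 'NoTransfer') {
                $findings.Add("Zone $($z.ZoneName) does not limit transfers to specified IP addresses")
            }
            if (-not $z.IsDsIntegrated) {
                $findings.Add("Zone $($z.ZoneName) is not stored in Active Directory")
            }
        }
    }

    [pscustomobject]@{
        ComputerName = $ComputerName
        Level        = $Level
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings.ToArray()
    }
}

function Set-DnsMediumSecurity {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [Parameter(Mandatory)][string[]]$ListenAddresses,   # this server's internal interface IPs
        [Parameter(Mandatory)][string[]]$Forwarders         # the internal DNS servers to forward to
    )
    if (-not $PSCmdlet.ShouldProcess($ComputerName, 'Apply medium-level DNS security')) { return }

    Set-DnsServerCache -ComputerName $ComputerName -PollutionProtection $true

    $s = Get-DnsServerSetting -ComputerName $ComputerName
    $s.ListeningIPAddress = $ListenAddresses
    Set-DnsServerSetting -ComputerName $ComputerName -InputObject $s

    Set-DnsServerForwarder -ComputerName $ComputerName -IPAddress $Forwarders -UseRootHint $false

    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            # 'Secure' dynamic update is only available for AD-integrated zones;
            # a file-backed zone gets 'None', which also satisfies "nonsecure not allowed".
            $update = if ($_.IsDsIntegrated) { 'Secure' } else { 'None' }
            Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $_.ZoneName `
                -DynamicUpdate $update -SecureSecondaries TransferToZoneNameServer
        }
}

# Usage (constructed addresses, replace with your own):
# Test-DnsSecurityBaseline -Level High | Format-List
# Set-DnsMediumSecurity -ListenAddresses '10.0.0.5' -Forwarders '10.0.0.10','10.0.0.11' -WhatIf
```

Run the audit first; a zone that shows `TransferAnyServer` or `NonsecureAndSecure` is still at the low-level default even if the server-wide settings have been tightened. The hardening function deliberately stops at the medium level: the high-level items (an internal root zone, internal-only root hints, DACLs on the service, zones and records) depend on your Active Directory design and are not something a generic script should guess at.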