Non–Active Directory–Integrated DNS Security

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

This guide focuses on using Active Directory–integrated zones, which is the recommended practice for DNS deployment. Although details about file-based DNS deployments (non–Active Directory–integrated deployments) are not presented here, setting NTFS file permissions on zone files is important enough to mention. DNS database files are stored in a plaintext format. Any user who can gain access to the disk drive where these files are stored can open these files with a text editor, such as Notepad, and make changes. You can use NTFS file permissions to prevent this type of access, although you should make sure that any changes do not prevent normal system access.
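The following PowerShell script is an added example, not part of the original guide, showing one way to audit and then tighten the NTFS permissions the paragraph above recommends. It assumes the default zone file location `%SystemRoot%\System32\dns`, that the DNS Server service runs as LocalSystem (so SYSTEM must keep Full Control for the service to load and write zone files), and that the script runs in an elevated PowerShell 2.0 or later session on the DNS server; the list of "untrusted" principals is a constructed starting point, not a Microsoft-defined set.

```powershell
# Added example (not from the original guide): report, and optionally restrict, NTFS
# permissions on file-based DNS zone files (*.dns).
# Assumptions: default zone folder %SystemRoot%\System32\dns; DNS Server service runs as
# LocalSystem; elevated PowerShell 2.0+ session on the DNS server.
param(
    [string]$ZoneDir = (Join-Path $env:SystemRoot 'System32\dns'),
    [switch]$Harden   # without -Harden the script only reports
)

# Broad, low-privilege principals that should never hold write-type rights on zone files
# (constructed list; extend it for your environment).
$untrusted = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone',
               'NT AUTHORITY\INTERACTIVE')

# Any of these rights lets the holder alter zone data or the ACL protecting it.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
             [int][System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [int][System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [int][System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [int][System.Security.AccessControl.FileSystemRights]::Delete -bor
             [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Test-ZoneFileAcl {
    # Returns one finding string per Allow ACE that grants write-type rights to an
    # untrusted principal; an empty result means the file passed.
    param([string]$Path)
    $findings = @()
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        $grantsWrite = (([int]$ace.FileSystemRights) -band $writeMask) -ne 0
        if ($grantsWrite -and ($untrusted -contains $id)) {
            $findings += "$Path : '$id' has $($ace.FileSystemRights) (inherited=$($ace.IsInherited))"
        }
    }
    return $findings
}

function Set-ZoneFileAcl {
    # Replaces the file's DACL with Full Control for SYSTEM (the service account, assumed
    # LocalSystem) and the local Administrators group only.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent folder and do not copy the inherited entries down,
    # so broad grants on System32 no longer apply to the zone files.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any remaining explicit entries before adding the minimal set.
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

$allFindings = @()
foreach ($file in Get-ChildItem -Path $ZoneDir -Filter '*.dns' -ErrorAction Stop) {
    $allFindings += @(Test-ZoneFileAcl -Path $file.FullName)
    if ($Harden) { Set-ZoneFileAcl -Path $file.FullName }
}
if ($allFindings.Count -eq 0) {
    "No untrusted principal holds write access to zone files in $ZoneDir"
} else {
    $allFindings
}
```

Run it without `-Harden` first and review the report; apply `-Harden` only after confirming that the DNS Server service account and your DNS administrators are covered by the SYSTEM and Administrators grants, since a zone file the service can no longer read or write will fail to load, which is the "normal system access" caveat the paragraph above raises.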

Recommendations: Securing DNS

The following sections summarize the recommendations in this chapter for increasing the security of a DNS environment that is used to support Active Directory.

Recommendations for Deploying Secure DNS

Recommendations for making the DNS environment more secure when you are using Active Directory–integrated zones are:

  • Protecting DNS Servers

    • Use Active Directory–integrated DNS zones.

    • Implement IPsec between DNS clients and servers.

    • Monitor network activity.

    • Close all unused firewall ports.

  • Protecting DNS Data

    • Use secure dynamic update.

    • Use quotas to limit the number of DNS resource records that can be registered.

    • Ensure that only trusted individuals are granted DNS administrator privileges.

    • Delegate administration of DNS data.

    • Use appropriate routing mechanisms.

    • Use separate internal and external DNS namespaces.

    • Disable recursion on internal DNS servers.
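Two of the data-protection items above (secure dynamic update and disabling recursion on internal servers) correspond to settings that can be read back from the DNS Server WMI provider. The script below is an added example, not part of the original guide; it reports zones that accept nonsecure dynamic updates, file-based primary zones (which cannot use secure update), and whether recursion is still enabled, and prints the matching `dnscmd` remediation rather than executing it. It assumes an elevated PowerShell 2.0 or later session, the `root\MicrosoftDNS` namespace with its `MicrosoftDNS_Server` and `MicrosoftDNS_Zone` classes, and the provider's `AllowUpdate` (0 = none, 1 = nonsecure and secure, 2 = secure only) and `ZoneType` (1 = standard primary) values, which are assumptions to verify on your build.

```powershell
# Added example (not from the original guide): audit recursion and dynamic update settings
# through the DNS Server WMI provider and print dnscmd commands for each finding.
# Assumptions: elevated PowerShell 2.0+ session; root\MicrosoftDNS provider present;
# AllowUpdate 0/1/2 = none / nonsecure and secure / secure only; ZoneType 1 = standard primary.
param([string]$ComputerName = '.')

$ns = 'root\MicrosoftDNS'
$updateMode = @{ 0 = 'none'; 1 = 'nonsecure and secure'; 2 = 'secure only' }

function Get-DnsRecursionFinding {
    # Returns a finding when the server still answers recursive queries.
    param([string]$Computer)
    $srv = Get-WmiObject -ComputerName $Computer -Namespace $ns -Class MicrosoftDNS_Server
    if (-not $srv.NoRecursion) {
        return "[server] recursion is enabled; for an internal-only server run: dnscmd /Config /NoRecursion 1"
    }
}

function Get-DnsZoneFindings {
    # Returns one finding per zone that accepts nonsecure updates or is a file-based primary.
    param([string]$Computer)
    $findings = @()
    $zones = Get-WmiObject -ComputerName $Computer -Namespace $ns -Class MicrosoftDNS_Zone
    foreach ($z in $zones) {
        $mode = $updateMode[[int]$z.AllowUpdate]
        if ($z.AllowUpdate -eq 1) {
            $findings += "[zone $($z.Name)] dynamic update = '$mode'; switch to secure only with: dnscmd /Config $($z.Name) /AllowUpdate 2"
        }
        if (($z.ZoneType -eq 1) -and (-not $z.DsIntegrated)) {
            # Secure dynamic update is only available for Active Directory-integrated zones,
            # so a file-based primary also needs the NTFS protections on its data file.
            $findings += "[zone $($z.Name)] file-based primary zone (data file: $($z.DataFile)); consider converting to an Active Directory-integrated zone"
        }
    }
    return $findings
}

$report = @()
$report += @(Get-DnsRecursionFinding -Computer $ComputerName)
$report += @(Get-DnsZoneFindings -Computer $ComputerName)
if ($report.Count -eq 0) { "No findings on $ComputerName" } else { $report }
```

Disabling recursion is only appropriate on servers that are not expected to resolve external names on behalf of clients; on a server that also forwards, apply the other recommendations in the list and leave recursion as configured.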

Recommendations for Non–Active Directory–Integrated DNS Security

Recommendations for making your DNS environment more secure when you are not using Active Directory–integrated zones are:

  • Non–Active Directory–Integrated DNS Security

    • Set NTFS file permissions on zone files.