Share via


Restrict a DNS Server to Listen Only on Selected Addresses

Applies To: Windows Server 2008

A multihomed computer is a computer that has multiple network adapters or that has been configured with multiple IP addresses for a single network adapter. By default, a DNS Server service that is running on a multihomed computer listens for Domain Name System (DNS) queries on all its IP addresses. You can use this procedure to make the DNS server more secure by limiting the IP addresses on which the DNS Server service listens to the IP address that is used by the server’s DNS clients as their preferred DNS server.

You can complete this procedure by using the Windows interface or the Dnscmd command-line tool.

Membership in Administrators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

Restricting a DNS server to listen only on selected addresses

  • Using the Windows interface

  • Using a command line

To restrict a DNS server to listen only on selected addresses using the Windows interface

  1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.

  2. In the console tree, expand DNS, and then click the applicable DNS server.

  3. On the Action menu, click Properties.

  4. On the Interfaces tab, click Only the following IP addresses.

  5. In IP address, type an IP address to be enabled for this DNS server, and then click Add.

  6. Repeat the previous step as necessary to specify other server IP addresses to be enabled for this DNS server.

    To remove an IP address from the list, click it, and then click Remove.

Additional considerations

  • By default, the DNS Server service listens for DNS message communications on all configured IP addresses for the server computer.

  • Server IP addresses that are added here must be managed statically. If you later change or remove the addresses that are specified here from the TCP/IP configurations that are maintained at this server, update this list accordingly.

  • Restricting the DNS Server service to listen only on specific IP addresses is an effective security measure because only hosts on the same network subnet—or hosts with a router that connects them to that same segment—have access to the server.

To restrict a DNS server to listen only on selected addresses using a command line

  1. Open a command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. At the command prompt, type the following command, and then press ENTER:

    dnscmd <ServerName> /ResetListenAddresses [<ListenAddress> ...]
    
Parameter Description

dnscmd

The command-line tool for managing DNS servers.

<ServerName>

Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/ResetListenAddresses

Required. Resets the IP addresses of the interfaces on which the DNS server listens.

<ListenAddress> ...

Specifies one or more IP addresses for the interfaces on which you want the DNS server to listen. By default, the DNS Server service listens for DNS message communications on all IP addresses that are configured for the server computer.

To view the complete syntax for this command, at a command prompt, type the following command, and then press ENTER:

dnscmd <ServerName> /ResetListenAddresses /help

Additional considerations

  • Server IP addresses that you add here must be managed statically. If you later change or remove the addresses that are specified here from the TCP/IP configurations that are maintained at this server, update this list accordingly.

  • Restricting the DNS Server service to listen only on specific IP addresses is an effective security measure because only hosts on the same network subnet—or hosts with a router that connects them to that same segment—have access to the server.