Secure DNS Deployment Guide
Updated: October 7, 2009
Applies To: Windows Server 2008 R2
The Domain Name System (DNS) protocol is particularly vulnerable to attack due to an inherent lack of authentication and integrity checking of data that is exchanged between DNS servers or provided to DNS clients. Successful attacks can be especially disruptive because of the critical role that DNS plays in most networks. Therefore, it is important to evaluate the security of your DNS infrastructure and consider the advantages of deploying security features that are provided for the DNS Server role in Windows Server. This documentation provides guidance for using these security features.
About this guide
This guide is intended for use by system administrators and system engineers. It provides detailed guidance for configuring and deploying a secure Microsoft DNS infrastructure using Windows Server® 2008 R2. If your organization has deployed a Microsoft DNS infrastructure using an earlier version of Windows Server, you can still use this guide to review the secure DNS settings and infrastructure guidelines that are provided. Some enhancements to Microsoft DNS security, such as DNS Security Extensions (DNSSEC) are only available with Windows Server 2008 R2.
This guide provides steps for the following:
Use the checklists in Implementing a Secure DNS Design to configure your Microsoft DNS infrastructure with recommended security settings.
Terminology used in this guide
For a list of terms introduced by DNSSEC, see DNSSEC Terminology.
Planning Your Secure DNS Deployment
Appendix A: Reviewing Key DNSSEC Concepts