Securing the DNS Server Service

Applies To: Windows Server 2008

To help secure the Domain Name System (DNS) servers in your network, use the following guidelines.

Examine and configure the default DNS Server service settings that affect security

The following configuration options for the DNS Server service have security implications for both the standard and the Active Directory-integrated DNS Server service.

Default setting	Description
Interfaces	By default, a DNS Server service that is running on a multihomed computer is configured to listen for DNS queries using all of its IP addresses. Limit the IP addresses that the DNS Server service listens on to the IP address that its DNS clients use as their preferred DNS server. For more information, see Restrict a DNS server to listen only on selected addresses.
Secure cache against pollution	By default, the DNS Server service is secured from cache pollution, which results when DNS query responses contain nonauthoritative or malicious data. The Secure cache against pollution option helps prevent an attacker from successfully polluting the cache of a DNS server with resource records that were not requested by the DNS server. Changing this default setting reduces the integrity of the responses that are provided by DNS Server service. For more information, see Secure the Server Cache Against Names Pollution.
Disable recursion	By default, recursion is not disabled for the DNS Server service. This makes it possible for the DNS server to perform recursive queries on behalf of its DNS clients and DNS servers that have forwarded DNS client queries to it. Recursion may be used by attackers to deny the DNS Server service. Therefore, if a DNS server in your network is not intended to receive recursive queries, it should be disabled. For more information, see Disable Recursion on the DNS Server
Root hints	If you have an internal DNS root in your DNS infrastructure, configure the root hints of internal DNS servers to point only to the DNS servers that host your root domain, not the DNS servers that host the Internet root domain. This prevents your internal DNS servers from sending private information over the Internet when they resolve names. For more information, see Update Root Hints on the DNS Server and Updating Root Hints.

Manage the DACL on DNS servers running on domain controllers

In addition to the already described default DNS Server service settings that affect security, DNS servers that are configured as domain controllers use a discretionary access control list (DACL). You can use the DACL to control the permissions for the Active Directory users and groups that control the DNS Server service.

The following table lists the default group or user names and permissions for the DNS Server service when it is running on a domain controller.

Group or user names	Permissions
Administrators	Allow: Read, Write, Create All Child objects, Special Permissions
Creator Owner	Special Permissions
DnsAdmins	Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions
Domain Admins	Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects
Enterprise Admins	Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects
Enterprise Domain Controllers	Allow: Special Permissions
Pre-Windows 2000 Compatible Access	Allow: Special Permissions
System	Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects

When the DNS Server service is running on a domain controller, you can manage its DACL using the Active Directory object MicrosoftDNS. Configuring the DACL on the MicrosoftDNS object has the same effect as configuring the DACL on the DNS server in DNS Manager, which is the recommended method. Consequently, the security administrators of Active Directory objects and DNS servers should be in direct contact to ensure that the administrators do not reverse each other's security settings.

For more information, see Security Information for DNS.