Domain Name System (DNS) is the primary name registration and resolution service used in Windows Server 2003. DNS provides a hierarchically distributed and scalable database; provides name registration and name resolution services, and service location for Windows 2000 and Windows Server 2003 clients; and locates domain controllers for logon. A DNS server is a computer running the DNS Server service that provides these domain name services.

The common threats to DNS servers are:

  • Denial-of-service (DoS) attacks occur when DNS servers are flooded with recursive queries in an attempt to prevent the DNS server from servicing legitimate client requests for name resolution. A successful DoS attack can result in the unavailability of DNS services and in the shutdown of the network.
  • Footprinting occurs when an intruder intercepts DNS zone information to discover the DNS domain names, computer names, and IP addresses which are being used on the network. The intruder then uses this information to decide on which computers to attack.
  • IP Spoofing: After an intruder has obtained a valid IP address from a footprinting attack, the intruder can use the IP address to send malicious packets to the network, and access network services. The intruder can also use the IP address to modify data.
  • A redirection attack occurs when an intruder is able to make the DNS server forward or redirect name resolution requests to the incorrect servers. In this case, the incorrect servers are under the control of the intruder. A redirection attack is achieved by an intruder corrupting the DNS cache in a DNS server that accepts unsecured dynamic updates.

Securing DNS Servers

DNS security recommendations

A few DNS security recommendations are listed here:

  • Your DNS servers should not respond to name resolution requests from any unauthorized networks. DNS servers should respond to requests from internal interfaces only.
  • To prevent other servers from discovering DNS zone records that contain important information, zone transfers should be targeted at specific DNS servers.
  • To protect your DNS servers from spoofing of DNS records, you should use the Secure only option for dynamic updates.
  • To further enhance security for DNS zone data, consider using Active Directory-integrated zones if you are using Active Directory. An Active Directory-integrated zone is a zone that stores its zone data in Active Directory. DNS zone files are not used to store data for these zones. An Active Directory-integrated zone is an authoritative primary zone. Active Directory-integrated zones enjoy the security features of Active Directory.
  • You should consider configuring the Secure cache against pollution option to further protect your DNS servers from an intruder that might be attempting to pollute the DNS cache with the incorrect information.

To enable only secure dynamic updates,

  1. Click Start, Administrative Tools, and then click DNS to open the DNS console.
  2. In the console tree, right-click the DNS zone that you want to configure, and then select Properties from the shortcut menu.
  3. On the General tab, verify that the zone type configured for the zone is Active Directory-integrated.
  4. In the Dynamic Updates drop-down list box, select the Secure only option.
  5. Click OK.

To configure the Secure cache against pollution option,

  1. Click Start, Administrative Tools, and then click DNS.
  2. In the console tree, right-click the DNS server that you want to configure, and then select Properties to open the DNS Server’s Properties dialog box.
  3. Click the Advanced tab.
  4. In the Server Options list, click the Secure Cache Against Pollution checkbox.
  5. Click OK.

For DNS zones that are not stored in Active Directory, it is recommended that you implement the following security strategies:

  1. Change the permissions on the zone file or on the folder that contains the zone files to only allow the Full Control permission to the System group.
  2. In the Registry, under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS, secure the DNS registry keys.

For DNS servers that do not respond to client requests directly and that are not DNS forwarders, implement the security strategy listed below. DNS forwarders are the DNS servers used to forward DNS queries for a different DNS namespace to the DNS servers that can answer the query. A DNS server becomes a DNS forwarder when you configure the other DNS servers to direct any unresolved queries to it:

  • Disable recursion: If a DNS server cannot find the queried name in its zone information or in its cache, the DNS server performs recursion to resolve the name. This is the default configuration for DNS servers. Recursion is the process by which the DNS server queries other DNS servers on behalf of the client.

To disable recursion,

  1. Click Start, Administrative Tools, and then click DNS to open the DNS management console.
  2. In the console tree, right-click the DNS server that you want to configure, and then select Properties to open the DNS Server’s Properties dialog box.
  3. Switch to the Advanced tab.
  4. In the Server Options list, enable the Disable recursion (also disables forwarders) checkbox so that the DNS server no longer performs recursion to resolve client queries.
  5. Click OK.
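The zone-level and server-level settings from the procedures above (secure-only dynamic updates, zone transfers restricted to specific IP addresses, secure cache against pollution, and disabling recursion) can also be applied and read back from the command line with dnscmd.exe. This is an added example, not part of the original article; it assumes dnscmd.exe from the Windows Server 2003 Support Tools is on the PATH, that it is run on the DNS server as a DNS administrator, and that the zone name and IP addresses are placeholders you replace with your own.

```powershell
# Added example (not from the original article). Assumes dnscmd.exe is on the
# PATH and the script runs locally on the DNS server as a DNS administrator.
# The zone name and IP addresses below are placeholders, not real values.

$Zone        = "corp.example"                   # placeholder zone name
$XferAllowed = @("192.0.2.10", "192.0.2.11")    # placeholder secondary servers

# 1. Dynamic updates: 0 = none, 1 = nonsecure and secure, 2 = secure only.
#    Secure only is accepted only for Active Directory-integrated zones;
#    dnscmd reports an error for a standard (file-backed) primary zone.
dnscmd /Config $Zone /AllowUpdate 2

# 2. Zone transfers: /SecureList limits transfers to the listed addresses.
#    PowerShell expands the array into one argument per IP address.
dnscmd /ZoneResetSecondaries $Zone /SecureList $XferAllowed

# 3. "Secure cache against pollution" (the Advanced tab checkbox).
dnscmd /Config /SecureResponses 1

# 4. "Disable recursion (also disables forwarders)" for servers that should
#    answer only for the zones they host.
dnscmd /Config /NoRecursion 1

# Read the settings back so the change can be verified and recorded.
# A DWORD value of 1 for the server settings, and 2 for AllowUpdate, confirms
# the hardened state; SecureSecondaries shows the zone transfer restriction.
dnscmd /Info /SecureResponses
dnscmd /Info /NoRecursion
dnscmd /ZoneInfo $Zone AllowUpdate
dnscmd /ZoneInfo $Zone SecureSecondaries
```

Restart is not required; dnscmd applies these changes to the running DNS Server service, so the read-back commands reflect them immediately.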

For DNS servers that do not resolve Internet names, implement the security strategy listed below:

  • Configure the root hints to point only to the DNS servers for your root domain. Root hints are a collection of resource records that the DNS Server service uses to locate the DNS servers that are authoritative for the root of the DNS domain namespace. If you are using Windows Server 2003 DNS, a preconfigured root hints file named Cache.dns already exists. Cache.dns contains the addresses of the root servers in the Internet DNS namespace and is preloaded into memory when the DNS Server service starts. If you want to create your own custom root hints, you have to delete the Internet root servers and add the correct information for your environment.

To configure the root hints to point to only those DNS servers for your root domain,

  1. Click Start, Administrative Tools, and then click DNS to open the DNS management console.
  2. Click the Action menu item, and select the Properties command.
  3. Switch to the Root Hints tab.
  4. If you want to add a root server, click the Add button and enter the DNS server name and IP address that should be added to the list.
  5. If you want to delete an existing root server, select the specific server and then click the Remove button.
  6. Click OK.

Microsoft specifies three levels of implementing DNS security. The high-level security configuration provides the most security for DNS servers. The high-level security configuration consists of a DNS server hosted on a domain controller, with DNS zone information being stored in Active Directory.

A few high-level security configuration characteristics are listed here:

  • Internal DNS servers are not exposed to the Internet.
  • DNS servers are hosted on domain controllers.
  • Active Directory-integrated zones are the only zone type configured.
  • Zone data is stored in Active Directory, and only secure dynamic updates are allowed.
  • DNS zone transfer only takes place to specific IP addresses.

Basic Security Measures for DNS Servers

Basic security measures for securing the DNS server role are listed here:

  • Physically secure your DNS servers.
  • The NTFS file system should be utilized to protect data on the system volume.
  • Apply and maintain a strong virus protection solution.
  • Software patches should be kept up to date.
  • If applicable, programs should only be allowed to be installed when they have trusted sources.
  • All unnecessary services and applications not being used on DNS servers should be deleted.
  • Secure the Administrator and Guest well-known accounts.

Recommendations for Securing DNS Servers Attached to the Internet

A few recommendations for securing DNS servers that are attached to the Internet are listed here:

  • DNS servers that are attached to the Internet should be placed in a perimeter network so that internal network resources can be secured from the public Internet.
  • Use a firewall solution to configure access rules and packet filtering to filter both source and destination addresses and ports.
  • Remove all unnecessary services from these DNS servers.
  • Limit the number of DNS servers that are allowed to start a DNS zone transfer. Zone transfer should also only be allowed to specific IP addresses.
  • Consider using IPSec to secure zone replication traffic.
  • Consider adding a second DNS server on a different subnet to further augment protection from DoS attacks.
  • Regularly monitor your DNS servers and the DNS log files.

Recommendations for Securing DNS Servers not Attached to the Internet

A few recommendations for securing DNS servers that are not attached to the Internet are listed here:

  • Access to internal DNS servers from the Internet should be prohibited.
  • To use the additional security features of Active Directory, use Active Directory-integrated zones as the DNS zone type.
  • Allow only secure dynamic updates.
  • Limit the number of DNS servers that are allowed to receive zone transfer data.
  • Regularly monitor your DNS servers and the DNS log files.
