DNS security

Domain Name System (DNS) was originally designed as an open protocol and is therefore exposed to attackers. Windows Server 2003 DNS improves your ability to prevent attacks on your DNS infrastructure through three levels of DNS security.

Low-level security

Low-level security is the default DNS deployment without any security precautions configured. Only deploy this level of DNS security in network environments where there is no concern for the integrity of your DNS data, or in a private network where there is no threat from external connectivity. The low-level DNS security configuration has the following features:

The DNS infrastructure of your organization is fully exposed to the Internet.

Standard DNS resolution is performed by all DNS servers in your network.

All DNS servers are configured with root hints pointing to the root servers for the Internet.

All DNS servers permit zone transfers to any server.

All DNS servers are configured to listen on all of their IP addresses.

Cache pollution prevention is disabled on all DNS servers.

Dynamic update is allowed for all DNS zones.

User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) port 53 are open on the firewall for your network for both source and destination addresses.

Medium-level security

Medium-level security uses the DNS security features that are available without running DNS servers on domain controllers and without storing DNS zones in Active Directory. It has the following features:

The DNS infrastructure of your organization has limited exposure to the Internet.

All DNS servers are configured to use forwarders to point to a specific list of internal DNS servers when they cannot resolve names locally.

All DNS servers limit zone transfers to servers listed in the name server (NS) resource records in their zones.

DNS servers are configured to listen on specified IP addresses.

Cache pollution prevention is enabled on all DNS servers.

Nonsecure dynamic update is not allowed for any DNS zones.

Internal DNS servers communicate with external DNS servers through the firewall with a limited list of source and destination addresses allowed.

External DNS servers in front of your firewall are configured with root hints pointing to the root servers for the Internet.

All Internet name resolution is performed using proxy servers and gateways.

High-level security

High-level security uses the same configuration as medium-level security and also uses the security features available when the DNS Server service is running on a domain controller and DNS zones are stored in Active Directory. In addition, high-level security completely eliminates DNS communication with the Internet. This is not a typical configuration, but it is recommended whenever Internet connectivity is not required. It has the following features:

The DNS infrastructure of your organization has no Internet communication by internal DNS servers.

Your network uses an internal DNS root and namespace, where all authority for DNS zones is internal.

DNS servers that are configured with forwarders use internal DNS server IP addresses only.

All DNS servers limit zone transfers to specified IP addresses.

DNS servers are configured to listen on specified IP addresses.

Cache pollution prevention is enabled on all DNS servers.

Internal DNS servers are configured with root hints pointing to the internal DNS servers hosting the root zone for your internal namespace.

All DNS servers are running on domain controllers. A discretionary access control list (DACL) is configured on the DNS Server service to only allow specific individuals to perform administrative tasks on the DNS server.

All DNS zones are stored in Active Directory. A DACL is configured to only allow specific individuals to create, delete, or modify DNS zones.

DACLs are configured on DNS resource records to only allow specific individuals to create, delete, or modify DNS data.

Secure dynamic update is configured for DNS zones, except the top-level and root zones, which do not allow dynamic updates at all.
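The medium-level and high-level checklists above describe settings, not how to verify them. The following PowerShell script is an added example, not part of the original page, that reads the relevant settings from a Windows DNS server and reports which checklist items pass: listening addresses, cache pollution prevention (the SecureResponse setting), forwarder addresses, per-zone zone transfer restrictions, dynamic update mode, and whether each zone is Active Directory-integrated. It assumes the DnsServer PowerShell module, which ships with Windows Server 2012 and later and with RSAT; it is not available on Windows Server 2003, where the same values are read with dnscmd.exe (for example dnscmd /Info and dnscmd /ZoneInfo). The internal address prefixes and the "listening on all addresses" heuristic are assumptions for illustration and should be adjusted for your network.

```powershell
# Added example (not from the original page): audit a Windows DNS server against
# the medium-level and high-level DNS security checklists. Requires the DnsServer
# module (Windows Server 2012+ or RSAT). Read-only: nothing is changed.
param(
    [string]$ComputerName = 'localhost',
    # Constructed placeholder: prefixes that count as "internal" forwarders.
    [string[]]$InternalForwarderPrefixes = @('10.', '192.168.')
)

$findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
    $state = if ($Ok) { 'OK  ' } else { 'FAIL' }
    $findings.Add("[$state] $Check - $Detail")
}

# 1. Listen on specified IP addresses (medium and high level).
#    Heuristic (assumption): if the listening list is empty or covers every
#    server address, the server is treated as listening on all interfaces.
$settings  = Get-DnsServerSetting -ComputerName $ComputerName -All
$listenAll = ($settings.ListeningIPAddress.Count -eq 0) -or
             ($settings.ListeningIPAddress.Count -eq $settings.AllIPAddress.Count)
Add-Finding 'Listen on specified IPs' (-not $listenAll) `
    ('listening on: ' + ($settings.ListeningIPAddress -join ', '))

# 2. Cache pollution prevention is the SecureResponse recursion setting.
$recursion = Get-DnsServerRecursion -ComputerName $ComputerName
Add-Finding 'Cache pollution prevention' $recursion.SecureResponse `
    "SecureResponse=$($recursion.SecureResponse)"

# 3. Forwarders point only at internal DNS servers (required at high level).
$fwd = Get-DnsServerForwarder -ComputerName $ComputerName
foreach ($ip in $fwd.IPAddress) {
    $text = $ip.IPAddressToString
    $isInternal = $false
    foreach ($p in $InternalForwarderPrefixes) {
        if ($text.StartsWith($p)) { $isInternal = $true }
    }
    Add-Finding 'Forwarder is internal' $isInternal $text
}

# 4. Per-zone checks on primary zones that the administrator created.
$zones = Get-DnsServerZone -ComputerName $ComputerName |
         Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }
foreach ($z in $zones) {
    # Medium level: transfers limited to NS-listed or explicitly listed servers
    # (or disabled); TransferAnyServer is the low-level setting.
    $xferOk = $z.SecureSecondaries -in 'NoTransfer', 'TransferToZoneNameServer', 'TransferToSecureServers'
    Add-Finding "Zone transfer restricted: $($z.ZoneName)" $xferOk `
        "SecureSecondaries=$($z.SecureSecondaries)"

    # Medium level: nonsecure dynamic update is not allowed for any zone.
    $updOk = $z.DynamicUpdate -ne 'NonsecureAndSecure'
    Add-Finding "No nonsecure dynamic update: $($z.ZoneName)" $updOk `
        "DynamicUpdate=$($z.DynamicUpdate)"

    # High level: zone stored in Active Directory (enables secure dynamic update
    # and per-zone / per-record DACLs).
    Add-Finding "AD-integrated (high level): $($z.ZoneName)" $z.IsDsIntegrated `
        "IsDsIntegrated=$($z.IsDsIntegrated)"
}

$findings
```

Run it on the DNS server itself, or pass -ComputerName for a remote server you administer. Each FAIL line maps to one checklist item; for example a zone reporting SecureSecondaries=TransferAnyServer is still at the low-level "zone transfers to any server" setting, and a zone reporting DynamicUpdate=NonsecureAndSecure still accepts nonsecure dynamic updates. The script deliberately only reads settings, so it is safe to run repeatedly as a compliance check.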

Copyright © 2002-2018 ChicagoTech.net, All rights reserved. Unauthorized reproduction forbidden.