Securing DNS deployment
When you design your Domain Name System (DNS) server deployment, use the following DNS security guidelines:
If your network hosts are not required to resolve names on the Internet, eliminate DNS communication with the Internet.
In this DNS design, you can use a private DNS namespace that is hosted entirely in your network. The private DNS namespace is distributed just as the Internet DNS namespace, with your internal DNS servers hosting zones for the root domain and top-level domains.
Split the DNS namespace for your organization between internal DNS servers behind the firewall and external DNS servers in front of the firewall.
In this DNS design, your internal DNS namespace is a subdomain of your external DNS namespace. For example, if the Internet DNS namespace for your organization is tailspintoys.com, the internal DNS namespace for your network is corp.tailspintoys.com.
Host your internal DNS namespace on internal DNS servers and host your external DNS namespace on external DNS servers that are exposed to the Internet.
To resolve queries for external names that are made by internal hosts, the internal DNS servers in this DNS design forward queries for external names to the external DNS servers. External hosts use only the external DNS servers for Internet name resolution.
Configure your packet-filtering firewall to allow only UDP and TCP port 53 communication between your external DNS server and a single internal DNS server.
This DNS design facilitates communication between internal and external DNS servers and prevents any other external computer from gaining access to your internal DNS namespace.
For more information, see Security Information for DNS.