To help secure the Domain Name System (DNS) servers in your network, use the following guidelines.
Examine and configure the default DNS Server service settings that affect security
The following configuration options for the DNS Server service have security implications for both the standard and the Active Directory-integrated DNS Server service.
Default setting | Description |
---|---|
Interfaces |
By default, a DNS Server service that is running on a multihomed computer is configured to listen for DNS queries using all of its IP addresses. Limit the IP addresses that the DNS Server service listens on to the IP address that its DNS clients use as their preferred DNS server. For more information, see Restrict a DNS server to listen only on selected addresses. |
Secure cache against pollution |
By default, the DNS Server service is secured from cache pollution, which results when DNS query responses contain nonauthoritative or malicious data. The Secure cache against pollution option helps prevent an attacker from successfully polluting the cache of a DNS server with resource records that were not requested by the DNS server. Changing this default setting reduces the integrity of the responses that are provided by DNS Server service. For more information, see Secure the Server Cache Against Names Pollution. |
Disable recursion |
By default, recursion is not disabled for the DNS Server service. This makes it possible for the DNS server to perform recursive queries on behalf of its DNS clients and DNS servers that have forwarded DNS client queries to it. Recursion may be used by attackers to deny the DNS Server service. Therefore, if a DNS server in your network is not intended to receive recursive queries, it should be disabled. For more information, see Disable Recursion on the DNS Server |
Root hints |
If you have an internal DNS root in your DNS infrastructure, configure the root hints of internal DNS servers to point only to the DNS servers that host your root domain, not the DNS servers that host the Internet root domain. This prevents your internal DNS servers from sending private information over the Internet when they resolve names. For more information, see Update Root Hints on the DNS Server and Updating Root Hints. |
Manage the DACL on DNS servers running on domain controllers
In addition to the already described default DNS Server service settings that affect security, DNS servers that are configured as domain controllers use a discretionary access control list (DACL). You can use the DACL to control the permissions for the Active Directory users and groups that control the DNS Server service.
The following table lists the default group or user names and permissions for the DNS Server service when it is running on a domain controller.
Group or user names | Permissions |
---|---|
Administrators |
Allow: Read, Write, Create All Child objects, Special Permissions |
Creator Owner |
Special Permissions |
DnsAdmins |
Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions |
Domain Admins |
Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects |
Enterprise Admins |
Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects |
Enterprise Domain Controllers |
Allow: Special Permissions |
Pre-Windows 2000 Compatible Access |
Allow: Special Permissions |
System |
Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects |
When the DNS Server service is running on a domain controller, you can manage its DACL using the Active Directory object MicrosoftDNS. Configuring the DACL on the MicrosoftDNS object has the same effect as configuring the DACL on the DNS server in DNS Manager, which is the recommended method. Consequently, the security administrators of Active Directory objects and DNS servers should be in direct contact to ensure that the administrators do not reverse each other's security settings.
For more information, see Security Information for DNS.