Lock down DNS with these tips

Because DNS is integral to the architecture of an Active Directory domain, it's essential that you secure it from the start. In this edition of Security Solutions, Mike Mullins offers some tips for locking down DNS in your organization—from the installation process to maintaining security, find out how you can keep DNS secure.

Ensuring domain name system (DNS) security in your Windows Server 2003 domain is essential. Active Directory (AD) uses DNS to locate domain controllers and other resources (e.g., file, print, mail, etc.) that serve the domain. Because DNS is integral to the architecture of an AD domain, it's essential that you secure it from the start.

When installing DNS on Windows Server 2003, don't change the default setting: Active Directory-integrated DNS. Microsoft made this setting change to AD in 2000.

That means the system will only store DNS data on DNS servers—it won't store or replicate the information on domain controllers or global catalog servers. This increases the speed and efficiency of all three types of servers.

Securing the transfer of data between the DNS server and clients (or other servers) is also crucial. DNS uses TCP/UDP port 53; by filtering this port at different points in your security boundary, you can ensure that the DNS server receives only authorized connections.

In addition, this is an excellent time to implement IPSec to secure traffic from your DNS clients and servers. Enabling IPSec ensures the validation and encryption of all communications between the client and the server. This means that your clients talk only to authorized servers and helps prevent request spoofing or tampering.

After deploying the DNS server, continue to monitor connections as you would any other high-value target in your enterprise. DNS servers need available bandwidth to service client requests.

If you witness high volumes of network traffic from a single source machine directed toward your DNS server, you could be under a denial-of-service (DoS) attack. Throttle the connection from the source, or sever the connection until you can investigate the problem. Don't forget that a successful DoS attack against your DNS server can render AD nonfunctional.
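As an added illustration of the monitoring advice above (example code, not from the original column), the script below counts queries per source over a sliding time window and flags any source whose volume exceeds a threshold. The log format, the addresses and the threshold are all constructed assumptions for this example; real DNS debug logs differ in layout and the threshold must be tuned to your own baseline.

```python
"""Flag sources sending an abnormal volume of DNS queries in a short window.

Assumed (constructed) log line format, one query per line, sorted by time:
    <ISO-8601 timestamp> <client-ip> <query-type> <query-name>
"""
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 10   # assumption: sliding window length
THRESHOLD = 5         # assumption: more than this many queries per window is suspicious

# Constructed sample log: 10.0.0.5 hammers the server, 10.0.0.7 behaves normally.
SAMPLE_LOG = [
    "2003-06-01T09:00:00 10.0.0.7 A fileserver.corp.example",
    "2003-06-01T09:00:01 10.0.0.5 A dc1.corp.example",
    "2003-06-01T09:00:02 10.0.0.5 A dc1.corp.example",
    "2003-06-01T09:00:03 10.0.0.5 A dc1.corp.example",
    "2003-06-01T09:00:04 10.0.0.5 A dc1.corp.example",
    "2003-06-01T09:00:05 10.0.0.5 A dc1.corp.example",
    "2003-06-01T09:00:06 10.0.0.5 A dc1.corp.example",
    "2003-06-01T09:00:07 10.0.0.7 MX mail.corp.example",
    "2003-06-01T09:00:08 10.0.0.5 A dc1.corp.example",
    "2003-06-01T09:00:30 10.0.0.5 A dc1.corp.example",  # outside the earlier window
    "2003-06-01T09:00:31 10.0.0.7 A printer.corp.example",
]


def parse_line(line):
    """Split one constructed log line into (timestamp, source ip, qtype, qname)."""
    ts, src, qtype, qname = line.split()
    return datetime.fromisoformat(ts), src, qtype, qname


def find_flooding_sources(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {source_ip: peak queries seen within one window} for sources over threshold."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    peaks = {}
    for line in lines:
        ts, src, _, _ = parse_line(line)
        q = recent[src]
        q.append(ts)
        # Drop timestamps that have aged out of the sliding window.
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > threshold and len(q) > peaks.get(src, 0):
            peaks[src] = len(q)
    return peaks


if __name__ == "__main__":
    for src, count in find_flooding_sources(SAMPLE_LOG).items():
        print(f"{src}: {count} queries within {WINDOW_SECONDS}s, investigate or throttle")
```

Sources returned by `find_flooding_sources` are candidates for the throttling or disconnection described above, not proof of an attack; a misconfigured client or a legitimate resolver can produce the same pattern.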

By using the default setting (Secure Dynamic Update), only authenticated clients in your forest can register and update entries in the DNS server. This prevents an attacker from populating your DNS with entries that misdirect clients to counterfeit Web sites designed to trick users into divulging financial data.

You can also use quotas to prevent the flooding of DNS from a client. Clients typically register a maximum of 10 records in DNS. By limiting the number of objects a single client can register, you can prevent a client from starting a DoS attack against its own DNS server.

Note: Make sure you apply a different quota to DHCP servers, domain controllers, and multi-homed servers. These servers may need to register hundreds of objects depending on their function and number of users.

DNS servers will respond to any query for a zone for which they have authority. To keep your internal network structure hidden from the outside world, always configure a split namespace, which basically means that one DNS server holds your internal DNS infrastructure, and another DNS server contains your public or Internet DNS infrastructure. By blocking external users from accessing your internal DNS servers, you can prevent disclosure of non-public internal resources.

Final thoughts

Regardless of whether you run a Windows network or a combination of UNIX and Windows boxes, DNS security should be at the heart of your network. Take steps to protect DNS from both public and internal attacks—your Internet-browsing users will thank you.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.