Whether it’s configurations within Microsoft DNS service that can be used to make a server more secure, or additional operating system and network environment configurations, there are small measures you can take to help offer greater security for your clients. Here’s a look at some easy DNS-related tips to tighten your client’s security.
Second of two parts
This is the second of two articles that discuss small steps consultants can take to improve security for their clients. The first article in this series discussed quick fixes to secure Windows 2000 DNS services.
Environmental configuration for DNS
DNS servers that manage Active Directory-integrated domains have similar security requirements to domain controllers. Options for securing these are as follows:
- Place the DNS server behind a firewall. Do not run a DNS server with Active Directory services on the Internet.
- If you require communication between your network and the Internet (or external WANs), place a DNS server (not managing Active Directory-integrated domains) that will communicate with your network and the Internet outside your firewall.
Some of you will choose to use your Internet service provider’s DNS servers for this purpose. Place a second DNS server—which can manage Active Directory-integrated domains—inside your firewall. This second DNS server will forward requests to the DNS server outside the firewall for DNS requests.
- Configure Active Directory-integrated domains to use private domain names (for example, techrepublic.local or techrepublic.pbs) or any first-level domain (for example,.local, .trm, .pgf) that isn’t recognized by the public Internet. If you choose this option, you won’t be able to forward DNS requests to DNS servers on the Internet. You can get around this by using a proxy server for clients to send DNS requests over the Internet.
Caution: Consider this carefully. If this is your first domain in the first Active Directory forest, you cannot rename without re-creating your Active Directory structure.
- Use private IP addresses (for example, 10.0.x.x or 192.168.x.x) instead of public IP addresses that are recognized over the Internet. Note: This won’t necessarily help you if you allow traffic to come through your firewall. If an individual gets access to a system on the network from the outside, that person may still be able to locate the DNS servers on the network.
Minimizing DOS attacks
Several registry settings can be used to minimize the likelihood of denial of service (DoS) attacks on a DNS server (or any server, actually). I recommend that, before you attempt to make any changes to the registry on a production system, you test these settings on a non-production server and back up the registry from the production server.
All registry key settings will be configured under this key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. Table A outlines the settings you can use.
Accessing the registry
To access the registry, complete the following steps:
- Access the Start menu and choose Run.
- Type REGEDIT.
- Navigate to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
- Create a new value setting (see Table A) by selecting Edit Menu | New | DWORD.
- Type the name of the value in the selected item in the right panel.
- Double-click the name of the value.
- Type the value.
- Click the OK button.
- Repeat steps 4 through 8 for each value name you want to set.