Securing DNS deployment

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

When designing your DNS server deployment, use the following DNS security guidelines:

If your network hosts are not required to resolve names on the Internet, eliminate DNS communication with the Internet. In this DNS design, you can use a private DNS namespace that is hosted entirely in your network. The private DNS namespace is distributed just as the Internet DNS namespace, with your internal DNS servers hosting zones for the root domain and top-level domains.
Split the DNS namespace for your organization between internal DNS servers behind the firewall and external DNS servers in front of the firewall. In this DNS design, your internal DNS namespace is a subdomain of your external DNS namespace. For example, if the Internet DNS namespace for your organization is adatum.com, then the internal DNS namespace for your network is corp.adatum.com.
Host your internal DNS namespace on internal DNS servers and host your external DNS namespace on external DNS servers exposed to the Internet. To resolves queries for external names made by internal hosts, the internal DNS servers forward queries for external names to the external DNS servers. External hosts use only the external DNS servers for Internet name resolution.
Configure your packet-filtering firewall to only allow UDP and TCP port 53 communication between your external DNS server and a single internal DNS server. This will facilitate communication between internal and external DNS servers and prevent any other external computer from gaining access to your internal DNS namespace.

Additional resources