Checklist: Securing your DNS infrastructure

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Step Reference

To prevent anyone outside of your company from obtaining internal network information, use separate DNS servers for internal and Internet name resolution. Your internal DNS namespace should be hosted on DNS servers behind the firewall for your network. Your external, Internet DNS presence should be managed by a DNS server in a perimeter network (also known as a DMZ, demilitarized zone, or screened subnet). To provide Internet name resolution for internal hosts, you can have your internal DNS servers use a forwarder to send external queries to your external DNS server.

Using forwarders; "Windows Server 2003 DNS" at the Microsoft Windows Resource Kits Web site

To prevent anyone outside of your company from obtaining information about your internal DNS namespace, configure your external router and firewall to only allow DNS traffic between your internal and external DNS servers.

For the DNS servers in your network that are exposed to the Internet, restrict DNS zone transfers to either DNS servers identified in the zone by name server (NS) resource records or to specific DNS servers in your network.


  • If you are using Microsoft Internet Security and Acceleration (ISA) Server, then you may use block filters to define the traffic allowed through the ISA Server.

Modify zone transfer settings; Microsoft Internet Security and Acceleration (ISA) Server Web site

If the server running the DNS Server service is a multihomed computer, then restrict the DNS Server service to only listen on the interface IP address used by its DNS clients and internal servers. For example, a server acting as a proxy server may have two network interface cards, one for the intranet and one for the Internet. If that server is also running the DNS Server service, you can configure the service to only listen for DNS traffic on the IP address used by the intranet network interface card.

Restrict a DNS server to listen only on selected addresses

If the server running the DNS Server service is a domain controller, then use Active Directory access control lists (ACLs) to control access to the DNS Server service.

Modify security for the DNS Server service on a domain controller; Best practices for assigning permissions on Active Directory objects; Best practices for permissions and user rights; Understanding Groups

Use Active Directory-integrated DNS zones. DNS zones stored in Active Directory can take advantage of Active Directory security features, such as secure dynamic update and the ability to apply Active Directory security settings to DNS servers, zones, and resource records.

Change the zone type; Active Directory integration; Allow only secure dynamic updates; Modify security for a directory-integrated zone; Modify security for a resource record

If a DNS zone is not stored in Active Directory, then secure the DNS zone file by modifying permissions on the DNS zone file or on the folder where the zone files are stored. The zone file or folder permissions should be configured to only allow Full Control to the System group. By default, zone files are stored in the systemroot\System32\Dns folder.

Set, view, change, or remove permissions on files and folders

Secure the DNS registry keys. The DNS registry keys can be found in the following registry location:


Add users or groups to the Permissions list

Disable recursion on DNS servers that do not respond to DNS clients directly and are not configured with forwarders. A DNS server only requires recursion if it responds to recursive queries from DNS clients or is configured with a forwarder. DNS servers use iterative queries to communicate with each other.

Disable recursion on the DNS server
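
One way to confirm the recursion setting from a client's side, as an added example that is not part of the original checklist: it sends a query with the Recursion Desired bit set and reads the Recursion Available bit in the reply header. The function names, the query ID and the sample packets are assumptions constructed for illustration; `probe()` is meant for a DNS server you administer.

```python
import socket
import struct

RD, RA = 0x0100, 0x0080  # header flag bits (RFC 1035, section 4.1.1)

def build_query(name, qid=0x1234, qtype=1):
    """Encode a recursive (RD=1) question for `name`, type A by default."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def recursion_status(response, qid=0x1234):
    """Classify a reply to build_query() from its 12-byte header alone."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != qid or not flags & 0x8000:  # wrong ID or QR bit clear
        raise ValueError("not a response to our query")
    if flags & RA:
        return "recursion-available"  # server will recurse for this client
    if flags & 0x000F == 5:           # RCODE 5 = REFUSED
        return "refused"
    return "no-recursion"             # RA clear: referral or authoritative data only

def probe(server, name, timeout=3.0):
    """Send one UDP query to `server` and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    return recursion_status(data)

# Constructed reply headers standing in for captured traffic.
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)      # QR RD RA, one answer
SAMPLE_CLOSED = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 13, 0)   # QR RD, referral only
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)   # QR RD, RCODE 5

if __name__ == "__main__":
    for label, pkt in (("open", SAMPLE_OPEN), ("closed", SAMPLE_CLOSED),
                       ("refused", SAMPLE_REFUSED)):
        print(label, "->", recursion_status(pkt))
```

A server that must answer recursive queries from internal clients or that uses a forwarder is expected to report `recursion-available`; the other two results are what the step above aims for on servers that need neither.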

Secure the caches of all DNS servers against names pollution.

Secure server cache against names pollution

If you have a private internal DNS namespace, then configure the root hints on your internal DNS servers to only point to the DNS servers hosting your internal root domain and not the DNS servers hosting the Internet root domain.

Update root hints on the DNS server; Updating root hints