Security Information for DNS

Applies To: Windows Server 2008 R2

Domain Name System (DNS) was originally designed as an open protocol. Therefore, it is vulnerable to attackers. Windows Server 2008 DNS helps improve your ability to prevent an attack on your DNS infrastructure through the addition of security features. Before considering which of the security features to use, you should be aware of the common threats to DNS security and the level of DNS security in your organization.

DNS security threats

The following are the typical ways in which your DNS infrastructure can be threatened by attackers:

  • Footprinting: The process by which DNS zone data is obtained by an attacker to provide the attacker with the DNS domain names, computer names, and IP addresses for sensitive network resources. An attacker commonly begins an attack by using this DNS data to diagram, or "footprint," a network. DNS domain and computer names usually indicate the function or location of a domain or computer to help users remember and identify domains and computers more easily. An attacker takes advantage of the same DNS principle to learn the function or location of domains and computers in the network.

  • Denial-of-service attack: An attempt by an attacker to deny the availability of network services by flooding one or more DNS servers in the network with recursive queries. As a DNS server is flooded with queries, its CPU usage eventually reaches its maximum and the DNS Server service becomes unavailable. Without a fully operating DNS server on the network, network services that use DNS become unavailable to network users.

  • Data modification: An attempt by an attacker (that has footprinted a network using DNS) to use valid IP addresses in IP packets the attacker has created, which gives these packets the appearance of coming from a valid IP address in the network. This is commonly called IP spoofing. With a valid IP address (an IP address within the IP address range of a subnet), the attacker can gain access to the network and destroy data or conduct other attacks.

  • Redirection: An attacker redirecting queries for DNS names to servers under the control of the attacker. One method of redirection involves the attempt to pollute the DNS cache of a DNS server with erroneous DNS data that may direct future queries to servers under the control of the attacker. For example, if a query is originally made for widgets.tailspintoys.com and a referral answer provides a record for a name outside the tailspintoys.com domain, such as malicious-user.com, the DNS server uses the cached data for malicious-user.com to resolve a query for that name. Attackers can accomplish redirection whenever they have writable access to DNS data, for example, when dynamic updates are not secure.

Mitigating DNS security threats

DNS can be configured to mitigate these common DNS security issues. The following table lists five main areas on which to focus your DNS security efforts.

DNS security area Description

DNS namespace

Incorporate DNS security into your DNS namespace design. For more information, see Securing DNS Deployment.

DNS Server service

Review the default DNS Server service security settings and apply Active Directory security features when the DNS Server service is running on a domain controller. For more information, see Securing the DNS Server Service.

DNS zones

Review the default DNS zone security settings and apply secure dynamic updates and Active Directory security features when the DNS zone is hosted on a domain controller. For more information, see Securing DNS zones.

DNS resource records

Review the default DNS resource record security settings and apply Active Directory security features when the DNS resource records are hosted on a domain controller. For more information, see Securing DNS Resource Records.

DNS clients

Control the DNS server IP addresses that DNS clients use. For more information, see Securing DNS Clients.

Three levels of DNS security

The following sections describe the three levels of DNS security.

Low-level security

Low-level security is a standard DNS deployment without any security precautions configured. Deploy this level of DNS security only in network environments where there is no concern for the integrity of your DNS data or in a private network where there is no threat of external connectivity. Low-level DNS security has the following characteristics:

  • The DNS infrastructure of the organization is fully exposed to the Internet.

  • Standard DNS resolution is performed by all DNS servers in the network.

  • All DNS servers are configured with root hints pointing to the root servers for the Internet.

  • All DNS servers permit zone transfers to any server.

  • All DNS servers are configured to listen on all of their IP addresses.

  • Cache pollution prevention is disabled on all DNS servers.

  • Dynamic update is allowed for all DNS zones.

  • User Datagram Protocol (UDP) and TCP/IP port 53 is open on the firewall in the network for both source and destination addresses.

Medium-level security

Medium-level security uses the DNS security features that are available without running DNS servers on domain controllers and storing DNS zones in Active Directory Domain Services ( AD DS). Medium-level DNS security has the following characteristics:

  • The DNS infrastructure of the organization has limited exposure to the Internet.

  • All DNS servers are configured to use forwarders to point to a specific list of internal DNS servers when they cannot resolve names locally.

  • All DNS servers limit zone transfers to servers that are listed in the name server (NS) resource records in their zones.

  • DNS servers are configured to listen on specified IP addresses.

  • Cache pollution prevention is enabled on all DNS servers.

  • Nonsecure dynamic update is not allowed for any DNS zones.

  • Internal DNS servers communicate with external DNS servers through the firewall with a limited list of allowed source and destination addresses.

  • External DNS servers in front of the firewall are configured with root hints that point to the root servers for the Internet.

  • All Internet name resolution is performed using proxy servers and gateways.

High-level security

High-level security uses the same configuration as medium-level security. It also uses the security features that are available when the DNS Server service is running on a domain controller and DNS zones are stored in AD DS. In addition, high-level security completely eliminates DNS communication with the Internet. This is not a typical configuration, but it is recommended whenever Internet connectivity is not required. High-level DNS security has the following characteristics:

  • The DNS infrastructure of the organization has no Internet communication by internal DNS servers.

  • The network uses an internal DNS root and namespace, where all authority for DNS zones is internal.

  • DNS servers that are configured with forwarders use internal DNS server IP addresses only.

  • All DNS servers limit zone transfers to specified IP addresses.

  • DNS servers are configured to listen on specified IP addresses.

  • Cache pollution prevention is enabled on all DNS servers.

  • Internal DNS servers are configured with root hints pointing to the internal DNS servers that host the root zone for the internal namespace.

  • All DNS servers are running on domain controllers. A discretionary access control list (DACL) is configured on the DNS Server service to allow only specific individuals to perform administrative tasks on the DNS server.

  • All DNS zones are stored in AD DS. A DACL is configured to allow only specific individuals to create, delete, or modify DNS zones.

  • DACLs are configured on DNS resource records to allow only specific individuals to create, delete, or modify DNS data.

  • Secure dynamic update is configured for DNS zones, except the top-level and root zones, which do not allow dynamic updates at all.