Securing a Zone

Applies To: Windows Server 2008

You can enhance the security of your Domain Name System (DNS) infrastructure by taking steps to secure the zones that your DNS servers host.

Zones can be compromised in one of two ways:

  • By unauthorized changes to the zone

  • By unauthorized access to zone data

Unauthorized changes to the zone can occur as a result of dynamic updates to the zone that an attacker might perform. You can help prevent this type of attack by ensuring that only secure dynamic updates can be performed.

Unauthorized access to zone data can occur when an attacker sets up a secondary server that can receive zone transfers from an improperly configured primary DNS server. You can help prevent this type of attack by configuring zones to be transferred only to authorized DNS servers.

Finally, for zones that are stored in Active Directory Domain Services (AD DS), you can configure the access control list (ACL) to prevent the zone from being modified or accessed by unauthorized users.
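The first two measures above (secure-only dynamic updates and restricted zone transfers) can be applied from the command line with dnscmd. The following is an added example, not part of the original page; the zone name and secondary server addresses are constructed placeholders, and the commands are assumed to run on the DNS server itself with administrative rights.

```powershell
# Added example. Zone name and addresses below are constructed placeholders.
$Zone        = 'corp.example.com'
$Secondaries = @('192.0.2.10', '192.0.2.11')   # authorized secondary DNS servers

# Secure dynamic updates are available only for zones stored in AD DS,
# so display the storage type first and confirm it before continuing.
dnscmd /ZoneInfo $Zone DsIntegrated

# Dynamic update setting:
#   0 = no dynamic updates
#   1 = nonsecure and secure updates (weak: any client can change records)
#   2 = secure updates only
dnscmd /Config $Zone /AllowUpdate 2

# Zone transfer setting:
#   /NonSecure  = transfer to any server that asks (weak: exposes zone data)
#   /SecureNs   = transfer only to servers listed in the zone's NS records
#   /SecureList = transfer only to the listed IP addresses
#   /NoXfr      = no zone transfers at all
# /NotifyList limits change notifications to the same servers.
# PowerShell expands each array element into a separate argument.
dnscmd /ZoneResetSecondaries $Zone /SecureList $Secondaries /NotifyList $Secondaries

# Review the resulting settings.
dnscmd /ZoneInfo $Zone AllowUpdate
dnscmd /ZoneInfo $Zone
```

If no secondary servers exist for the zone, /NoXfr is the tighter choice than an empty or broad list.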

To complete this task, you can perform the following procedures: