Securing a Zone
Updated: May 9, 2008
Applies To: Windows Server 2008
You can enhance the security of your Domain Name System (DNS) infrastructure by taking steps to secure the zones that your DNS servers host.
Zones can be compromised in one of two ways:
By unauthorized changes to the zone
By unauthorized access to zone data
Unauthorized changes to the zone can occur as a result of dynamic updates to the zone that an attacker might perform. You can help prevent this type of attack by ensuring that only secure dynamic updates can be performed.
Unauthorized access to zone data can occur when an attacker sets up a secondary server that can receive zone transfers from an improperly configured, primary DNS server. You can help prevent this type of attack by configuring zones to be transferred only to authorized DNS servers.
Finally, for zones that are stored in Active Directory Domain Services (AD DS), you can configure the access control list (ACL) to prevent the zone from being modified or accessed by unauthorized users.
To complete this task, you can perform the following procedures: