Checklist: Implementing a Secure DNS Configuration

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

To reduce the chances of an attacker being able to compromise the integrity of your DNS infrastructure, it is important to ensure that DNS servers are configured with best practices for DNS security. This checklist provides links to important concepts and procedures you can use to implement a secure DNS configuration.
When a reference link takes you to a conceptual topic or to a subordinate checklist, return to this topic after you review the conceptual topic or you complete the tasks in the subordinate checklist so that you can proceed with the remaining tasks in this checklist.

Checklist: Implementing a secure DNS configuration

Task: Determine which DNS security threats are most significant to your environment, and determine the level of security that is required.
References:
  Securing DNS
  Security Information for DNS

Task: For the DNS servers in your network that are exposed to the Internet, if zone transfer must be enabled, restrict DNS zone transfers either to DNS servers identified in the zone by name server (NS) resource records or to specific DNS servers in your network. If zone transfers are not required, disable them.
Reference:
  Restrict Zone Transfers

Task: DNS zones that are stored in Active Directory Domain Services (AD DS) can take advantage of Active Directory security features, such as secure dynamic update and the ability to apply AD DS security settings to DNS servers, zones, and resource records. Take advantage of these features only if the DNS server is already a domain controller.
References:
  Configure AD Integrated Zones
  Configure the Discretionary Access Control List (DACL)
  Allow Only Secure Dynamic Updates

Task: Configure the Global Query Block List if you want to specify resource records that the authoritative DNS server blocks when it receives a DNS query for them.
References:
  Managing the Global Query Block List
  Configure the Global Query Block List

Task: When you configure the socket pool, the DNS server picks a random source port from a pool of sockets that it opens when the service starts. This provides additional protection against cache poisoning attacks.
Reference:
  Configure the Socket Pool

Task: When you configure cache locking, the DNS server does not allow cached resource records to be overwritten. This provides additional protection against cache poisoning attacks.
Reference:
  Configure Cache Locking

Task: If the server running the DNS Server service is a multihomed computer, restrict the DNS Server service to listen only on the interface IP address that is used by its DNS clients and internal servers. For example, a server acting as a proxy server may have two network adapters, one for the intranet and one for the Internet. If that server is also running the DNS Server service, you can configure the service to listen for DNS traffic only on the IP address that the intranet network adapter uses.
Reference:
  Restrict DNS servers to listen only on selected interfaces

Task: If you have a private, internal DNS namespace, configure the root hints on your internal DNS servers to point only to the DNS servers that host your internal root domain, not to the DNS servers that host the Internet root domain.
Reference:
  Configure Internal Root Hints

Task: Disable recursion on all DNS servers that do not require it. A DNS server requires recursion only if it is configured with a forwarder, or if it must resolve domain names for which it is not authoritative or which are not cached.
Reference:
  Disable Recursion on the DNS Server

Task: Ensure that the default server options that secure the caches of all DNS servers against name pollution have not been changed. Name pollution occurs when DNS query responses contain nonauthoritative or malicious data.
Reference:
  Secure the DNS Cache

Task: Configure IPsec policy settings to protect zone transfers between primary and secondary DNS servers.
Reference:
  Secure Zone Transfers with IPsec
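The checklist items above can be audited on a server rather than verified by hand. The PowerShell script below is an added example, not part of this checklist or of Microsoft's tooling: it reads the DNS Server service parameters from the registry and zone settings from the MicrosoftDNS WMI provider and reports which items are not met. It assumes an elevated session on the DNS server itself, that the registry value names match those written by dnscmd /Config, that absent values mean the Windows Server 2008 R2 default applies, and that primary and AD-integrated zones report ZoneType 0 or 1.

```powershell
# Added audit script; not part of the original checklist or Microsoft's tooling.
# Reads the DNS Server service parameters and the MicrosoftDNS WMI provider on
# the local Windows Server 2008 R2 host and reports checklist items not met.
# Assumptions: elevated session on the DNS server; value names are those that
# dnscmd /Config writes; an absent value means the 2008 R2 default applies.
$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$findings = @()

function Get-Param($name, $default) {
    if ($null -ne $params.$name) { $params.$name } else { $default }
}
function Check($condition, $message) {
    if (-not $condition) { $script:findings += $message }
}

# Socket pool (default 2500 ports) and cache locking (default 100 = locked until TTL expiry).
$pool = Get-Param 'SocketPoolSize' 2500
Check ($pool -ge 2500) "Socket pool size is $pool; expected at least 2500"
$lock = Get-Param 'CacheLockingPercent' 100
Check ($lock -eq 100) "CacheLockingPercent is $lock; expected 100"

# Secure cache against pollution and the global query block list are on by default.
Check ((Get-Param 'SecureResponses' 1) -eq 1) "Secure cache against pollution is disabled"
Check ((Get-Param 'EnableGlobalQueryBlockList' 1) -eq 1) "Global query block list is disabled"

# A multihomed host should carry an explicit listen list instead of binding every interface.
Check ($null -ne $params.ListenAddresses) "DNS Server listens on all interfaces (no ListenAddresses set)"

# Recursion is needed only when a forwarder is configured or external names must be resolved.
$server = Get-WmiObject -Namespace root\MicrosoftDNS -Class MicrosoftDNS_Server
Check ((Get-Param 'NoRecursion' 0) -eq 1 -or $server.Forwarders) "Recursion is enabled but no forwarder is configured; disable it unless this server must resolve external names"

# Zone checks for primary and AD-integrated zones (assumed ZoneType 0 or 1): transfers and updates.
Get-WmiObject -Namespace root\MicrosoftDNS -Class MicrosoftDNS_Zone |
    Where-Object { $_.ZoneType -le 1 } | ForEach-Object {
        # SecureSecondaries: 0 = any server, 1 = NS records only, 2 = listed servers, 3 = none
        Check ($_.SecureSecondaries -ge 1) "Zone $($_.Name) allows zone transfer to any server"
        # AllowUpdate: 0 = none, 1 = nonsecure and secure, 2 = secure only
        Check ($_.AllowUpdate -ne 1) "Zone $($_.Name) accepts nonsecure dynamic updates"
        Check ($_.DsIntegrated -or $_.AllowUpdate -eq 0) "Zone $($_.Name) is file-backed; secure dynamic update needs AD integration"
    }

if ($findings) { $findings | ForEach-Object { "FAIL: $_" } } else { "PASS: all checklist items met" }
```

Each FAIL line maps to one checklist task; re-run the script after applying the referenced procedure to confirm the change took effect.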

See Also
Planning Your Secure DNS Deployment
Deploying a Secure DNS Configuration
Deploying DNS Security Extensions (DNSSEC)