Securing the Domain Name System (DNS) on a Windows Server 2003 domain is a basic requirement. Active Directory (AD) uses DNS to locate the resources (files, printers, messaging, and so on) that domain controllers and other domain services require. Because DNS is an integral part of the Active Directory domain system, it should be secured from the outset.
When you install DNS on Windows Server 2003, keep the default setting of Active Directory integrated DNS. Microsoft has offered this setting since Windows 2000.
With this setting the system holds DNS data only on the DNS server and does not store or replicate information about the domain controllers and global catalog servers. This not only speeds up operation but also improves the efficiency of all three kinds of server.
Encrypting data transfer between a DNS server and a client (or another server) is also critical. DNS uses TCP and UDP port 53; by filtering that port at the various points of your security perimeter, you can ensure that the DNS server accepts only authenticated connections.
This is also a good time to deploy IPSec to encrypt data transfers between DNS clients and servers. Turn on IPSec so that communication between all clients and servers is authenticated and encrypted. Your clients then communicate only with authenticated servers, which helps prevent spoofed or malicious requests.
After you configure the DNS server, keep monitoring its connections as you would any other high-value target in your enterprise. The DNS server needs its available bandwidth to serve client requests.
If you see a large volume of network traffic from a single source machine directed at a DNS server, you may be under a denial-of-service (DoS) attack. Block the connection from that source, or disconnect the server from the network until you have investigated the problem. Remember that a successful DoS attack on a DNS server can bring Active Directory to a halt.
With the default setting (secure dynamic update), only authenticated clients can register and update their records on the server. This prevents an attacker from modifying your DNS entries to redirect clients to a carefully crafted Web site that steals valuable data such as financial information.
You can also use quotas to keep a client from flooding the DNS server. Clients typically register no more than 10 records. By limiting the number of records a single client can register, you prevent one client from mounting a DoS attack against its own DNS server.
Note: Make sure you use different quotas for DHCP servers, domain controllers, and multihomed servers. Depending on the functionality they provide, these servers may need to register hundreds of records or clients.
A DNS server answers any query for a zone for which it is authoritative. To hide your internal network structure from the outside world, you typically need a separate namespace: one DNS server handles your internal DNS, and another handles external, Internet-facing DNS. By keeping external users from reaching the internal DNS server, you avoid disclosing internal, non-public resources.
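The secure-update and quota settings above, as an added example that is not part of the original article: a cmd.exe batch script using the Windows Server 2003 dnscmd and dsadd tools. The server name, zone name, partition DN, quota names and account DNs are placeholders to adjust for your own domain.

```batch
@echo off
rem Added example (not from the original article): enforce secure-only dynamic
rem updates on an Active Directory integrated zone, then cap how many objects
rem a client can create in the DNS partition. All names below are placeholders.
setlocal
set DNSSERVER=dc01
set ZONE=corp.example.com
set PARTITION=DC=DomainDnsZones,DC=corp,DC=example,DC=com

rem 1. Dynamic updates: 2 = secure only, so only authenticated (Kerberos)
rem    clients can register or change records. 1 would also accept unsigned
rem    updates from anyone, which is what lets an attacker rewrite entries.
dnscmd %DNSSERVER% /Config %ZONE% /AllowUpdate 2
if errorlevel 1 goto fail

rem 2. Verify the zone now reports secure updates only.
dnscmd %DNSSERVER% /ZoneInfo %ZONE% | findstr /i "update"

rem 3. Registration quota: cap an ordinary workstation's computer account at
rem    10 objects in the DNS partition so one client cannot flood the zone.
rem    (Quota name and account DN are constructed examples.)
dsadd quota -part "%PARTITION%" -rdn "Workstation-DNS-Limit" -acct "CN=WKS01,CN=Computers,DC=corp,DC=example,DC=com" -qlimit 10
if errorlevel 1 goto fail

rem 4. Servers that legitimately register many records (DHCP servers,
rem    domain controllers, multihomed hosts) get a separate, larger quota.
dsadd quota -part "%PARTITION%" -rdn "DHCP-DNS-Limit" -acct "CN=DHCP01,CN=Computers,DC=corp,DC=example,DC=com" -qlimit 500
if errorlevel 1 goto fail

echo DNS zone %ZONE% hardened.
endlocal
exit /b 0

:fail
echo Command failed; zone settings were not fully applied. 1>&2
endlocal
exit /b 1
```

Run it once from an elevated command prompt on a domain controller; the findstr line shows the zone's update setting so you can confirm the change before relying on it.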
Finally
Whether you run a pure Windows network or a mix of UNIX and Windows, DNS security should be at the heart of your network. Take steps to protect DNS from both external and internal attacks.