10.8 Securing Your Name Server
Compared to a modern BIND name server, the Microsoft DNS Server is short on security features, but you do have some options. In this section, we discuss how to prevent unauthorized zone transfers from your servers and how to "lock down" a name server directly connected to the Internet.
10.8.1 Preventing Unauthorized Zone Transfers
It's important to ensure that only your real slave name servers can transfer zones from your primary master name server. Users on remote hosts that can query your name server's zone data can look up data (for example, addresses) only for hosts whose domain names they already know, one at a time. Users who can start zone transfers from your server can list all the hosts in your zones. It's the difference between letting random folks call your company's switchboard and ask for John Q. Cubicle's phone number and sending them a copy of your corporate phone directory.
You control which name servers can perform a zone transfer with settings on the Zone Transfers tab of the zone properties window (see Figure 10-3 earlier in this chapter). You can allow any host to perform zone transfers, or only those name servers listed in the zone's NS records, or only a specific set of name servers you list by IP address.
For a primary master name server accessible from the Internet, you definitely want to limit zone transfers to just your slave name servers. You probably don't need to restrict zone transfers on name servers inside your firewall, unless you're worried about your own employees listing your zone data.
10.8.2 Delegated Name Server Configuration
Some of your name servers answer nonrecursive queries from other name servers on the Internet because your name servers appear in NS records delegating your zones to them. We'll call these name servers delegated name servers.
You can take special measures to secure your delegated name servers. But first, you should make sure these servers don't receive any recursive queries (i.e., that you don't have any resolvers configured to use these servers and that no name servers use them as forwarders). Some of the precautions we'll take, such as disabling recursive queries, preclude your resolvers from using these servers.
Once you know your name server answers queries only from other name servers, you can turn off recursion. This eliminates a major vector of attack: the most common spoofing attacks involve inducing the target name server to query name servers under the hacker's control by sending the target a recursive query for a domain name in a zone served by the hacker's servers. Disabling recursion is described in Section 10.7 earlier in this chapter. You should also restrict zone transfers of your zones to known slave servers, as described in the previous section.
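The two measures above, restricting zone transfers to known slaves and turning off recursion, can be applied from the command line as well as from the GUI. The following is an added example, not part of the chapter: it uses dnscmd, which ships with Windows Server (in the Support Tools on Windows 2000), and notes the DnsServer PowerShell cmdlet equivalents, which assume Windows Server 2012 or later. The zone name example.com and the slave addresses 192.0.2.2 and 192.0.2.3 are placeholders.

```powershell
# Added example (not from the chapter): lock down a delegated Microsoft DNS Server.
# Assumptions: run on the primary master itself, zone "example.com" is a primary
# zone there, and 192.0.2.2 / 192.0.2.3 are its only legitimate slaves (placeholders).

# 1. Zone transfers: allow only the listed slaves. This is the "IP address list"
#    choice on the Zone Transfers tab. /SecureNs would instead allow only the hosts
#    named in the zone's NS records; /NoXfr refuses all transfers.
dnscmd localhost /ZoneResetSecondaries example.com /SecureList 192.0.2.2 192.0.2.3
# Cmdlet equivalent (Windows Server 2012+):
#   Set-DnsServerPrimaryZone -Name example.com -SecureSecondaries TransferToSecureServers `
#       -SecondaryServers 192.0.2.2,192.0.2.3

# 2. Recursion: a delegated server should answer only for the zones it is
#    authoritative for, so refuse recursive queries outright.
dnscmd localhost /Config /NoRecursion 1
# Cmdlet equivalent: Set-DnsServerRecursion -Enable $false

# 3. Verify the settings took effect. /ZoneInfo shows the zone's "secure secs"
#    policy and its secondary list; /Info reports the server-wide NoRecursion flag.
dnscmd localhost /ZoneInfo example.com
dnscmd localhost /Info NoRecursion
```

Before running step 2, check the server's query traffic (or the client and forwarder configuration of your other hosts) to confirm nothing still sends it recursive queries; once NoRecursion is set, such clients get only referrals or failures for names outside the server's own zones.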
10.8.3 Load Sharing Between Mirrored Servers
The Microsoft DNS Server has a feature called round robin (named after the equivalent feature in the BIND name server): the server rotates address records for the same domain name between responses. For example, if the domain name foo.bar.baz has three address records for IP addresses 18.104.22.168, 22.214.171.124, and 126.96.36.199, the round-robin feature causes the name server to give them out first in the order:
18.104.22.168 22.214.171.124 126.96.36.199
then in the order:
22.214.171.124 126.96.36.199 18.104.22.168
and then in the order:
126.96.36.199 18.104.22.168 22.214.171.124
before starting over again with the first order and repeating the rotation ad infinitum.
This functionality is enormously useful if you have a number of equivalent network resources, such as mirrored FTP servers, web servers, or terminal servers, and you'd like to spread the load among them. You establish one domain name that refers to the group of resources and configure clients to access that domain name, and the name server inverse-multiplexes the accesses between the IP addresses you list.
It's a good idea to reduce the records' TTLs, too. This ensures that, if the addresses are cached on an intermediate name server that doesn't support round robin, they'll time out of the cache quickly. If the intermediate name server looks up the name again, your authoritative name server can round-robin the addresses again.
Note that this is really load sharing, not load balancing: the name server gives out the addresses in a completely deterministic way, without regard to the actual load or capacity of the servers servicing the requests. In our example, the server at address 18.104.22.168 could be a 486DX33 running Linux and the other two servers could be HP9000 K420s, and the Linux box would still get a third of the queries.
Note that round robin is disabled by default in favor of name server address sorting. See the end of Section 10.4 for instructions on how to disable name server address sorting and enable round robin.
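Putting the round-robin and TTL advice together, here is an added example (not from the chapter) that enables round robin, disables address sorting, publishes the three addresses from the example above with a short TTL, and then queries the server to watch the rotation. It assumes dnscmd is available on the server, that bar.baz is a primary zone hosted there, and that nslookup is present on the machine you test from; the 300-second TTL is an assumed value.

```powershell
# Added example (not from the chapter): set up DNS round robin for mirrored servers.
# Assumptions: run on the authoritative server, "bar.baz" is a primary zone there,
# and the three addresses are the chapter's example hosts for foo.bar.baz.

# 1. Server-wide switches. Address sorting (LocalNetPriority) takes precedence over
#    round robin on the Microsoft DNS Server, so it must be turned off for rotation
#    to be visible to clients.
dnscmd localhost /Config /RoundRobin 1
dnscmd localhost /Config /LocalNetPriority 0

# 2. The record set. The optional TTL (here 300 s, an assumed value) goes between the
#    node name and the record type. A short TTL means an intermediate cache that does
#    not rotate will drop the set soon and re-query this server, which rotates again.
dnscmd localhost /RecordAdd bar.baz foo 300 A 18.104.22.168
dnscmd localhost /RecordAdd bar.baz foo 300 A 22.214.171.124
dnscmd localhost /RecordAdd bar.baz foo 300 A 126.96.36.199

# 3. Observe the rotation. nslookup talks to the server directly rather than the
#    local client cache, so three consecutive queries should each list the three
#    addresses starting from a different one.
1..3 | ForEach-Object { nslookup -type=A foo.bar.baz localhost }
```

If every query comes back in the same order, check the two /Config settings first; the record set being served through a caching resolver that ignores rotation is the other usual cause, and only the short TTL limits how long such a cache pins one order.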