Chapter 15
Implementing Security for DNS Servers
A Domain Name System (DNS) server provides resolution of DNS names to Internet Protocol (IP) addresses and resolution of IP addresses to DNS names. The Active Directory directory service depends on DNS and uses DNS as its default name resolution service: clients locate domain controllers through DNS, so a compromised or misconfigured DNS server can redirect them. The Microsoft Windows 2000 DNS service provides new features that ease administration and configuration of DNS. The features introduced since the DNS service of Microsoft Windows NT 4.0 include the following:
A Windows 2000 DNS server can accept dynamic updates from DNS clients that support the dynamic update protocol described in RFC 2136, Dynamic Updates in the Domain Name System (DNS UPDATE). Without further restriction, any host that can reach the server can add, change, or delete records in a zone that allows dynamic updates.
To protect the DNS server against unauthorized updates, Windows 2000 can enforce DNS client authentication for updates. DNS clients must authenticate with the Windows 2000 DNS server by using the Generic Security Service Application Program Interface (GSS-API), as described in the RFC draft GSS Algorithm for TSIG (GSS-TSIG), later published as RFC 3645. Secure dynamic update is available only for Active Directory-integrated zones; for such a zone, set the Allow dynamic updates option in the DNS console to Only secure updates (or run dnscmd <server> /Config <zone> /AllowUpdate 2), because the Yes setting accepts unauthenticated updates as well.
The zone data of an Active Directory-integrated zone can be protected because it is stored in Active Directory: each DNS name in the zone is an individual Active Directory object (a dnsNode object), and all resource records for that name are held in that object's dnsRecord attribute. Each dnsNode object has its own discretionary access control list (DACL) that determines which security principals can modify the resource records for that name. When a client registers a name through secure dynamic update, it becomes the owner of the object, so other clients cannot overwrite the name. Zone data in standard primary zones is kept in a text file and has no per-record access control.
Windows 2000 advertises its Active Directory services in DNS by using SRV resource records. SRV resource records identify the host name and port of the servers that host Active Directory services so that a DNS client can connect to the required Active Directory service. The Net Logon service on each domain controller registers these records at startup and also writes them to %SystemRoot%\system32\config\netlogon.dns, which is useful both for troubleshooting and for registering them manually on a DNS server that does not accept dynamic updates. This is the format of the SRV resource record, as it appears in a zone file:
_ldap._tcp.example.com. 600 SRV 0 100 389 dc1.example.com.
The following components are defined in an SRV resource record:
_ldap._tcp.example.com Refers to the advertised service (_ldap), the transport protocol (_tcp), and the domain (example.com). The leading underscores keep the service and protocol labels from colliding with ordinary host names. In this case, the Lightweight Directory Access Protocol (LDAP) service resolves LDAP queries for the example.com domain.
600 Refers to the Time to Live (TTL), which is the amount of time, in seconds, that the SRV resource record may be cached by a DNS server or by a DNS client in its resolver cache before it must be requested again.
SRV Indicates that the resource record is a service resource record that specifies the location of a network service.
0 100 Refers to the priority and weight, which allow you to configure preferences for one SRV resource record over another SRV resource record for the same service. A client tries the records with the lowest priority value first; among records of equal priority, it chooses in proportion to their weights, so a weight of 0 marks a server that should be used only when no other is available.
389 References the port upon which the service is listening. In this case, the LDAP service listens on Transmission Control Protocol (TCP) port 389.
dc1.example.com. The network host where the LDAP service resides. The target is written fully qualified (with a trailing period) in a zone file and must itself have an A resource record; the SRV record locates the service but does not supply the IP address.
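The following parser and client-side selection routine is an added example, not code from the chapter or from Windows 2000. It parses SRV records in the zone-file form shown above and orders the targets the way an SRV-aware client does according to RFC 2782 (lowest priority first, then weighted random choice within a priority). The sample zone lines are constructed for the example; the record class (IN) is accepted but optional, as in the chapter's own example.

```python
"""Parse zone-file style SRV records and order targets per RFC 2782.

Added example; the zone fragment below is constructed, not a real zone.
"""
import random
from dataclasses import dataclass
from typing import List, Sequence

# Constructed sample: two equally preferred domain controllers and a
# last-resort one (priority 10, weight 0), all for _ldap._tcp.example.com.
SAMPLE_ZONE = """
; constructed sample zone fragment (not from a real zone)
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc2.example.com.
_ldap._tcp.example.com. 600 IN SRV 10 0 389 dc3.example.com.
"""


@dataclass(frozen=True)
class SrvRecord:
    name: str       # owner name, e.g. _ldap._tcp.example.com
    ttl: int        # seconds the record may be cached
    priority: int   # lower value is tried first
    weight: int     # relative share among records of the same priority
    port: int       # port the service listens on
    target: str     # host offering the service; needs its own A record


def parse_srv(line: str) -> SrvRecord:
    """Parse one SRV record line; the IN class field may be omitted."""
    fields = line.split()
    if len(fields) > 2 and fields[2].upper() == "IN":
        del fields[2]
    if len(fields) != 7 or fields[2].upper() != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    name, ttl, _, priority, weight, port, target = fields
    labels = name.rstrip(".").split(".")
    # The owner name must be _service._proto.domain; reject anything else so a
    # stray host record is never mistaken for a service advertisement.
    if len(labels) < 3 or not (labels[0].startswith("_") and labels[1].startswith("_")):
        raise ValueError(f"owner name must be _service._proto.domain: {name!r}")
    rec = SrvRecord(name.rstrip("."), int(ttl), int(priority), int(weight),
                    int(port), target.rstrip("."))
    if not (0 <= rec.priority <= 65535 and 0 <= rec.weight <= 65535
            and 1 <= rec.port <= 65535):
        raise ValueError(f"field out of range: {line!r}")
    return rec


def load_zone(text: str) -> List[SrvRecord]:
    """Parse every non-blank, non-comment line of a zone fragment."""
    return [parse_srv(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith(";")]


def order_targets(records: Sequence[SrvRecord], rng=random) -> List[SrvRecord]:
    """Return records in the order a client should try them (RFC 2782).

    rng needs only a randint(a, b) method; the module-level random is the
    default, and a fixed rng can be injected for reproducible tests.
    """
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        # Zero-weight records go first so they are chosen only when the draw is 0.
        pool = sorted((r for r in records if r.priority == prio),
                      key=lambda r: r.weight != 0)
        while pool:
            total = sum(r.weight for r in pool)
            draw = rng.randint(0, total)
            running = 0
            for i, r in enumerate(pool):
                running += r.weight
                if running >= draw:           # first running sum >= draw wins
                    ordered.append(pool.pop(i))
                    break
    return ordered


if __name__ == "__main__":
    for rec in order_targets(load_zone(SAMPLE_ZONE)):
        print(f"{rec.target}:{rec.port} (priority {rec.priority}, weight {rec.weight})")
```

To compare this with what a domain controller actually registered, query the zone from a client with nslookup -querytype=SRV _ldap._tcp.example.com, or read %SystemRoot%\system32\config\netlogon.dns on the domain controller; a target that appears in the SRV record but has no A record, or a record whose owner name lacks the underscore labels, is a registration problem rather than a resolution problem.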