Best Practices

  • Use Active Directory integrated zones with secure dynamic updates.

    Active Directory integrated zones store every DNS resource record as a dnsNode object in Active Directory. Each dnsNode object is protected against modification by security principals that are not granted permissions in the object's DACL, and with secure dynamic updates only an authenticated client that holds write permission on the record (by default, the principal that registered it) can change it, so one host cannot overwrite another host's name. To host Active Directory integrated zones, the DNS service must be running on a domain controller (Windows 2000 or later). DNS servers installed on member servers or workgroup members cannot host Active Directory integrated zones.

  • Implement DNS cache protection at the DNS servers.

    Enable the Secure Cache Against Pollution option in the properties of every DNS server on the network. With this option set, the server discards any resource record in a response that does not belong to the domain it queried (for example, an additional record for an unrelated domain returned alongside an answer), so an attacker cannot plant fraudulent records in the server's cache by answering a query for a domain the attacker controls.

  • Restrict membership in the DNSAdmins group.

    Members of the DNSAdmins group can modify any DNS resource record hosted on the DNS server and are granted permission to modify the DNS server's configuration. Also restrict the membership of all other groups that have the permissions needed to manage DNS. These include the local Administrators, Enterprise Admins, and Enterprise Domain Controllers groups, as well as the Domain Admins group in the domain where the DNS server's computer account resides.

  • Restrict zone transfers to only authorized DNS servers.

    Prevent unauthorized DNS servers or external clients from obtaining the entire content of a DNS zone, which gives an attacker a map of the network, by restricting zone transfers either to the servers listed on the Name Servers tab of the zone or to the IP addresses explicitly listed on the Zone Transfers tab of the zone's properties.

  • Do not expose any Active Directory related DNS resource records to the Internet.

    Implement separate zones for internal and external resources (a split DNS design). The DNS server hosting the external zone must contain only resource records for externally accessible resources, and the addresses in that zone must be the IP addresses exposed to the Internet, not internal addresses. Active Directory related resource records (the SRV records under _msdcs, _sites, _tcp, and _udp, and the DomainDnsZones and ForestDnsZones entries) must not appear in the externally accessible zone.
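The five practices above can be audited, and most of them enforced, from one script. The following is an added example, not code from the Resource Kit; it assumes Windows Server 2012 or later with the DnsServer and ActiveDirectory PowerShell modules (RSAT) installed, and it treats `contoso.com` as a hypothetical Internet-facing zone and the `MaxDnsAdmins` limit as a hypothetical local policy. Run it without `-Fix` to get a read-only list of findings; with `-Fix` it enables secure-only dynamic updates, restricts transfers to the zone's own name servers, and turns on cache pollution protection, honouring `-WhatIf`.

```powershell
<#
  Audit-DnsHardening.ps1 -- added example, not code from the Resource Kit.
  Assumes Windows Server 2012 or later with the DnsServer and ActiveDirectory
  modules (RSAT). 'contoso.com' and MaxDnsAdmins are hypothetical placeholders.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]   $ComputerName   = $env:COMPUTERNAME,
    [string]   $DnsAdminsGroup = 'DnsAdmins',      # group created when DNS is installed in a domain
    [int]      $MaxDnsAdmins   = 2,                # hypothetical local policy limit
    [string[]] $ExternalZones  = @('contoso.com'), # hypothetical Internet-facing zone(s)
    [switch]   $Fix
)
Import-Module DnsServer
Import-Module ActiveDirectory

$findings = New-Object System.Collections.Generic.List[string]

# Practices 1 and 4: every primary zone AD integrated, secure updates only, transfers restricted.
$zones = Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }
foreach ($z in $zones) {
    if (-not $z.IsDsIntegrated) {
        $findings.Add("Zone $($z.ZoneName): file-backed, not Active Directory integrated")
    } elseif ($z.DynamicUpdate -ne 'Secure') {
        $findings.Add("Zone $($z.ZoneName): dynamic update mode is $($z.DynamicUpdate)")
        if ($Fix -and $PSCmdlet.ShouldProcess($z.ZoneName, 'Set DynamicUpdate=Secure')) {
            Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $z.ZoneName -DynamicUpdate Secure
        }
    }
    if ($z.SecureSecondaries -eq 'TransferAnyServer') {
        $findings.Add("Zone $($z.ZoneName): zone transfers allowed to any server")
        if ($Fix -and $PSCmdlet.ShouldProcess($z.ZoneName, 'Restrict transfers to zone NS records')) {
            Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $z.ZoneName `
                -SecureSecondaries TransferToZoneNameServer
        }
    }
}

# Practice 2: Secure Cache Against Pollution (drops out-of-bailiwick records in responses).
$cache = Get-DnsServerCache -ComputerName $ComputerName
if (-not $cache.EnablePollutionProtection) {
    $findings.Add("Server ${ComputerName}: Secure Cache Against Pollution is disabled")
    if ($Fix -and $PSCmdlet.ShouldProcess($ComputerName, 'Enable cache pollution protection')) {
        Set-DnsServerCache -ComputerName $ComputerName -PollutionProtection $true
    }
}

# Practice 3: DnsAdmins membership (audit only; membership changes go through change control).
$members = @(Get-ADGroupMember -Identity $DnsAdminsGroup -Recursive)
if ($members.Count -gt $MaxDnsAdmins) {
    $names = ($members | ForEach-Object { $_.SamAccountName }) -join ', '
    $findings.Add("Group ${DnsAdminsGroup}: $($members.Count) members ($names)")
}

# Practice 5: no Active Directory records and no private addresses in Internet-facing zones.
$adLabel = '(^|\.)(_msdcs|_sites|_ldap|_kerberos|_kpasswd|_gc|DomainDnsZones|ForestDnsZones)(\.|$)'
$rfc1918 = '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
foreach ($ext in $ExternalZones) {
    if (-not (Get-DnsServerZone -ComputerName $ComputerName -Name $ext -ErrorAction SilentlyContinue)) { continue }
    foreach ($r in Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $ext) {
        if ($r.HostName -match $adLabel) {
            $findings.Add("Zone ${ext}: AD-related record $($r.HostName) ($($r.RecordType)) is exposed")
        }
        if ($r.RecordType -eq 'A' -and $r.RecordData.IPv4Address.IPAddressToString -match $rfc1918) {
            $findings.Add("Zone ${ext}: $($r.HostName) resolves to private address $($r.RecordData.IPv4Address)")
        }
    }
}

if ($findings.Count -eq 0) { Write-Output "No findings on $ComputerName" }
else { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
```

On the Windows 2000 and Windows Server 2003 servers the book targets, the same settings are reached with dnscmd rather than the DnsServer module: `dnscmd /Config /SecureResponses 1` enables cache pollution protection, `dnscmd /Config <zone> /AllowUpdate 2` restricts an Active Directory integrated zone to secure updates, and `dnscmd /ZoneResetSecondaries <zone> /SecureNs` limits transfers to the servers in the zone's NS records. Membership changes to DnsAdmins are deliberately left as a finding rather than an automatic fix, because a DNS administrator can alter how every host in the domain is resolved, and removals should be reviewed, not scripted.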



Microsoft Windows Security Resource Kit
ISBN: 0735621748
Year: 2003
Pages: 189