
It's Easy to Secure Windows 2000 Servers: Part 5
By Laura Taylor
July 13, 2005

In the earlier installments of this series, you learned how to use Microsoft's Management Console (MMC) to automatically configure and enforce security policies by creating security templates and how to install them on multiple servers. In this part, I'm going to teach you what settings to configure in order to secure a Windows 2000 DNS server.

Getting Started on DNS Security

DNS stands for Domain Name Service. It is a distributed Internet directory service that translates domain names to IP addresses. Without DNS, your browser would not be able to find Web sites and you would not be able to send or receive e-mail. An alternative to using DNS is DHCP (Dynamic Host Configuration Protocol).

If you use DNS, you don't need to use DHCP and vice versa. It's best not to run more services than necessary on your DNS server: the more services you run, the more you expose the server to possible vulnerabilities. Therefore, the security settings I am going to recommend cover only the minimal set of services required to run and secure DNS. These recommendations are for a DNS server, so the settings will explicitly disable the DNS Client and DHCP Client services.

Before you apply the DNS specific security settings, you should apply the general security settings that you applied on your basic Windows 2000 server; these are the settings that you learned how to apply in Parts 1, 2, and 3 of this series.

While the goal is to secure DNS, you also want to harden the Windows 2000 operating system in a general way, just as you would for any Windows 2000 server. Perform the general operating system hardening configurations first. For example, you'll need to add members to the Administrators group according to which administrators are allowed to configure the DNS server. After you apply the general Windows 2000 operating system hardening settings that you have already learned, it is time to apply the DNS specific security settings.

Applying DNS Configuration Settings

As with all security templates, you're going to want to start by using the Microsoft Management Console (MMC) to create a security template. Load the Security Templates snap-in as you learned in Part 1.

Once you have the snap-in loaded, select the secure basic server (basicsv.inf) template that you have already configured. You are then going to save it into a new file called SECUREDNS.inf as illustrated below. By using your original basic server template and then modifying it, you will have all the original Windows 2000 security settings to start with.

Loading the SECUREDNS security template.

Once you have saved your SECUREDNS.inf file, you can expand it to see the subcategories as illustrated below.

Expanding the Subcategories in your SECUREDNS Template

The three sub-categories that you will need to configure in order to secure DNS are System Services, Registry, and Filesystem. Select the System Services configuration category as illustrated below. The services should be secured for both the Administrators group and SYSTEM. Follow the methodology we covered in Part 3 to access the System Services configuration settings for Administrators and SYSTEM.

Configuring security for DNS services.

The Service security settings that you will want to configure are listed in the following table:

Service Name    Setting      Permissions
DHCP Client     Disabled     Full Control
DNS Client      Disabled     Full Control
DNS Server      Automatic    Full Control

Next it's time to configure Registry security. You need to secure the Registry in order to prevent unauthorized users from changing the location of the DNS zone files. To secure the DNS registry, select the Registry configuration category as illustrated below.

Configuring the security for the DNS Registry.

Similar to how you configured the System Services settings, you'll want to make sure that these settings are applied to the Administrators and SYSTEM groups. There is only one setting needed to secure the DNS registry, and it is listed in the following table:

Registry Key                                      Setting    Permissions
MACHINE\SYSTEM\CurrentControlSet\Services\DNS     Replace    Full Control

Lastly, you need to secure the filesystem that contains the DNS files. To do this, select the Filesystem category as illustrated below.

Apply the security settings listed in the following table to the Administrators group:

Object Name                        Setting    Permissions
%SystemDirectory%\ipconfig.exe     Replace    Administrators: Full Control
                                              SYSTEM: Full Control
%SystemDirectory%\dns              Replace    Administrators: Full Control (for subfolders and files only)
                                              SYSTEM: Full Control

Your DNS server security settings are now configured. You now need to reboot the server.
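The Security Templates snap-in writes the three tables above into SECUREDNS.inf as plain text, so the template can be checked before it is applied to a server. The following Python script is an added example and not part of this article. It embeds a constructed excerpt of what SECUREDNS.inf is expected to contain: the service short names Dhcp, Dnscache and DNS are Windows' own names for DHCP Client, DNS Client and DNS Server, while the SDDL strings and the assumption that a second field of 2 in the Registry Keys and File Security sections means Replace are mine and should be compared against the file the snap-in actually saves. It reports every entry that does not match the tables, and flags any ACE that grants access to a trustee other than Administrators or SYSTEM.

```python
"""Parse a Windows 2000 security template (.inf) and verify the DNS hardening
entries from the three tables in this article before the template is applied."""
import csv
import re

# Startup codes used in the [Service General Setting] section.
STARTUP = {2: "Automatic", 3: "Manual", 4: "Disabled"}
# Second field of [Registry Keys] / [File Security] rows. Assumed meaning
# (compare against a template saved from the MMC snap-in): 2 = Replace.
REPLACE = 2

# Constructed excerpt of what SECUREDNS.inf is expected to contain. Dhcp,
# Dnscache and DNS are the real service short names; the SDDL strings are
# hand-written (BA = Builtin Administrators, SY = Local SYSTEM) and should be
# checked against your own file.
SAMPLE_TEMPLATE = r'''
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
"Dhcp",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
"Dnscache",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
"DNS",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
[Registry Keys]
"MACHINE\SYSTEM\CurrentControlSet\Services\DNS",2,"D:PAR(A;CI;KA;;;BA)(A;CI;KA;;;SY)"
[File Security]
"%SystemDirectory%\ipconfig.exe",2,"D:PAR(A;;FA;;;BA)(A;;FA;;;SY)"
"%SystemDirectory%\dns",2,"D:PAR(A;OICIIO;FA;;;BA)(A;OICI;FA;;;SY)"
'''

# The article's three tables, expressed as the rows we expect to find.
EXPECTED_SERVICES = {"Dhcp": 4, "Dnscache": 4, "DNS": 2}
EXPECTED_REGISTRY = [r"MACHINE\SYSTEM\CurrentControlSet\Services\DNS"]
EXPECTED_FILES = [r"%SystemDirectory%\ipconfig.exe", r"%SystemDirectory%\dns"]
ALLOWED_TRUSTEES = {"BA", "SY"}


def parse_template(text):
    """Return {section: [row, ...]}; each row is the list of comma-separated fields."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(next(csv.reader([line])))
    return sections


def ace_trustees(sddl):
    """Return the trustee (last ';'-separated field) of every ACE in a DACL string."""
    return [ace.split(";")[-1] for ace in re.findall(r"\(([^)]*)\)", sddl)]


def check_template(text):
    """Return a list of problems; an empty list means the template matches the tables."""
    tpl = parse_template(text)
    problems = []
    services = {row[0]: row for row in tpl.get("Service General Setting", [])}
    for name, want in EXPECTED_SERVICES.items():
        row = services.get(name)
        if row is None:
            problems.append(f"service {name}: no entry")
        elif int(row[1]) != want:
            found = STARTUP.get(int(row[1]), row[1])
            problems.append(f"service {name}: startup is {found}, expected {STARTUP[want]}")
    for section, expected in (("Registry Keys", EXPECTED_REGISTRY),
                              ("File Security", EXPECTED_FILES)):
        rows = {row[0]: row for row in tpl.get(section, [])}
        for path in expected:
            row = rows.get(path)
            if row is None:
                problems.append(f"{section}: {path} missing")
            elif int(row[1]) != REPLACE:
                problems.append(f"{section}: {path} not set to Replace")
    # Every ACE in the three sections must name only Administrators or SYSTEM.
    for section in ("Service General Setting", "Registry Keys", "File Security"):
        for row in tpl.get(section, []):
            extra = set(ace_trustees(row[2])) - ALLOWED_TRUSTEES
            if extra:
                problems.append(f"{section}: {row[0]} grants access to {sorted(extra)}")
    return problems


if __name__ == "__main__":
    for line in check_template(SAMPLE_TEMPLATE) or ["template matches the article"]:
        print(line)
```

Run it against the real file with `check_template(open(path).read())`. The trustee check is the part worth keeping: a template that was edited by hand to grant Users or Everyone access to the DNS registry key or the %SystemDirectory%\dns folder still "applies" without error, and this is the only place you would notice before the server reboots with the weaker permissions.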

Post Configuration Tasks and Best Practices

After the DNS server comes back up, you need to force expired cached records to be removed from the cache. To do so, enable Scavenging of Stale Resource Records from the Start menu as follows:

Click Start --> Administrative Tools --> DNS

Right-click the DNS server name and select Set Aging/Scavenging for All Zones.

To reduce the risk of information leakage, it is recommended that internal addresses (those that provide name resolution for local machines) and external addresses (those that provide name resolution for external systems) be separated. Since a Zone Transfer copies all of the DNS records for a particular zone from one DNS server to another, it is recommended that the forward lookup zones not be transferred outside the Windows 2000 domain.

To ensure that look-up zones are not transferred outside the domain, from the Start menu:

Click Start --> Administrative Tools --> DNS

Right-click the appropriate zone and select Properties. On the Zone Transfers tab, you will be prompted to select from the following choices:

Allow Zone Transfers

  • To any server
  • Only to servers listed on the Name Servers tab
  • Only to the following servers

Uncheck the box that says Allow Zone Transfers. If you uncheck this box, your DNS server will still be able to receive zone transfers from other DNS servers, and client systems will still be able to send queries to and receive answers from your DNS server. If you don't want to be quite as restrictive, and you only have one domain, you should check the box to Allow Zone Transfers and then select the radio button to allow zone transfers only to the servers listed on the Name Servers tab. By doing this, zone transfers will be enabled only within your domain.

Never select the first radio button to Allow Zone Transfers to any server.

Testing Your DNS Security Settings

To ensure that domain names are properly being resolved to IP addresses, you should perform some testing. Perform the tests from a client system on your network. Log in as an administrator on the client system.

Click Start --> Run --> cmd.exe --> OK to open a command shell window.

Ping another system on your network to ensure that the domain name is resolved to an IP address. Run the following command in the command shell window:

ping.exe <HOSTNAME>

where the hostname is that of some other system on your network. As long as the hostname is resolved to an IP address, the test is successful. Next you'll want to ping an IP address to ensure that reverse DNS is working properly. Run the following command in the command shell window:

ping.exe -a <IP Address>

where the IP Address is the address of some system on your network. If the IP address is resolved to a hostname, the test is successful.

You can use nslookup for further name resolution testing. In the command shell window, type:

nslookup

Once you are inside nslookup, you will see a command sub-prompt (>), and you should enter the commands noted below:

> set querytype=any
> ls -d <DOMAIN NAME>
[Produces an error if zone transfers are not allowed.]
> server <DOMAIN NAME OF DNS SERVER>
[Should return the IP address of the DNS server.]

If you have trouble resolving any IP addresses after you perform the tests, something went awry and you should go back and do some troubleshooting.
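The `ls -d` step above and the Zone Transfers setting it verifies can also be checked directly on the wire, which is useful when you want to repeat the check from outside the domain or script it after every template change. The script below is an added example, not from this article: it sends a single AXFR request over TCP, which is what nslookup's `ls -d` does behind the prompt, and reports whether the server refused it (RCODE 5, REFUSED) or started handing out zone data. The two constructed replies at the bottom let it run offline; `check_zone_transfer` opens a real connection, and the server address 192.0.2.53 in the usage comment is a placeholder you must replace with your own DNS server.

```python
"""Confirm from the wire that a DNS server refuses full zone transfers (AXFR),
the same check the article performs with nslookup's `ls -d`."""
import socket
import struct

QTYPE_AXFR = 252   # zone transfer request type (RFC 1035)
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Encode a dotted name as wire-format labels: length byte + label, ending in 0."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """DNS message (without the TCP length prefix) asking for a full transfer of zone."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags 0: plain query
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def parse_header(msg):
    """Pull the fields a defender cares about out of the 12-byte DNS header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "ancount": an}


def classify(txid, response):
    """Map the first reply message to a verdict."""
    h = parse_header(response)
    if h["id"] != txid or not h["qr"]:
        return "unexpected-message"
    if h["rcode"] == 5:
        return "refused"            # what you want to see from outside the domain
    if h["rcode"] == 0 and h["ancount"] > 0:
        return "transfer-allowed"   # zone data is leaving the server
    return RCODE_NAMES.get(h["rcode"], f"rcode-{h['rcode']}")


def recv_exact(sock, n):
    """Read exactly n bytes or raise; DNS over TCP is length-prefixed."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def check_zone_transfer(server, zone, port=53, timeout=5.0):
    """Send one AXFR over TCP to server and classify the first reply."""
    txid = 0x1234
    query = build_axfr_query(zone, txid)
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return classify(txid, recv_exact(s, length))


# Constructed replies, as they would arrive after the TCP length prefix.
# 0x8005: QR=1, RCODE=5 (REFUSED). 0x8400: QR=1, AA=1, NOERROR with one
# answer counted (the record bytes themselves are omitted; only the header
# is inspected).
QUESTION = encode_name("example.com") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + QUESTION
ALLOWED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + QUESTION

if __name__ == "__main__":
    print(classify(0x1234, REFUSED_REPLY))   # refused
    print(classify(0x1234, ALLOWED_REPLY))   # transfer-allowed
    # Against your own server, from inside and then outside the domain
    # (placeholder address; replace with the real DNS server):
    # print(check_zone_transfer("192.0.2.53", "example.com"))
```

Run the live check twice: from a host listed on the Name Servers tab, where "transfer-allowed" is expected if you chose the second radio button, and from a host that is not, where anything other than "refused" means the setting did not take effect.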

DNS Wrap-Up

Essentially, your DNS server controls what traffic is able to come and go from your entire network. This makes it one of the most important servers on your network. If your DNS server is insecure, unauthorized users may try to access it and change the DNS settings, potentially redirecting your network traffic to someplace else. Keeping your DNS server secure is paramount to keeping your network running smoothly. Before you apply security to a production server, you should always test the new settings in a lab environment. You definitely don't want to experiment on your DNS production server.

If your DNS resource records exist on only one server and that server fails, your network will not be able to resolve any names. Similarly, if the traffic on your network becomes substantial, your DNS server could become overloaded to the point where your network slows to a crawl. Therefore, you should always have at least two DNS servers. Large organizations usually have even more than that. Always apply the same security settings to your secondary DNS servers that you apply to your primary DNS server.
