Small strategies for protecting DNS security on Windows Server 2003


DNS, the Domain Name System, turns host names into addresses and is effectively the identity layer of the Internet; almost every Internet application and protocol depends on it. Securing DNS on a Windows Server 2003 domain is therefore a very important requirement: Active Directory cannot function without DNS, because clients, domain controllers and services locate each other through DNS records, so DNS has to be secured at the source.

When installing DNS on Windows Server 2003, keep the default choice of Active Directory-integrated DNS. Microsoft introduced this option with Windows 2000.

An Active Directory-integrated zone is stored in the directory instead of a text file, and on Windows Server 2003 it is placed by default in an application directory partition (DomainDnsZones or ForestDnsZones) that replicates only to domain controllers that also run DNS, rather than to every domain controller and global catalog server. This keeps zone data off servers that do not need it, reduces replication traffic, and is also the prerequisite for the secure dynamic updates and directory quotas described below.

Controlling who can talk to the DNS server, and protecting that traffic, is just as important. DNS uses TCP and UDP port 53; by filtering this port at the perimeter and at internal chokepoints you make sure that only the hosts you expect (internal clients, secondary servers, forwarders) can reach the server at all. A packet filter by itself authenticates nobody, though: it limits exposure, and authentication has to come from IPsec.

This is also a good time to deploy IPsec between DNS clients and servers. With IPsec in place, traffic between clients and servers is authenticated and encrypted, so a client only talks to a server that has proved its identity, and queries cannot be spoofed or tampered with on the wire. Two caveats: an Internet-facing server cannot require IPsec from arbitrary clients, and a domain member normally needs DNS to locate a domain controller before it can obtain the Kerberos tickets that IKE authentication uses, so test the policy on a few clients (and plan exemptions for bootstrapping) before assigning it broadly.
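The port filter and the IPsec policy described in the two paragraphs above, as an added example that is not part of the original article. It assumes a hypothetical layout (clients in 10.0.0.0/8, one secondary server at 10.1.1.53) and the netsh syntax is written from memory of the Windows Server 2003 help, so confirm it with `netsh firewall add portopening /?` and `netsh ipsec static add filter /?` before running it.

```powershell
# Added example, not from the original article: lock down port 53 on a Windows Server 2003
# DNS server with the host firewall, then require Kerberos-authenticated IPsec for the hosts
# that are still allowed in. Run as an administrator on the DNS server; every step is a
# netsh call, so a cmd.exe prompt works the same as PowerShell.
# Assumed (hypothetical) addresses: clients in 10.0.0.0/8, one secondary server at 10.1.1.53.

$internalNet = "10.0.0.0/255.0.0.0"
$secondary   = "10.1.1.53"
$tcpPeers    = "$internalNet,$secondary"   # TCP 53 also carries zone transfers to the secondary

# 1. Windows Firewall (SP1 and later): an unlisted inbound port is closed, so these two
#    openings define exactly who may reach the DNS service.
netsh firewall add portopening protocol=UDP port=53 name=DNS-UDP-internal mode=ENABLE scope=CUSTOM addresses=$internalNet
netsh firewall add portopening protocol=TCP port=53 name=DNS-TCP-internal mode=ENABLE scope=CUSTOM addresses=$tcpPeers

# 2. IPsec: negotiate ESP for every packet to or from local port 53, authenticated with
#    Kerberos (domain members only). inpass=no refuses clear-text inbound packets and
#    soft=no forbids falling back to clear text when negotiation fails.
netsh ipsec static add policy name=DNS-Require-IPsec description=Authenticate-DNS-clients
netsh ipsec static add filterlist name=DNS-Port53
netsh ipsec static add filter filterlist=DNS-Port53 srcaddr=10.0.0.0 srcmask=255.0.0.0 dstaddr=me protocol=UDP mirrored=yes srcport=0 dstport=53
netsh ipsec static add filter filterlist=DNS-Port53 srcaddr=10.0.0.0 srcmask=255.0.0.0 dstaddr=me protocol=TCP mirrored=yes srcport=0 dstport=53
netsh ipsec static add filteraction name=Require-ESP action=negotiate inpass=no soft=no
netsh ipsec static add rule name=DNS-Port53-Rule policy=DNS-Require-IPsec filterlist=DNS-Port53 filteraction=Require-ESP kerberos=yes

# Assign on a test server first: the matching policy has to reach the clients (via Group
# Policy) or they are locked out, and clients need DNS to find a KDC for the Kerberos step.
netsh ipsec static set policy name=DNS-Require-IPsec assign=yes

# 3. Verify what is actually in force.
netsh firewall show portopening
netsh ipsec static show policy name=DNS-Require-IPsec
```

The IPsec filter is deliberately narrower than the firewall opening: the secondary server is allowed through the firewall for zone transfers, but it must also satisfy the IPsec rule, so a secondary outside the domain needs its own rule (certificate or pre-shared key authentication) before it can pull the zone.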

After configuring the DNS server, keep monitoring its connections, just as you would any other high-value target in the enterprise. The DNS server needs free bandwidth to serve client requests.

If you see a large volume of traffic from one source machine towards a DNS server, you may be facing a denial-of-service (DoS) attack. Block the source at the nearest filter, or, if you cannot, disconnect the server from the network until you have investigated. Remember that a successful DoS against the DNS server effectively takes Active Directory down with it: clients and domain controllers can no longer locate each other.
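One way to spot the single-source flood described above, as an added example that is not part of the original article. It reads the DNS server's debug log (DNS console: server Properties, Debug Logging, "Log packets for debugging" with incoming packets enabled). The sample lines are constructed to resemble that log's layout; their exact column layout is an assumption, so the parser keys only on the leading date and time and on the `<proto> Rcv <client ip>` fields. Requires PowerShell 2.0 or later.

```powershell
# Added example, not from the original article: flag sources that send more than a threshold
# of queries to a Windows Server 2003 DNS server within one time window, using its debug log.

function Find-DnsFloodSources {
    param(
        [string[]]$Lines,
        [int]$Threshold = 100,     # received queries per window from one source before flagging
        [int]$WindowSeconds = 60
    )
    # Date, time, then anywhere later "<UDP|TCP> Rcv <remote ip>" (inbound packets only).
    $pattern = '^(\d{8}) (\d{2}:\d{2}:\d{2}) .*?\b(?:UDP|TCP) Rcv (\S+)'
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $windowTicks = [long]$WindowSeconds * 10000000          # 100 ns ticks per window
    $counts = @{}                                             # "ip|windowStartTicks" -> packets

    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $pattern)
        if (-not $m.Success) { continue }                     # responses we sent, or non-packet lines
        $stamp = [datetime]::ParseExact($m.Groups[1].Value + ' ' + $m.Groups[2].Value, 'yyyyMMdd HH:mm:ss', $culture)
        $windowStart = $stamp.Ticks - ($stamp.Ticks % $windowTicks)   # integer arithmetic on ticks
        $key = $m.Groups[3].Value + '|' + $windowStart
        if ($counts.ContainsKey($key)) { $counts[$key]++ } else { $counts[$key] = 1 }
    }

    $hits = @()
    foreach ($key in $counts.Keys) {
        if ($counts[$key] -lt $Threshold) { continue }
        $ip, $windowStart = $key -split '\|'
        $hits += New-Object PSObject -Property @{
            Source      = $ip
            WindowStart = New-Object DateTime ([long]$windowStart)
            Queries     = $counts[$key]
        }
    }
    $hits | Sort-Object Queries -Descending
}

# Constructed sample: one ordinary client exchange, then 150 queries within the same minute
# from 10.0.0.99 (the layout imitates the Windows Server 2003 DNS debug log).
$sample = @(
    '20090612 13:45:12 4A0 PACKET  01F23450 UDP Rcv 10.0.0.37   0004   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)',
    '20090612 13:45:12 4A0 PACKET  01F23450 UDP Snd 10.0.0.37   0004 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)'
)
$flood = 1..150 | ForEach-Object {
    $sec = ($_ % 60).ToString('00')
    $xid = $_.ToString('X4')
    "20090612 13:45:$sec 4A0 PACKET  01F23460 UDP Rcv 10.0.0.99   $xid   Q [0001   D   NOERROR] A      (6)random(7)example(3)com(0)"
}

Find-DnsFloodSources -Lines ($sample + $flood) -Threshold 100 | Format-Table Source, WindowStart, Queries -AutoSize

# Against a real log, with a threshold tuned to the server's normal load:
# Find-DnsFloodSources -Lines (Get-Content C:\dns.log) -Threshold 500 -WindowSeconds 60
```

Run it against the log on a schedule rather than once: the debug log is cleared and rotated by the server, and a flagged source is the address to block at the nearest firewall or IPsec filter while you investigate, as the paragraph above recommends.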

With the default setting for an Active Directory-integrated zone (secure dynamic updates only), only authenticated domain members can register and update records on the server, and a record can be changed only by the account that created it. This prevents an attacker from altering your DNS records to redirect users to a carefully crafted look-alike site and steal sensitive data such as financial information. Note that the secure-only option exists only for Active Directory-integrated zones; a standard primary zone offers only "none" or "nonsecure and secure".

You can also use directory quotas to block registration floods against DNS. A quota limits how many objects a security principal may own in a directory partition, which includes the DNS records it registers. An ordinary client needs to register only a few records, so a limit of about 10 is usually enough. By capping the number of records one client can register, you prevent a single compromised or misbehaving client from flooding the zone and denying service to its own DNS server.

Note: use different quotas for DHCP servers, domain controllers and multi-homed servers. These may legitimately need to register hundreds of records, depending on the services they provide; a DHCP server, for example, registers on behalf of every client it leases to. Be careful with the DnsUpdateProxy group commonly used for DHCP servers: records created by its members are deliberately left unsecured so that the client can later take them over, and any authenticated user can modify such a record until that happens.
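The zone settings and quotas from the preceding paragraphs (Active Directory-integrated storage, secure-only dynamic updates, a default quota with a larger allowance for the DHCP server), as an added example that is not part of the original article. The zone name, partition DN and DHCP account are hypothetical, and the dnscmd, dsmod, dsadd and dsget syntax is written from memory of the Windows Server 2003 help, so check `dnscmd /?` and `dsadd quota /?` before running it.

```powershell
# Added example, not from the original article. Run as a domain administrator on a domain
# controller that hosts DNS (dnscmd comes with the Windows Server 2003 support tools).
# Assumed (hypothetical) names:
$zone      = "corp.example.com"
$partition = "DC=DomainDnsZones,DC=corp,DC=example,DC=com"   # default domain-wide DNS partition
$dhcpAcct  = 'CORP\dhcp01$'                                  # DHCP server machine account

# 1. Store the zone in the directory (DsPrimary) and keep it in the DomainDnsZones
#    application partition, which replicates only to DNS-hosting DCs of this domain.
dnscmd /ZoneResetType $zone /DsPrimary
dnscmd /ZoneChangeDirectoryPartition $zone /domain

# 2. Dynamic updates: 0 = none, 1 = nonsecure and secure, 2 = secure only (AD-integrated only).
dnscmd /Config $zone /AllowUpdate 2

# 3. Check the server's own view of the zone before trusting it. The property labels are
#    those printed by dnscmd /ZoneInfo; adjust the patterns if your build prints them differently.
$info = dnscmd /ZoneInfo $zone
if (-not ($info -match 'DS\s*integrated\s*=\s*1')) { throw "$zone is not AD-integrated" }
if (-not ($info -match '\bupdate\s*=\s*2'))        { throw "$zone still accepts nonsecure updates" }

# 4. Quotas: every security principal may own at most 10 objects in this partition
#    (enough for a workstation's A and PTR records); the DHCP server, which registers on
#    behalf of its clients, gets a much larger allowance of its own.
dsmod partition $partition -qdefault 10
dsadd quota -part $partition -acct $dhcpAcct -qlimit 500

# 5. Review: the effective default, and the principals that currently own the most objects,
#    which is also where a registration flood shows up first.
dsget partition $partition -qdefault -qtmbstnwt
dsget partition $partition -topobjowner 10
```

Quotas count tombstoned (deleted, not yet purged) objects at a reduced weight, so a client that churns records can still hit its limit; `-qtmbstnwt` shows that weight, and raising the domain controllers' own quota separately (step 4 with the DC accounts) avoids blocking their SRV registrations.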

A DNS server answers any query for a zone it is authoritative for. To hide your internal network layout from the outside world, set up a separate namespace: one DNS server holds the internal DNS namespace and another holds the external, Internet-facing one (a split DNS design). Preventing external users from reaching the internal DNS server stops internal, non-public resources from being disclosed. On the external server, also disable recursion and restrict zone transfers to known secondaries, since an unrestricted zone transfer hands an attacker the complete zone in a single request.
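The two halves of the split namespace described above, as an added example that is not part of the original article. The addresses and zone names are hypothetical (documentation ranges), and the dnscmd syntax is from memory of the Windows Server 2003 help, so check `dnscmd /?` before use.

```powershell
# Added example, not from the original article. Assumed (hypothetical) layout: public zone
# example.com on an external server in the DMZ (198.51.100.53) with a secondary at
# 198.51.100.54; internal zone corp.example.com on an internal, AD-integrated server; a
# separate resolver at 192.0.2.53 to which the internal server forwards Internet lookups.

# On the external (Internet-facing) server: authoritative for the public zone only,
# held in a file, never joined to the internal directory.
dnscmd /ZoneAdd example.com /Primary /file example.com.dns
dnscmd /RecordAdd example.com www A 198.51.100.80
dnscmd /RecordAdd example.com mail A 198.51.100.25
# Refuse recursive queries: this server answers for its own zones and nothing else, so it
# cannot be used as an open resolver or be fed forged answers for other domains.
dnscmd /Config /NoRecursion 1
# Zone transfers only to the listed secondary (/NoXfr would disable them entirely).
dnscmd /ZoneResetSecondaries example.com /SecureList 198.51.100.54
# Check from a host that is not on the list: in interactive nslookup, "server 198.51.100.53"
# then "ls -d example.com" must be refused rather than dumping the zone.

# On the internal server: the internal namespace lives in Active Directory and is reachable
# only from inside, with secure dynamic updates.
dnscmd /ZoneAdd corp.example.com /DsPrimary
dnscmd /Config corp.example.com /AllowUpdate 2
# Internet names are forwarded to the resolver; /Slave means "forward only", so the internal
# server never contacts Internet name servers itself if the forwarder does not answer.
dnscmd /ResetForwarders 192.0.2.53 /Slave
```

If internal users must reach public services by their public names, give the internal server its own copy of `example.com` with the internal addresses rather than letting internal queries leak to the external server; that internal copy is the second half of the "split" in split DNS.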

DNS is a core part of a network administrator's job. Whether you run a pure Windows network or a mix of UNIX and Windows, DNS security should be a core requirement, with the measures above taken so that DNS can withstand attacks from outside and inside alike.

Copyright © Windows knowledge All Rights Reserved