Whether it’s configuration within the Microsoft DNS service itself that can make a server more secure, or additional operating system and network environment configuration, there are small measures you can take to offer your clients greater security.
Here’s a look at some easy DNS-related tips to tighten your client’s security.
Environmental configuration for DNS
DNS servers that manage Active Directory-integrated domains have similar security requirements to domain controllers. Options for securing these are as follows:
- Place the DNS server behind a firewall. Do not run a DNS server with Active Directory services on the Internet.
- If you require communication between your network and the Internet (or external WANs), place a DNS server (not managing Active Directory-integrated domains) that will communicate with your network and the Internet outside your firewall. Some of you will choose to use your Internet service provider’s DNS servers for this purpose. Place a second DNS server—which can manage Active Directory-integrated domains—inside your firewall. This second DNS server will forward DNS requests to the DNS server outside the firewall.
- Configure Active Directory-integrated domains to use private domain names (for example, techrepublic.local or techrepublic.pbs) or any first-level domain (for example, .local, .trm, .pgf) that isn’t recognised by the public Internet. If you choose this option, you won’t be able to forward DNS requests to DNS servers on the Internet. You can get around this by using a proxy server for clients to send DNS requests over the Internet. Caution: Consider this carefully. If this is your first domain in the first Active Directory forest, you cannot rename it without re-creating your Active Directory structure.
- Use private IP addresses (for example, 10.0.x.x or 192.168.x.x) instead of public IP addresses that are recognised over the Internet. Note: This won’t necessarily help you if you allow traffic to come through your firewall. If an individual gets access to a system on the network from the outside, that person may still be able to locate the DNS servers on the network.
Minimising DoS attacks
Several registry settings can be used to minimise the likelihood of denial of service (DoS) attacks on a DNS server (or any server, actually). I recommend that, before you attempt to make any changes to the registry on a production system, you test these settings on a non-production server and back up the registry from the production server.
All registry key settings will be configured under this key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. Table A outlines the settings you can use.
Table A
Accessing the registry
To access the registry, complete the following steps:
- Access the Start menu and choose Run.
- Type REGEDIT.
- Navigate to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
- Create a new value setting (see Table A) by selecting Edit Menu | New | DWORD.
- Type the name of the value in the selected item in the right panel.
- Double-click the name of the value.
- Type the value.
- Click the OK button.
- Repeat steps 4 through 8 for each value name you want to set.
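The following PowerShell script is an added example, not part of the original article: it is the scripted equivalent of the regedit procedure above, including the registry backup and the test-before-you-change check the text recommends. Because Table A is not reproduced here, the value name it sets (SynAttackProtect, a real Tcpip\Parameters value) is an assumption used for illustration; replace the $Desired table with the values you have reviewed for your own servers.

```powershell
# Added example (not from the original article): scripted equivalent of the
# regedit steps above, with the backup and verification the text advises.
# The value names in $Desired are assumptions; Table A is not reproduced here.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$RegExport = 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Desired DWORD values (assumed; SynAttackProtect is a real value, shown only
# as an illustration of the pattern, not as the article's Table A).
$Desired = @{
    'SynAttackProtect' = 1
}

function Backup-TcpipParameters {
    param([string]$Destination = "$env:TEMP\Tcpip-Parameters-$(Get-Date -Format yyyyMMdd-HHmmss).reg")
    # reg.exe export writes a restorable .reg file; /y overwrites silently
    reg.exe export $RegExport $Destination /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry export failed (exit $LASTEXITCODE)" }
    return $Destination
}

function Test-TcpipParameters {
    # Audit mode: report each desired value as Compliant, Missing or Mismatch
    foreach ($name in $Desired.Keys) {
        $item    = Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue
        $current = if ($null -ne $item) { $item.$name } else { $null }
        $state   = if ($null -eq $current) { 'Missing' }
                   elseif ($current -eq $Desired[$name]) { 'Compliant' }
                   else { 'Mismatch' }
        [pscustomobject]@{ Name = $name; Current = $current; Desired = $Desired[$name]; State = $state }
    }
}

function Set-TcpipParameters {
    # Steps 4 through 8 of the procedure for every value, after taking a backup
    $backup = Backup-TcpipParameters
    Write-Host "Registry backup written to $backup"
    foreach ($name in $Desired.Keys) {
        # -Type DWord creates the value if absent and overwrites it if present
        Set-ItemProperty -Path $KeyPath -Name $name -Value $Desired[$name] -Type DWord
    }
    # Verify the result; Tcpip\Parameters changes take effect after a reboot
    Test-TcpipParameters | Where-Object State -ne 'Compliant' | ForEach-Object {
        Write-Warning "$($_.Name) is still $($_.State)"
    }
}

# Run the audit first; call Set-TcpipParameters from an elevated prompt to apply.
Test-TcpipParameters | Format-Table -AutoSize
```

Run the audit on the non-production server first, as the text advises, and keep the exported .reg file so the change can be reverted by double-clicking it.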
TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to fire walls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.
©2001 TechRepublic, Inc.