Configuring Advertisers
DNS advertisers let anyone resolve addresses for your publicly available hosts, such as your Web, FTP, and mail servers. These servers have the highest exposure to attack, so it's important that you carefully select the information that you make available on these servers. Advertisers should contain information about only publicly accessible hosts and should never contain private IP addresses. You should also configure your advertisers so that they share zone information only with your other DNS advertisers.
Many organizations use their ISP to host public DNS records, in which case you don't have much control over DNS configuration. However, if you host your own public DNS servers, you can use DNSCmd, one of the support tools in Support.cab, which you'll find in the \support\tools directory on the Windows Server 2003 CD-ROM. First, you'll configure the advertiser to listen only on a single IP address. For example, suppose your public DNS server has a public IP address of 192.0.34.166. You would use the command
dnscmd resetlistenaddresses 192.0.34.166
Next, you'll want to disable recursion so that the DNS server responds to requests only in its own zones. To do so, use the command
dnscmd /Config /NoRecursion 1
The next step is to make the DNS server a root server by adding the root zone. If a server thinks it's a root server, it assumes it already knows everything it needs and therefore will never attempt to contact other DNS servers. You would use the command
dnscmd /ZoneAdd . /Primary
Because this server is a public-facing DNS server, I recommend setting a few other restrictions to help prevent exposure to future attacks. First, use the following command to stop the DNS server from using the RPC protocol:
dnscmd /Config /RPCProtocol 0
Second, if all your zone names strictly consist of ANSI characters (i.e., they contain no special or foreign characters), you can configure the name server to handle only proper RFCcompliant names. To do so, use the command
dnscmd /Config /NameCheckFlag 0
Third, to prevent possible abuse of your DNS server, you can set a limit on how many host records it can return for each query. The following command sets a minimum of five records:
dnscmd /Config /AddressAnswerLimit 5
Configuring Internal Domain Masters
Your internal domain masters are the DNS servers that handle all name resolution for your local AD domains. If you haven't done so already, you should configure these servers as AD-integrated zones to take advantage of the more granular security control and improved replication features that setup provides. These servers are authoritative for their own zones but shouldn't attempt to perform lookups for foreign zones.
To configure your domain masters, you first need to disable recursion, as you did for your advertisers. You should also make internal domain masters root servers so that they never attempt to contact other DNS servers:
dns /zoneadd . /Primary
Configuring Resolvers
Now you can configure your resolvers. These servers should be centrally located so that clients on the internal network can reach them but so that they can also connect to external DNS servers. Your first task is to ensure that the resolver listens only on internal IP addresses. If one of your resolvers listens on the IP address 192.168.0.54, you would use the command
dnscmd resetlistenaddresses
192.168.0.54
Note that this IP address and the one you set for any additional resolvers will be the IP addresses that you configure on each client system as the DNS server in TCP/IP Properties.
Your second task is to have each resolver conditionally forward internal domain lookups to your internal domain masters. If your domain is example.corp and your domain masters are located at 192.168.0.11 and 192.168.0.12, you would use the command
dnscmd /zoneadd example.corp /forwarder
192.168.0.11 192.168.0.12 /slave
The /slave parameter tells this resolver to not attempt to find the address itself if the DNS servers don't respond. Because these are the DNS servers for your local domain, there's no point in trying to locate the IP address anywhere else.
Register
