DNS security levels
Three levels of DNS security
The following three levels of DNS security will enable you to increase the DNS security of your organisation and help you understand your current DNS configuration.
Low-level security
Low-level security is a standard DNS deployment without any security precautions configured. Only deploy this level of DNS security in network environments where there is no concern for the integrity of your DNS data or in a private network where there is no threat of external connectivity.
- Zone transfers to any servers are permitted by all DNS servers.
- On all DNS servers, cache pollution prevention is disabled.
- For all DNS zones, dynamic update is allowed.
- The DNS infrastructure of your organisation is fully exposed to the Internet.
- All DNS servers in your network perform standard DNS resolution.
- User Datagram Protocol (UDP) and Transmission Control Protocol/Internet Protocol (TCP/IP) port 53 is open on the firewall for your network for both source and destination addresses.
- All DNS servers are configured to listen on all of their IP addresses.
- All DNS servers are configured with root hints pointing to the root servers for the Internet.
Medium-level security
Medium-level security uses the DNS security features available without running DNS servers on domain controllers and storing DNS zones in Active Directory.
- Proxy servers and gateways perform all Internet name resolution.
- For any of the DNS zones, non-secure dynamic update is not allowed.
- There is limited exposure to the Internet for the DNS infrastructure of your organisation.
- All DNS servers enable cache pollution prevention.
- With a limited list of source and destination addresses allowed, internal DNS servers communicate with external DNS servers through the firewall.
- DNS servers are configured to listen on specified IP addresses.
- External DNS servers in front of your firewall are configured with root hints pointing to the root servers for the Internet.
- All DNS servers limit zone transfers to servers listed in the name server (NS) resource records in their zones.
- All DNS servers are configured to use forwarders to point to a specific list of internal DNS servers when they cannot resolve names locally.
High-level security
High-level security uses the same configuration as medium-level security. It also uses the security features available when the DNS Server service is running on a domain controller and DNS zones are stored in Active Directory.
In addition, high-level security completely eliminates DNS communication with the Internet. This is recommended whenever Internet connectivity is not required; however, it is not a typical configuration.
- All DNS servers have cache pollution prevention enabled.
- DNS servers that are configured with forwarders use only internal DNS server IP addresses.
- All DNS servers limit zone transfers to specified IP addresses.
- There is no Internet communication by internal DNS servers for the DNS infrastructure of your organisation.
- All authority for DNS zones is internal as your network uses an internal DNS root and namespace.
- Internal DNS servers are configured with root hints pointing to the internal DNS servers hosting the root zone for your internal namespace.
- DNS servers are configured to listen on specified IP addresses.
- All DNS servers run on domain controllers. A discretionary access control list (DACL) is configured on the DNS Server service to only allow specific individuals to perform administrative tasks on the DNS server.
- All DNS zones are stored in Active Directory. A DACL is configured to only allow specific individuals to create, delete, or modify DNS zones.
- DACLs are configured on DNS resource records to only allow specific individuals to create, delete, or modify DNS data.
- Secure dynamic update is configured for DNS zones, except the top-level and root zones, which do not allow dynamic updates at all.
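The following PowerShell script is an added example, not part of the original page: it audits a Windows DNS Server against the medium- and high-level items above (cache pollution prevention, listening addresses, internal-only forwarders, dynamic update and zone transfer settings) using the DnsServer module cmdlets. The expected internal forwarder addresses are a constructed example; the DACL items are not checked.

```powershell
# Audit a Windows DNS Server against the medium/high-level DNS security items.
# Assumes the DnsServer PowerShell module (DNS Server role tools) is installed.
# Usage: Get-DnsSecurityFindings | Format-Table -AutoSize
function Get-DnsSecurityFindings {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # Constructed example: the internal DNS servers that forwarders are expected to point at.
        [string[]]$ExpectedForwarders = @('10.0.0.53', '10.0.1.53')
    )
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # Cache pollution prevention: disabled at low level, enabled at medium and high level.
    $cache = Get-DnsServerCache -ComputerName $ComputerName
    Add-Finding 'Cache pollution prevention enabled' $cache.EnablePollutionProtection `
        "EnablePollutionProtection=$($cache.EnablePollutionProtection)"

    # Listening addresses: low level listens on all addresses (ListeningIPAddress == AllIPAddress).
    $setting = Get-DnsServerSetting -ComputerName $ComputerName
    $listening = @($setting.ListeningIPAddress)
    $listenAll = ($listening.Count -eq 0) -or
                 ($null -eq (Compare-Object $listening @($setting.AllIPAddress)))
    Add-Finding 'Listens on specified IP addresses only' (-not $listenAll) ("Listening=" + ($listening -join ','))

    # Forwarders: only the expected internal servers, with no fallback to Internet root hints.
    $fwd = Get-DnsServerForwarder -ComputerName $ComputerName
    $fwdIps = @($fwd.IPAddress | ForEach-Object { $_.IPAddressToString })
    $unexpected = @($fwdIps | Where-Object { $_ -notin $ExpectedForwarders })
    Add-Finding 'Forwarders point only at internal DNS servers' `
        ($fwdIps.Count -gt 0 -and $unexpected.Count -eq 0) ("Forwarders=" + ($fwdIps -join ','))
    Add-Finding 'No root-hint fallback when forwarders fail' (-not $fwd.UseRootHint) "UseRootHint=$($fwd.UseRootHint)"

    # Per-zone checks on primary zones: no non-secure dynamic update, no unrestricted zone transfers.
    $zones = Get-DnsServerZone -ComputerName $ComputerName |
             Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }
    foreach ($z in $zones) {
        Add-Finding "Zone $($z.ZoneName): no non-secure dynamic update" `
            ($z.DynamicUpdate -ne 'NonsecureAndSecure') "DynamicUpdate=$($z.DynamicUpdate)"
        Add-Finding "Zone $($z.ZoneName): zone transfers restricted" `
            ($z.SecureSecondaries -ne 'TransferAnyServer') "SecureSecondaries=$($z.SecureSecondaries)"
    }
    return $findings
}
```

Any row with Pass = False marks an item that is still at low-level security; the Detail column shows the current value so the corresponding Set-DnsServerCache, Set-DnsServerSetting, Set-DnsServerForwarder or Set-DnsServerPrimaryZone change can be made.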