
	Home > Windows Tips > > Protecting DNS servers in Active Directory

Win IT Tips:

EMAIL THIS

TIPS & NEWSLETTERS TOPICS

Protecting DNS servers in Active Directory

James Michael Stewart
07.12.2004
Rating: -3.07- (out of 5)

Digg This!

StumbleUpon

Del.icio.us

We've already established in my previous tip that if your DNS infrastructure is damaged or attacked, your entire AD infrastructure will probably fail along with it. Protecting your DNS servers will require a multi-pronged approach. First and foremost, establish the same secure design, implementation and deployment procedures for your DNS servers as I've recommended for your AD DCs.

Next, consider implementing secured communications with DNS servers, monitor all network traffic, and re-evaluate the open ports on your firewall.

By encrypting all communications between DNS servers and all DNS clients (which includes not just end user clients but also AD DCs and member servers), it will minimize or eliminate the possibility of traffic interception and manipulation. One of the best ways to implement this is through IPSec. One of the primary benefits to IPSec in addition to encrypted data transmission is mutual authentication of both communication partners (i.e. the DNS server and the DN...

Digg This!

StumbleUpon

Del.icio.us

RELATED RESOURCES

	2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
	Search Bitpipe.com for the latest white papers and business webcasts
	Whatis.com, the online computer dictionary

S client) through a PKI certificate based identity structure before DNS traffic is actually allowed. To implement such a plan, all DNS servers will need to have an IPSec policy of Secured Server (Require Security) or similar enforced. This will also require that all DNS clients have a Client (Request Security) IPSec policy or similar enabled on them. In this way, all DNS communications will be protected by IPSec but non-DNS communications (or at least communications with servers not hosting DNS servers) will not necessarily be protected by IPSec.

The implementation of IPSec across all systems will cause a measurable decrease in the performance of network communications due to the overhead of encrypting and decrypting communications. However, the increased security should more than compensate for the slight reduction in throughput.

In the next tip, I'll discuss the other two options for improving DNS security on an Active Directory network.

James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

Rate this Tip

To rate tips, you must be a member of SearchWinIT.com.
Register now to start rating these tips. Log in if you are already a member.

DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

Windows Technology Updates, Reviews and Solutions

Laptop Discounts with free coupon codes, huge savings at Notebook Review

SEARCH

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 1999 - 2009, TechTarget \| Read our Privacy Policy