Securing DNS in Windows Networks

DNS can be set up quickly in Windows Server environments with Active Directory, but security should be part of that setup from the start. Name resolution is a central part of every network and must be secured accordingly. In this video tip, we show what to look out for.

DNS is quick to get up and running, especially in environments with Windows servers. After setup, however, security settings should still be configured at the level of the DNS servers, the zones, and the user permissions.

Securing DNS zones

To secure Windows-based DNS servers after setup, a few basic steps should be taken first. In the properties of each DNS zone, on the General tab, the option “Secure only” should be set for “Dynamic updates”. This ensures that only authenticated hosts are allowed to create or change dynamic entries. If you want to be absolutely sure, disable dynamic updates entirely and create all entries yourself.

On the same tab, there is the option “Replication.” Here you can set which DNS servers are allowed to receive the DNS zone data. This option should also be set to meet the security requirements in the company.

If a DNS server is also a domain controller, this tab can also be used to control whether the DNS data should be integrated into Active Directory and replicated to other DNS servers and domain controllers via Active Directory replication.

The “Name servers” tab should be used to check whether the correct servers are listed. Obsolete or unwanted servers should not appear here. The “Security” tab and the membership of the “DNSAdmins” group should also be reviewed.

The DHCP server settings determine whether clients that receive an IP address from an internal DHCP server are registered in the DNS zone. These settings are adjusted in the DHCP section. Incidentally, you can also specify here which user account the DHCP server uses to access the DNS server when it creates the entries.
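The zone settings described above can also be audited and enforced from PowerShell. The following is an added example, not code from the article; the server and DHCP server names are assumptions, and it requires the DnsServer and DhcpServer modules (RSAT or the installed roles).

```powershell
# Added example (not from the article): audit dynamic-update settings on
# every primary zone, enforce "Secure only" where possible, and list the
# NS records that the "Name servers" tab would show for review.
Import-Module DnsServer, DhcpServer

$DnsServer  = 'dc01.corp.example'    # assumed DNS server name
$DhcpServer = 'dhcp01.corp.example'  # assumed DHCP server name

$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

foreach ($zone in $zones) {
    # 'Secure' = "Secure only": only authenticated hosts may register records
    if ($zone.DynamicUpdate -ne 'Secure') {
        Write-Warning ("{0}: DynamicUpdate is '{1}'" -f $zone.ZoneName, $zone.DynamicUpdate)
        if ($zone.IsDsIntegrated) {
            Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $zone.ZoneName -DynamicUpdate Secure
        } else {
            # Secure updates need an AD-integrated zone; a file-backed zone can
            # only offer None or NonsecureAndSecure, so disable updates instead.
            Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $zone.ZoneName -DynamicUpdate None
        }
    }

    # "Name servers" tab: every NS record (apex and delegations) should be a
    # server you still operate; obsolete entries belong removed.
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName -RRType NS |
        ForEach-Object { '{0,-30} {1,-15} NS {2}' -f $zone.ZoneName, $_.HostName, $_.RecordData.NameServer }
}

# DHCP section: show, and if needed set, the dedicated account the DHCP
# server uses for DNS registrations (a low-privilege account, not a DA).
Get-DhcpServerDnsCredential -ComputerName $DhcpServer
# Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential (Get-Credential -Message 'DHCP DNS registration account')
```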

Using Best Practices Analyzer for DNS

Once the DNS infrastructure is in use, both after setup and during regular operation, the Best Practices Analyzer in Server Manager should be used on Windows servers to check the settings and their security. To do this, open Server Manager first. When it opens, the DNS tile should already be outlined in green, indicating that no errors are reported for the role.

Clicking “DNS” in Server Manager displays the DNS servers to which Server Manager is connected. In the lower area, you can also see the “Best Practices Analyzer” box. Via “Tasks / Start BPA check”, the individual DNS servers are checked and any messages are displayed. If not all DNS servers are listed here, they can be added to Server Manager via “Manage / Add Server”.

The check takes a while. Afterwards, messages may appear. For each finding, the BPA shows the problem, its impact, and tips for resolving it. These messages should not be ignored: work through all of them and fix the underlying problem. Messages can also be copied, for example to the clipboard, via the context menu.
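The same BPA scan can be started from PowerShell, which makes it easy to repeat during regular operation and keep a record of the findings. This is an added example, not code from the article; it uses the BestPractices module that ships with Windows Server and the public DNS Server model ID.

```powershell
# Added example (not from the article): run the DNS Server BPA model and
# keep only the findings that need action (Warning/Error, not excluded).
Import-Module BestPractices

$modelId = 'Microsoft/Windows/DNSServer'   # BPA model for the DNS Server role

# Invoke-BpaModel performs the scan; this is the "Start BPA check" step.
Invoke-BpaModel -ModelId $modelId | Out-Null

# Get-BpaResult returns the messages. Information-level results are compliant
# rules, so they are filtered out here.
$findings = Get-BpaResult -ModelId $modelId |
    Where-Object { $_.Severity -in 'Warning', 'Error' -and -not $_.Excluded }

# Problem / Impact / Resolution correspond to the three parts shown in the GUI
$findings |
    Sort-Object Severity, Title |
    Select-Object Severity, Category, Title, Problem, Impact, Resolution |
    Format-List

# Export the list so each message can be tracked until it is resolved
$findings | Export-Csv -Path "$env:TEMP\dns-bpa-findings.csv" -NoTypeInformation
```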

In a secure environment, the DNS zones should also be digitally signed (DNSSEC). This protects the entries in the zones: clients in the network can validate a DNS server’s response to a query, which protects against spoofing and against manipulation of the name resolution cache. Setup is straightforward in Windows Server 2016, 2019 and 2022.

Digital signing is done in DNS Manager (dnsmgmt.msc). Right-click the corresponding zone and select “DNSSEC / Sign the Zone”. If the zone is already signed, the settings can be adjusted here, or the signature can be removed again. Invoking this command starts a wizard for setting up DNSSEC.

The setup can be performed even by administrators who do not have extensive knowledge of DNS signing options. For this purpose, the wizard offers the option “Use default settings for zone signing”, which is a good choice; settings can still be adjusted later. Afterwards, only one or two windows need to be confirmed, and the zone is then displayed as digitally signed. Signed zones get a different icon, so that in DNS Manager you can recognize which zones have been signed.

Via the context menu and the “DNSSEC” entry, the signing settings can of course be adjusted later. This allows administrators to secure their DNS zones quickly and then optimize the protection or adapt it to the requirements of the security department. For example, the keys used for the actual signatures can also be defined here. Once the necessary keys have been created, i.e. the key signing key (KSK) and the zone signing key (ZSK), they can be adjusted in the properties on the corresponding tabs (“KSK” and “ZSK”).

Changes after signing DNS zones

When a zone has been signed, it gets a small lock as its icon. Settings can subsequently be adjusted via the “DNSSEC” entry in the context menu. In addition, new records are added to the zone: here you can see the default DNSSEC entries as well as the RRSIG records (resource record signatures) for the individual entries.

In order for the clients in the network to actually use the signatures, a group policy setting must be configured. Ideally, a separate group policy should be created for this.

The settings are located under “Computer configuration / Policies / Windows settings / Name resolution policy”. The DNS suffix, i.e. the name of the signed zone, is entered under “Suffix”. Then the options “Enable DNSSEC in this rule” and “Require DNS clients to verify name and address data from DNS server” are activated. Finally, click “Create” and then “Apply”.
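Both halves of the DNSSEC setup, signing the zone with default settings and creating the Name Resolution Policy rule in a GPO, can be scripted. This is an added example, not code from the article; the zone, server and GPO names are assumptions, and it requires the DnsServer, DnsClient and GroupPolicy modules.

```powershell
# Added example (not from the article): sign a zone with the wizard's
# defaults, inspect the keys and new record types, then push the matching
# NRPT rule through a GPO so clients require validated answers.
Import-Module DnsServer, DnsClient, GroupPolicy

$zone    = 'corp.example'              # assumed zone to sign
$server  = 'dc01.corp.example'         # assumed DNS server (key master)
$gpoName = 'DNSSEC Client Validation'  # assumed GPO name

# Equivalent of "Use default settings for zone signing" in the wizard
Invoke-DnsServerZoneSign -ComputerName $server -ZoneName $zone -SignWithDefault -Force

# The defaults create one KSK and one ZSK; these are the "KSK"/"ZSK" tabs
Get-DnsServerSigningKey -ComputerName $server -ZoneName $zone |
    Select-Object KeyType, CryptoAlgorithm, KeyLength, RolloverPeriod

# Record types that appear only in a signed zone (DNSKEY, RRSIG, NSEC3, ...)
Get-DnsServerResourceRecord -ComputerName $server -ZoneName $zone |
    Group-Object RecordType |
    Where-Object { $_.Name -in 'DNSKEY', 'RRSIG', 'NSEC3', 'NSEC3PARAM' } |
    Select-Object Name, Count

# Client side: the NRPT rule from the "Name resolution policy" node.
# -DnsSecEnable = "Enable DNSSEC in this rule",
# -DnsSecValidationRequired = "Require DNS clients to verify ...".
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}
Add-DnsClientNrptRule -GpoName $gpoName -Namespace ".$zone" `
    -DnsSecEnable -DnsSecValidationRequired `
    -Comment 'Require validated answers for the signed zone'

# Check from a client once the policy has applied: with the DO bit set, the
# RRSIG records are returned alongside the A record.
Resolve-DnsName -Name "www.$zone" -Type A -DnssecOk | Format-Table Name, Type, TTL
```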

Use read-only domain controllers

In Active Directory, read-only domain controllers (RODCs) can be used at locations where a domain controller cannot be physically secured. These domain controllers do not accept changes themselves; they only receive replicated changes from writable domain controllers. RODCs also support signed DNS zones: the server creates a secondary zone and copies the signed data. This means that DNS signing can be used even in branch offices where the domain controllers cannot be secured.

Configuring secondary zones

Secondary DNS zones can also be secured. Here it is important to enable the “Allow zone transfers” option on the “Zone transfers” tab of the primary server and then restrict transfers to the specific servers that will hold the zone as a secondary zone, rather than allowing transfers to any server.

Setting advanced settings for DNS servers

The “Advanced” tab in the DNS server properties contains server options that also improve security. The “Disable recursion (and forwarding)” option ensures that the server answers only from the zones it hosts and neither resolves queries recursively on behalf of clients nor forwards them to other DNS servers.

“Secure cache from corruption” prevents the DNS server cache from being polluted with forged data. Such pollution is typically attempted through additional records in query responses or referrals that do not belong to the queried domain; with this option enabled, the server discards such records instead of caching them.
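The zone-transfer restriction from the previous section and the two “Advanced” tab options above map directly onto DnsServer cmdlets, which also allow the effective state to be reported for review. This is an added example, not code from the article; the server, zone and secondary address are assumptions.

```powershell
# Added example (not from the article): restrict zone transfers to a named
# secondary, disable recursion on an authoritative-only server, enable
# cache pollution protection, and report the resulting configuration.
Import-Module DnsServer

$server    = 'dc01.corp.example'   # assumed primary DNS server
$zone      = 'corp.example'        # assumed zone
$secondary = '10.20.0.53'          # assumed (constructed) secondary server IP

# "Zone transfers" tab: allow transfers only to the listed servers and
# notify exactly those servers when the zone changes.
Set-DnsServerPrimaryZone -ComputerName $server -Name $zone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $secondary `
    -Notify NotifyServers -NotifyServers $secondary

# "Advanced" tab: "Disable recursion (and forwarding)". Only do this on a
# server that clients do not use as their resolver; otherwise name
# resolution for everything outside the hosted zones stops working.
Set-DnsServerRecursion -ComputerName $server -Enable $false

# "Advanced" tab: cache pollution protection (the "Secure cache from
# corruption" option). Records outside the queried domain are discarded.
Set-DnsServerCache -ComputerName $server -PollutionProtection $true

# Report the effective state for comparison against the security policy
$zoneInfo = Get-DnsServerZone -ComputerName $server -Name $zone
[pscustomobject]@{
    Zone                     = $zone
    SecureSecondaries        = $zoneInfo.SecureSecondaries
    SecondaryServers         = ($zoneInfo.SecondaryServers -join ', ')
    RecursionEnabled         = (Get-DnsServerRecursion -ComputerName $server).Enable
    CachePollutionProtection = (Get-DnsServerCache -ComputerName $server).PollutionProtection
}
```

On the secondary server itself, the matching zone is created with Add-DnsServerSecondaryZone, pointing its -MasterServers parameter at the primary.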