Hi,
I purchased static IP address and cablemodem service and need to install an external DNS server and an SMTP relay service for an internal email server. I would like to use Windows 2003 server and turn on the firewall/ICS that comes with sp2. I looked up information on Technet for securing 2003 and DNS and didn't find any really good documents. What I did find was general information on Windows firewall/ICS and the general best practices for DNS I have listed below. Does anyone have any recommendations they can provide? Thanks.
1) Protect the DNS infrastructure of your organization by utilizing an internal root and name space.
2) Only the external DNS server is configured with Internet root hints.
3) All internal DNS servers are configured only with the root hints pointing to the internal DNS servers hosting the root zone for your internal name space.
4) All DNS servers run on domain controllers with all DNS zones stored in Active Directory. Active Directory DACLs are utilized to secure administration of DNS. All DNS servers are configured with NTFS as the file system.
5) External DNS resolution is only performed by your external DNS server. The internal DNS servers point to the external DNS server.
6) Internal DNS servers are configured to only permit zone transfers to specific internal DNS servers.
7) The default setting of cache pollution prevention is enabled.
UDP/TCP port 53 is only open between one of your internal DNS servers and only your external DNS server through a firewall in your DMZ.
9) Only secure dynamic DNS updates are allowed for all zones except for the top-level and root zones, which do not allow dynamic updates at all.
10) All Internet name resolution is performed using proxy servers and gateways.
11) Utilize Windows Firewall and create exceptions only for DNS ports TCP and UDP port 53.
06-Oct-2007, 02:21 PM
Linear Mode
Similar Threads