Domain Name System also known as DNS is a server system that use a hierarchal structure of named computers and network services. This allows the user friendly name to be mapped to a specific IP address. DNS service is a required fundamental service for Active Directory in the Enterprise environment.
With Windows Server 2008 beginning to be deployed, DNS plays a critical role in the Enterprise environment. This version of Microsoft’s server software now includes new security related enhancements. With security issues with DNS becoming more of an issue, these enhancements help make Windows Server 2008 more secure.
Recent articles on DNS Cache Poisoning describe how the insertion of malicious DNS records into the cache of a target nameserver can cause a hacker to spoof a response to the target server including an answer for the query. This ultimately causes the target nameserver to insert additional records into the cache.
Windows Server 2008 has additional features that help prevent this poisoning when properly configured and patched.
With Background Zone Loading, DNS servers can now use background loading to respond to client queries immediately after a full restart. Zones no longer have to be fully loaded before these aforesaid queries are answered. This in turn helps prevent denial-of-service attacks (also known as DoS attacks).
This server also includes support for read only domain controllers known as RODCs. These RODC’s often lie outside of a corporate center or office can be replicated on Windows Server 2008.
With all servers, hardening is critical. Hardening is taking all precautionary methods of making a server secure. An Administrator must be able to identify installed files, running services, patches and updates, firewall rules (ports and applications) and role dependencies for their server’s role in the enterprise. Each DNS server needs to also be checked for its role (external or internal) in the network. Separate servers need to be inside or outside of the firewall for optimal security. This is a critical strategic goal of server deployment and must be adhered to.
By deploying a server (core only mode) and analyzing the role of an administrator’s server, this mode limits the amount of files needed for deployment while limiting services that are loaded. This form of minimal deployment assists in the security of Windows Server 2008 DNS servers. Often Information Technology professionals install DNS servers and forget about the critical maintenance and hardening that is required during and after deployment. DNS plays a critical role in Enterprise functionality and security and cannot be ignored or forgotten about.