A Sysadmin’s DNS Best Practices

Systems administrator Apostolos Fotakelis shares nine tried-and-true tips for running a secure DNS environment.

Apostolos Fotakelis

March 26, 2008

  1. Create zones for obvious Web-ad domains on your internal DNS servers so that those ad hosts never resolve.

  2. Use OpenDNS (www.opendns.com) DNS servers as forwarders to add an extra layer of security.

  3. Control exactly which DNS protocols (UDP, TCP, or both) are allowed, both at the edge firewall and on the server itself. Also, lock down the DNS server. I’ve found Windows Server 2003 SP1’s Security Configuration Wizard very useful for these two tasks.

  4. Use Active Directory (AD)–integrated zones and secure dynamic updates.

  5. Restrict DNS replication (zone transfers) to only the DNS servers that need it.

  6. Implement split DNS, if applicable.

  7. Use DNSstuff (www.dnsstuff.com) to get useful additional information—also helpful for troubleshooting.

  8. Get rid of NetBIOS over TCP/IP and WINS. (Windows Server 2008 has a special DNS zone that eliminates the need for a WINS server.)

  9. Develop your own best practices list!
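The following script is an added example, not part of the original article, that applies tips 1, 2, 4 and 5 on a Windows DNS server with the DnsServer PowerShell module (Windows Server 2012 and later; on the 2003/2008 servers the article discusses, dnscmd.exe sets the same zone properties) and then audits every primary zone for nonsecure dynamic updates or unrestricted zone transfers. The zone names, the secondary server addresses and the sinkhole domains are placeholders; the forwarder addresses are OpenDNS's published resolvers.

```powershell
# Added example (not from the article): applies DNS hardening tips 1, 2, 4 and 5
# with the DnsServer module. Run on a domain controller that hosts DNS.
# Zone names and addresses below are placeholders, not real infrastructure.
#Requires -Modules DnsServer

$AdZone        = 'corp.example'                          # placeholder: the AD domain zone
$Secondaries   = @('10.0.0.11', '10.0.0.12')             # placeholder: only servers allowed to pull zone transfers
$SinkholeZones = @('ads.example', 'tracker.example')     # placeholder: ad-serving domains to sinkhole
$Forwarders    = @('208.67.222.222', '208.67.220.220')   # OpenDNS resolvers (verify current addresses on opendns.com)

# Tip 1: an empty authoritative zone makes this server answer NXDOMAIN for the ad
# domain and every name under it, so internal clients never reach the ad host.
foreach ($name in $SinkholeZones) {
    if (-not (Get-DnsServerZone -Name $name -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $name -ReplicationScope Domain -DynamicUpdate None
    }
}

# Tip 2: forward every query this server is not authoritative for to OpenDNS
# instead of iterating from the root hints.
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false

# Tip 4: secure dynamic updates require an AD-integrated zone, so convert first.
if (-not (Get-DnsServerZone -Name $AdZone).IsDsIntegrated) {
    ConvertTo-DnsServerPrimaryZone -Name $AdZone -ReplicationScope Domain -Force
}
Set-DnsServerPrimaryZone -Name $AdZone -DynamicUpdate Secure

# Tip 5: allow zone transfers only to the listed secondaries, and notify only them.
Set-DnsServerPrimaryZone -Name $AdZone -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $Secondaries -Notify NotifyServers -NotifyServers $Secondaries

function Test-DnsZoneHardening {
    # Audit: emit one finding per primary zone that still violates tip 4 or tip 5.
    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            $issues = @()
            if ($_.DynamicUpdate -eq 'NonsecureAndSecure') { $issues += 'accepts nonsecure dynamic updates' }
            if ($_.SecureSecondaries -eq 'TransferAnyServer') { $issues += 'zone transfer allowed to any host' }
            if ($issues.Count -gt 0) {
                [pscustomobject]@{ Zone = $_.ZoneName; Issues = ($issues -join '; ') }
            }
        }
}

Test-DnsZoneHardening | Format-Table -AutoSize
```

Run the audit function alone on a schedule to catch zones that drift back to the weak settings.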
