Securing the Domain Name System (DNS) on Windows Server 2003 domains is a very basic requirement. Active Directory (AD) uses DNS to locate the resources required by domain controllers and other domain services (such as files, printers, and mail). Since DNS is an integral part of the Active Directory domain system, it should be secure from the start.

When installing DNS on Windows Server 2003, do not change the default "Active Directory-integrated DNS" setting. Microsoft began offering this setting in 2000. It means that the system stores DNS data only on the DNS server, and does not save or copy information about the domain controller and the global catalog server. This not only improves the speed of operation, but also improves the operational efficiency of the three servers.

Encrypting the data transfer between the DNS server and its clients (or other servers) is also critical. DNS uses TCP/UDP port 53; by filtering this port at different points on your security perimeter, you can ensure that the DNS server only accepts authenticated connections. This is also a good time to deploy IPSec to encrypt the data transfer between DNS clients and the server. Turning on IPSec ensures that communication between all clients and servers is verified and encrypted. Your clients then communicate only with authenticated servers, which helps prevent requests from being spoofed or compromised.

After configuring the DNS server, continue to monitor its connections, just as you would for other high-value targets in the enterprise. The DNS server needs available bandwidth to serve client requests. If you see a large amount of network traffic from a single source machine towards a DNS server, you may be under a denial-of-service (DoS) attack. Cut the connection from that source, or disconnect the server's network connection until you have investigated the problem.
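One way to automate the monitoring described above, as an added example that is not part of the original article: it counts received queries per source address in a sliding window over DNS debug log packet lines. The log line layout, the sample lines, the threshold and window values, and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Received queries only: a response carries an "R" between the transaction ID and "Q".
QUERY_RE = re.compile(
    r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \S+ PACKET\s+\S+ "
    r"(?:UDP|TCP) Rcv (\S+)\s+\S+\s+Q\s"
)

def noisy_sources(log_text, threshold=20, window=timedelta(seconds=10)):
    """Map each source IP to its peak query count in any window, if >= threshold."""
    recent = defaultdict(deque)   # source IP -> timestamps still inside the window
    peak = defaultdict(int)       # source IP -> highest count seen in one window
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue              # responses, sent packets, non-packet lines
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
        src = m.group(2)
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop queries that fell out of the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}

def _line(sec, direction, ip, marker="  "):
    # Constructed sample line; layout assumed from the DNS debug log packet format.
    return (f"6/24/2005 2:07:{sec:02d} PM 0E2C PACKET  000000000214E3D0 UDP "
            f"{direction} {ip:<15} 1a2b {marker}Q [0001   D   NOERROR] A      "
            "(4)host(7)example(3)com(0)")

SAMPLE_LOG = "\n".join(
    [_line(s, "Rcv", "10.0.0.66") for s in range(10, 16) for _ in range(5)]  # 30 in 6 s
    + [_line(s, "Rcv", "10.0.0.5") for s in (10, 30, 50)]                    # normal client
    + [_line(12, "Snd", "10.0.0.5", "R ")]                                   # server reply
    + [_line(13, "Rcv", "192.0.2.53", "R ")]                                 # upstream answer
)

if __name__ == "__main__":
    for src, count in noisy_sources(SAMPLE_LOG).items():
        print(f"{src}: {count} queries within 10 s")
```

Tune the threshold per source class: a DHCP server or a forwarder legitimately sends far more traffic than a workstation.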
Remember that a successful DoS attack on the DNS server will directly cause Active Directory to crash.

With the default setting (secure dynamic update), only authenticated clients can register and update entries on the server. This prevents an attacker from modifying your DNS entries and thereby misleading users into visiting carefully crafted websites that steal important information such as financial data.

You can also use quotas to block client flood attacks on DNS. Clients can usually only register 10 records. By limiting the number of objects a single client can register, you can prevent a client from launching a DoS attack against its own DNS server. Note: Make sure you use different quotas for DHCP servers, domain controllers, and multi-homed servers. These servers may need to register hundreds of objects or users, depending on the features they provide.

The DNS server will respond to any query for a zone it is authoritative for. To hide your internal network architecture from the outside world, you usually need to set up a separate namespace, which generally means that one DNS server is responsible for your internal DNS architecture and another is responsible for the external, Internet-facing DNS architecture. By preventing external users from accessing internal DNS servers, you prevent the disclosure of internal, non-public resources.

Finally, whether you are running a Windows network or a mixture of UNIX and Windows, DNS security should be at the heart of your network. Take steps to protect DNS from external and internal attacks.