Tip

Why protect DNS?

Active Directory depends upon DNS. If DNS fails, so does Active Directory. This, in turn, means that if DNS fails, your entire network may be disabled. Many of the functions and features of AD use DNS to locate domain controllers, systems, services, clients, and other objects. It should be obvious that protecting DNS is almost as important as protecting AD itself.

But some of you may not be fully convinced that the cost in dollars, time, and effort to protect DNS is as warranted as the cost of protecting AD. So, consider the following...

Active Directory and DNS work in a distributed environment. Multiple servers host these services, and their ability to interact with each other and with the rest of the network allows them to provide the essential services of the network (i.e., directory services and name resolution). This eliminates single points of failure, provides for efficient operation through shared resources, and can be designed to mimic the organizational hierarchy of the company.

However, distributed environments offer attackers, or even misguided users, numerous methods of interfering with normal operations:

  • Communications between DNS servers may be corrupted
  • Communications between DNS servers may be blocked
  • DNS databases may become corrupted
  • DNS databases may be intentionally poisoned with false data
  • DNS servers may be disabled or shut down
  • DNS servers may be the target of a DoS attack
  • Physical connections to DNS servers may be damaged

If any of these attacks or unwanted occurrences is imposed on a network, clients and DCs may be led to communicate with unauthorized DNS servers or DCs, or may simply be prevented from locating and communicating with each other at all.
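One defender-side check for exactly that failure mode, added here as an example and not part of the original tip: compare the DC locator SRV records that domain members query against the list of domain controllers the directory itself knows about. It assumes a domain-joined Windows host with the ActiveDirectory RSAT module and Resolve-DnsName available; the $Domain parameter and the record names are the standard AD locator records, and the script itself is hypothetical.

```powershell
# Added example (not from the original tip): verify that the DNS records AD
# clients use to locate domain controllers point only at known DCs.
# Assumes: domain-joined Windows host, ActiveDirectory module, Resolve-DnsName.
param(
    [string]$Domain = (Get-ADDomain).DNSRoot
)
Import-Module ActiveDirectory

# Hostnames of the DCs the directory itself knows about (the authoritative list)
$knownDCs = (Get-ADDomainController -Filter * -Server $Domain).HostName |
    ForEach-Object { $_.ToLowerInvariant() }

# The SRV records every domain member queries to find a DC
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain"
)

$findings = foreach ($name in $srvNames) {
    try {
        $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' }
    } catch {
        # Locator record missing or DNS unreachable: logon and replication will fail
        [pscustomobject]@{ Record = $name; Target = $null;
                           Status = "UNRESOLVABLE: $($_.Exception.Message)" }
        continue
    }
    foreach ($r in $records) {
        $target = $r.NameTarget.TrimEnd('.').ToLowerInvariant()
        # A target that is not a known DC is the "unauthorized DC" condition
        $status = if ($knownDCs -contains $target) { 'OK' } else { 'UNEXPECTED TARGET' }
        [pscustomobject]@{ Record = $name; Target = $target; Status = $status }
    }
}

$findings | Format-Table -AutoSize
```

Any row reporting UNEXPECTED TARGET or UNRESOLVABLE is worth investigating, since it is the poisoned-record or cannot-locate-DC situation described above; scheduling the script and alerting on non-OK rows turns it into a simple detection.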

Providing protection for DNS as a means to provide additional protection for AD DCs is an essential part of establishing a truly secure networking environment. In later tips I'll discuss some of the techniques you can employ to improve DNS security and reliability.


James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.


This was first published in July 2004
