By default, a DNS Server service that is running on a multihomed computer is configured to listen for DNS queries using all of its IP addresses. You can make the DNS server more secure by limiting the IP addresses that the DNS Server service listens on to the IP address that is used by its DNS clients as their preferred DNS server.
Membership in the Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Restricting a DNS server to listen only on selected addresses
To restrict a DNS server to listen only on selected addresses using the Windows interface
- Open DNS Manager.
- In the console tree, click the applicable DNS server.
  Where?
  - DNS/applicable DNS server
- On the Action menu, click Properties.
- On the Interfaces tab, click Only the following IP addresses.
- In IP address, type an IP address to be enabled for this DNS server, and then click Add.
- Repeat the previous step as necessary to specify other server IP addresses to be enabled for this DNS server.
To remove an IP address from the list, click it, and then click Remove.
Additional considerations
- To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.
- By default, the DNS Server service listens for DNS message communications on all configured IP addresses for the server computer.
- Server IP addresses that are added here must be managed statically. If you later change or remove the addresses specified here from the TCP/IP configurations that are maintained at this server, update this list accordingly.
- After you update or revise the list of restricted interfaces, you must stop and restart the DNS server to apply the new list.
- Restricting the DNS Server service to only listen on specific IP addresses is an effective security measure because only hosts on the same network subnet, or hosts with a router that connects them to that same segment, have access to the server.
To restrict a DNS server to listen only on selected addresses using a command line
- Open a command prompt.
- Type the following command, and then press ENTER:
dnscmd <ServerName> /ResetListenAddresses [<ListenAddress> ...]
Parameter | Description
---|---
dnscmd | Specifies the name of the command-line tool for managing DNS servers.
<ServerName> | Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ResetListenAddresses | Required. Resets the IP addresses of the interfaces on which the DNS server listens.
<ListenAddress> ... | Specifies one or more IP addresses for the interfaces on which you want the DNS server to listen. By default, the DNS Server service listens for DNS message communications on all configured IP addresses for the server computer.
To view the complete syntax for this command, at a command prompt, type the following command, and then press ENTER:
dnscmd <ServerName> /ResetListenAddresses /help
Additional considerations
- To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
- Server IP addresses that you add here must be managed statically. If you later change or remove the addresses specified here from the TCP/IP configurations that are maintained at this server, update this list accordingly.
- After you update or revise the list of restricted interfaces, you must stop and restart the DNS server to apply the new list.
- Restricting the DNS Server service to listen only on specific IP addresses is an effective security measure because only hosts on the same network subnet, or hosts with a router that connects them to that same segment, have access to the server.
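The following PowerShell script is an added example, not part of the original article: it applies the command-line procedure above on the local server and enforces the two considerations that are easy to forget (only statically configured addresses, and a service restart afterwards). It assumes the script runs elevated on the DNS server itself, that Get-NetIPAddress and the DnsServer module's Get-DnsServerSetting are available (Windows Server 2012 or later), and the parameter name $ListenAddress is the example's own.

```powershell
# Restrict the DNS Server service to the given listen addresses, with checks.
# Assumption: run in an elevated PowerShell session on the DNS server itself.
param(
    [Parameter(Mandatory)]
    [string[]] $ListenAddress   # e.g. '10.0.0.5' (constructed sample value)
)

# 1. The article says listen addresses must be managed statically. A DHCP or
#    autoconfigured address can change or disappear, after which the service no
#    longer binds to it, so refuse anything that is not a manually set address
#    currently present on this host. (Get-NetIPAddress: NetTCPIP module.)
$static = Get-NetIPAddress | Where-Object { $_.PrefixOrigin -eq 'Manual' }
foreach ($ip in $ListenAddress) {
    if ($static.IPAddress -notcontains $ip) {
        throw "$ip is not a statically configured address on this host; not applied."
    }
}

# 2. Replace the listen list on the local server ('.'), exactly as in the
#    article's command. PowerShell expands the array into separate arguments.
& dnscmd.exe . /ResetListenAddresses $ListenAddress
if ($LASTEXITCODE -ne 0) {
    throw "dnscmd /ResetListenAddresses failed with exit code $LASTEXITCODE"
}

# 3. The new list is only applied after the DNS Server service restarts.
Restart-Service -Name DNS

# 4. Verify what the service is now configured to listen on
#    (Get-DnsServerSetting -All exposes ListeningIPAddress; DnsServer module).
$applied = (Get-DnsServerSetting -All).ListeningIPAddress
Write-Output "DNS Server now listens on: $($applied -join ', ')"
```

Run it as `.\Set-DnsListen.ps1 -ListenAddress 10.0.0.5` (file name and address are placeholders); the same check also catches a typo that would otherwise leave the server bound to an address nobody uses.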