The following Domain Name System (DNS) client considerations have security implications for DNS clients in a DNS infrastructure.

Whenever possible, specify static IP addresses for the preferred and alternate DNS servers that a DNS client uses

If a DNS client is configured to obtain its DNS server addresses automatically, it obtains them from a Dynamic Host Configuration Protocol (DHCP) server. This method of obtaining DNS server addresses is secure only to the extent that the DHCP server is secure, because the client uses whatever DNS server addresses the DHCP server hands out. By configuring DNS clients with static IP addresses for the preferred and alternate DNS servers, you can eliminate one possible avenue of attack.

For more information, see Enable DNS for DHCP-Enabled Clients.
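One way to audit this setting on a client is shown below. This is an added example, not part of the original page; it assumes a Windows client with the NetAdapter and DnsClient PowerShell modules, and the approved server addresses are constructed placeholders from the 192.0.2.0/24 documentation range.

```powershell
# Added example: report whether each active interface uses static, approved DNS servers.
# Assumption: $ApprovedDns holds your organization's resolvers (constructed sample values here).
$ApprovedDns = @('192.0.2.10', '192.0.2.11')

# Per-interface TCP/IP settings: NameServer holds statically configured resolvers,
# DhcpNameServer holds resolvers learned from a DHCP lease.
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

$report = Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
    $adapter = $_
    $props = Get-ItemProperty -Path (Join-Path $ifRoot $adapter.InterfaceGuid) `
                              -ErrorAction SilentlyContinue

    # Both values are delimited strings; split on commas/whitespace and drop empty entries.
    $static = @($props.NameServer     -split '[,\s]+' | Where-Object { $_ })
    $dhcp   = @($props.DhcpNameServer -split '[,\s]+' | Where-Object { $_ })

    # Resolvers the client actually uses on this interface (IPv4 only in this example).
    $effective = @((Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex `
                        -AddressFamily IPv4).ServerAddresses | Where-Object { $_ })
    $unapproved = @($effective | Where-Object { $_ -notin $ApprovedDns })

    [pscustomobject]@{
        Interface  = $adapter.Name
        Source     = if ($static.Count) { 'Static' } elseif ($dhcp.Count) { 'DHCP' } else { 'None' }
        Effective  = $effective -join ', '
        Unapproved = $unapproved -join ', '
        # Compliant only when the resolvers are static and all are on the approved list.
        Compliant  = ($static.Count -gt 0) -and ($unapproved.Count -eq 0)
    }
}

$report | Format-Table -AutoSize

# To pin the approved resolvers on a non-compliant interface (run elevated):
# Set-DnsClientServerAddress -InterfaceAlias '<interface name>' -ServerAddresses $ApprovedDns
```

An interface reported with Source `DHCP` is taking its DNS servers from the DHCP lease, which is the dependency the paragraph above describes.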

Control which DNS clients have access to the DNS server

If a DNS server is configured to listen only on specific IP addresses, only DNS clients that are configured to use these IP addresses as preferred and alternate DNS servers will contact the DNS server.

For more information, see Restrict a DNS server to listen only on selected addresses.

For more information, see Security Information for DNS.