Best Practices

Purpose¶

This document outlines best practices for DNS server configuration in Active Directory environments, focusing on both performance and security considerations. The goal is to enhance the stability, efficiency, and security of DNS infrastructure within enterprise networks.

Performance Best Practices¶

Redundancy and High Availability¶

• Always have at least two DNS servers, preferably three (1 master, 2 slaves). Ensures redundancy and high availability.

Internal DNS Usage¶

• Domain-joined computers should only use internal DNS servers. This ensures that end-user computers can always resolve internal resources and simplifies troubleshooting and management.
• Extended Reason: Using only internal DNS servers increases security and streamlines DNS operations.

DNS Server Self-Referencing¶

• A DNS server should have 127.0.0.1 loopback as a secondary or tertiary DNS server. Improves the DNS server’s own performance and availability.
• Extended Reason: Setting the loopback address as the primary DNS can prevent Active Directory from locating replication partners. Use as secondary or tertiary only.

DNS Server Prioritization¶

• Prioritize DNS servers based on proximity to endpoints. Assign the primary DNS server as the local server, and secondary as a remote branch server, to improve lookup speeds.

DNS Record Aging and Scavenging¶

• Enable DNS record aging/scavenging (preferably 7 days). Keeps DNS recordsets manageable, which improves lookup performance and troubleshooting.

Use of CNAME Records¶

• Use CNAME records for DNS aliasing. Avoid A records for aliases. Updating one host record updates all associated aliases, and PTR records remain properly configured.

Security Best Practices¶

Network Exposure¶

• DNS servers should never be publicly accessible from the internet. This prevents attackers from performing reconnaissance or planning attacks using exposed DNS infrastructure.

Administrative Access¶

• Restrict RDP/remote desktop access to DNS servers/domain controllers to a limited list of administrators. Reduces the risk of reconnaissance, reverse shell attacks, and malware installation.

Use of Slave DNS Servers¶

• End-users should be issued only replicated/slave DNS servers. Protects the master/authoritative DNS server from being directly exposed as an attack vector.
• Extended Reason: In branch office scenarios, assign the local replicated server as primary, and main office replicated servers as secondary and tertiary, keeping the master server isolated.

DNS Server Cache Lockdown¶

• Lock the DNS server cache to 100% (read-only). Prevents DNS cache poisoning by allowing cache changes only after TTL expiry.

DNS Logging¶

• Enable DNS logging. Facilitates troubleshooting and administration.

DNS Security Filtering¶

• Enable DNS security filtering via DNS forwarder or a security appliance. Use secure public DNS (e.g., 9.9.9.9) or a firewall appliance (e.g., Sophos XG Firewall) to add a security layer to all DNS queries.

Enable DNSSEC¶

• Enable DNSSEC (DNS Security Extensions). Protects against DNS record spoofing and related attacks.

DNS Socket Port Randomization¶

• Enable DNS socket port randomization. Prevents network attacks by making DNS queries originate from unpredictable ports.
• Note: Enabled by default on Windows Server 2016 and newer.

Additional Notes¶

Sources / References¶

• Active Directory Pro: DNS Best Practices
• Spiceworks: DNS Server Best Practice
• Microsoft Docs: Creating a DNS Infrastructure Design
• PhoenixNAP: DNS Best Practices Security
• Monitis: Best Practices for Active Directory Integrated DNS
• DNS Knowledge: Authoritative Name Server