- Run separate authoritative and recursive DNS servers
- Enable Debug Logging
- Use CNAME Records for Alias (Instead of A Record)
- DNS Order on Domain Controllers
- Domain-joined Computers Should Only Use Internal DNS Servers
- Use Anycast and Load-balancing
- Implement Unified change management
- Enable DNS Logging
- Lock DNS Cache
- Filter DNS Requests to Block Malicious Domains
- Firewalls should be hardened to close unneeded ports
- Allow queries only for your managed domains
- Configure Access Control Lists
- DNSSEC Deployment
- DNSSEC Security Components Automation
- Enable DNSSEC to ensure that DNS responses are digitally signed
- Validate DNS Data Integrity with DNSSEC

DISCLAIMER: The information and code provided here are intended for educational and informational purposes only. The user assumes full responsibility for the use of this information and code. The provider of this information and code makes no representations or warranties, express or implied, about the completeness, accuracy, reliability, suitability, or availability of the information and code provided. Any reliance you place on such information and any use of this code is therefore strictly at your own risk. In no event will the provider be liable for any loss or damage including without limitation, indirect or consequential loss or damage, arising out of, or in connection with, the use of this information and code.