When planning the security of DNS servers, you should prepare for attacks against both DNS clients and DNS servers. Either type of attack can lead to clients being directed to unauthorized DNS servers or referred to incorrect servers by fraudulent DNS resource records. Implementing the following security measures increases the security of your DNS servers and reduces the probability of a successful attack against them:
Implementing Active Directory–integrated zones
Implementing separate internal and external DNS name servers
Restricting zone transfers
Implementing IP Security (IPSec) between DNS clients and DNS servers
Restricting DNS traffic at ...