Security experts have advised system administrators to use Non-Microsoft DNS configurations in their Active Directory setups.
Active Directory can be better protected when using Non-Microsoft DNS in Active Directory
Security expert Jeremy Moskowitz from PolicyPak Software advises system administrators to use alternative DNS services and not rely solely on BIND when configuring Active Directory. Microsoft themselves have published an advisory that discusses this matter. Contrary to popular belief, this service is optional.
The main functions that an Active Directory performs are authentication, authorization and accounting (logging) of users and devices. Using third-party services can help protect networks and computer hosts in the event of a malicious attack. Some of the features offered by alternatives include:
- Behaviour-adapted protection against DNS attacks, malware and data exfiltration, using customized DNS firewall solutions.
- Advanced DNS and DHCP features, such as Identity Mapping, that protect networks and hosts.
- Resolving queries and directing traffic according to the geographic location of the system.
- Advanced logging of events and intrusion points.
- Using a single solution for the internal and external DNS service.
- System-agnostic management of the DNS server.
- Increased security by adding additional authorization measures to the administration panel.
- Increased security by using IP-based access control features.
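Two of the listed features, IP-based access control and advanced logging, can be illustrated with a DNS server configuration. The fragment below is an added example written for this article, not configuration from PolicyPak, Microsoft or any product the article names; it uses BIND `named.conf` syntax, and the network ranges, host addresses, zone name and key name are made up for illustration. The first `options` block shows the permissive defaults that are easy to leave in place; the second restricts recursion, queries and zone transfers by source address and turns on query and security logging so that unexpected lookups and denied transfers leave a record.

```conf
// --- Weak: anyone who can reach the server may recurse, query and pull zones ---
// options {
//     directory "/var/named";
//     recursion yes;
//     allow-query     { any; };
//     allow-recursion { any; };
//     allow-transfer  { any; };
// };

// --- Hardened: IP-based access control plus logging ---
// Address ranges below are constructed for this example.
acl "internal"    { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };
acl "secondaries" { 10.0.0.53; };

// TSIG key used to authenticate dynamic updates (secret is a placeholder;
// generate a real one with tsig-keygen on the server).
key "corp-update-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
};

options {
    directory "/var/named";
    recursion yes;
    allow-query     { internal; };      // only internal clients may ask questions
    allow-recursion { internal; };      // no open resolver for the outside world
    allow-transfer  { secondaries; };   // zone contents only go to known secondaries
    version "not disclosed";            // do not advertise the exact server version
};

logging {
    channel query_log {
        file "/var/log/named/query.log" versions 5 size 20m;
        severity info;
        print-time yes;
        print-category yes;
    };
    category queries  { query_log; };   // every lookup, with client address
    category security { query_log; };   // denied queries, transfers and updates
};

// Example AD-style zone (name constructed); updates require the TSIG key.
zone "corp.example" IN {
    type master;
    file "corp.example.zone";
    allow-transfer { secondaries; };
    allow-update   { key "corp-update-key"; };
};
```

With the hardened block in place, a zone-transfer request from an address outside `secondaries` is refused and shows up in the `security` category, and the `queries` log gives the source address for every lookup, which is the raw material for the event logging and intrusion review the article describes. Domain controllers that register their own records dynamically need an update path that matches the key or policy configured here, so that part should be tested before the permissive settings are removed.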
This suggestion comes after a careful review of the vulnerabilities that are used for intrusion against Active Directory networks. A vast majority of them are caused by weaknesses in the BIND service. Administrators would be wise to evaluate alternative products that offer more features and provide additional protection policies.