Securing Your DNS Configuration
DNS represents AD's foundation, and all clients connected to an AD require a working and correct DNS in order to access resources. DNS has had several security flaws with significant impact. From an attacker's point of view, an unsecured or relaxed DNS environment is probably the best attack vector against an AD. Microsoft's TechNet white paper on securing an AD environment discusses best practices for securing DNS, in Chapter 6 (http://technet2.microsoft.com/windowsserver/en/library/cc1eff0a-3a9e-46d2-8a7d-6b2e16461c711033.mspx).
One DNS attack vector is a Denial of Service (DoS), which, by causing too much traffic for example, causes the DNS service to fail to respond to legitimate client queries. Another attack vector is DNS poisoning , which means that an attacker successfully modifies entries in the DNS database, which then causes client requests to resolve incorrectly. All traffic is then sent to the attacker's machine, which can cause a lot of problems...
