David Szpunar: Owner, Servant 42 and Servant Voice

David's Church Information Technology

April 14th, 2007 at 10:44 pm

This is Why I Externally Host DNS

The SANS Internet Storm Center has been tracking a 0-day exploit out there compromising Windows DNS servers that are live on the Internet. I’d say this is a good reason to use Linux for such services, but that’s an argument for another day; there have certainly been DNS exploits in Linux DNS server software as well! But at Lakeview, we use an external service (in our case, DNS Made Easy) to host our DNS. They get to worry about it, fix it, keep the patches current…all we have to do is run our internal Windows Active Directory DNS services for our internal network, with recursive queries for outside domains. Our internal servers aren’t open to the Internet. That way, as few ports as possible are open from the outside in. VPN and Exchange services (OWA, ActiveSync, RPC over HTTPS) are the only things I can think of off the top of my head that are open from the outside (the fact that I’m not sure of all of them means I need to double-check next week!), and those are published through our Microsoft ISA 2004 firewall, which inspects all of this traffic to make sure it’s properly formed before letting it in, as another security measure.

We’re even protected from external SMTP exploits against our Exchange server, because we use DefenderSoft Email Threat Center (an MXLogic reseller) to accept our incoming (and outgoing, for that matter) email. Our Exchange server’s SMTP service can only accept connections from their email servers, and nowhere else, so it isn’t directly exposed to exploitation: external servers can only reach us through them. This cuts down on spam as well (which could otherwise come straight to our server, bypassing the spam filtering), which is a good side benefit.
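One way to verify that the SMTP restriction described above is actually holding is to audit the mail server's connection log against the allow-list of the filtering provider's servers; this is an added example, not code from the blog or from Exchange, MXLogic or ISA, and the netblocks, log format and log lines are all constructed placeholders.

```python
import ipaddress
import re

# Constructed placeholder netblocks standing in for the filtering
# provider's outbound mail servers (the real ranges come from the provider).
UPSTREAM_FILTER_NETS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed sample lines in the shape of a generic SMTP connection log:
# "<date> <time> SMTP connect from <ip> <accepted|rejected>"
SAMPLE_LOG = """\
2007-04-14 22:10:01 SMTP connect from 198.51.100.17 accepted
2007-04-14 22:11:45 SMTP connect from 192.0.2.55 accepted
2007-04-14 22:12:03 SMTP connect from 203.0.113.9 accepted
2007-04-14 22:13:30 SMTP connect from 192.0.2.56 rejected
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) SMTP connect from (?P<ip>\S+) (?P<result>accepted|rejected)$"
)


def is_upstream(ip: str) -> bool:
    """True if the source address belongs to one of the provider's netblocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in UPSTREAM_FILTER_NETS)


def find_bypasses(log_text: str) -> list[dict]:
    """Return accepted connections whose source is outside the allow-list.

    Each hit is mail that reached the server without passing through the
    filtering provider, i.e. the inbound SMTP restriction is not holding.
    """
    bypasses = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a connection record; ignore
        if m["result"] == "accepted" and not is_upstream(m["ip"]):
            bypasses.append({"ts": m["ts"], "ip": m["ip"]})
    return bypasses


if __name__ == "__main__":
    for hit in find_bypasses(SAMPLE_LOG):
        print(f"{hit['ts']} direct SMTP accepted from {hit['ip']} (bypassed filter)")
```

Run against the real log with the provider's published ranges; any output at all means a firewall rule or SMTP connection filter needs fixing.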

If you don’t already keep your firewall locked down as tight as possible, keep your eye on the SANS ISC for a while. It’ll scare some sense into you :-)