securing win2k DNS server

OK, hosting my own DNS server here. The reason I'm hosting it is because I also host a webserver here. I registered a domain name through NAMESECURE. I specified to NAMESECURE that I will be using my own DNS server and not theirs.

I have done the following on my win2k DNS server:

- fully patched
- removed file and print sharing
- only running DNS (nothing else: no IIS, no AD)
- disallowed zone transfers
- disallowed dynamic updates
- disabled recursion

Question: Should this DNS server be allowed to query root servers? I'm guessing it shouldn't? I added A records for the address of my webserver. That is all that is in the current forward lookup zone.

What else should I do to secure this box?
Thanks in advance
Asked by: dissolved
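
One way to confirm from another host that the "disabled recursion" setting listed in the question took effect, as an added example that is not part of the original thread. It uses only the standard RFC 1035 header layout; the function names, the probe name `example.org` and the two sample replies are constructed for illustration.

```python
import struct

def build_query(name, qtype=1, txid=0x1234, rd=True):
    """Encode a single-question DNS query (RFC 1035 wire format, class IN)."""
    flags = 0x0100 if rd else 0          # RD bit: ask the server to recurse
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Decode the 12-byte header of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"txid": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "answers": an, "authority": ns}

def recursion_verdict(query, response):
    """Classify the reply to an RD=1 query for a name the server does NOT host."""
    h = parse_header(response)
    if not h["qr"] or h["txid"] != struct.unpack("!H", query[:2])[0]:
        return "invalid: not a response to this query"
    if h["ra"] and h["rcode"] == 0 and h["answers"] > 0:
        return "OPEN: server recursed and answered"
    if h["ra"]:
        return "WARN: RA flag set, recursion is advertised"
    if h["rcode"] == 0 and h["answers"] > 0:
        return "WARN: answer returned without RA (possibly from cache)"
    return "ok: recursion not offered"

def ask(server, query, timeout=3.0):
    """Send the query over UDP/53 to a server you operate; return the raw reply."""
    import socket
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return s.recvfrom(4096)[0]

# Constructed sample replies, not captured traffic. Only the header is
# inspected, so the answer section itself is omitted from RECURSED.
Q = build_query("example.org")
REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + Q[12:]   # QR, RD, rcode 5
RECURSED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + Q[12:]  # QR, RD, RA, 1 answer
```

Against a live server, `recursion_verdict(q, ask(server_ip, q))` with `q = build_query(...)` for a name outside the hosted zone gives the same classification.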

poseidoncanuck commented:
I always start with the authoritative security lockdown guides published by Microsoft:

Windows 2000 Security Hardening Guide
http://go.microsoft.com/fwlink/?LinkID=22380 

Microsoft Solution for Securing Windows 2000 Server
http://www.microsoft.com/technet/security/prodtech/windows/secwin2k/default.asp 

Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP
http://go.microsoft.com/fwlink/?LinkId=15159 

Then a few quick tips that are proven to make it very difficult for someone to "own" your server:
- Configure all privileged accounts with *very* strong passwords
- Configure an IPSec "block" policy to allow Internet addresses to access only 53/tcp and 53/udp
- Reconfigure Terminal Services RDP permissions to allow only a specific user (or group of users) to connect to the server via Terminal Services/Remote Desktop connections (the default is Administrators get to use TS)
- Configure Automatic Updates to automatically download and install all patches on a daily basis (you have a far greater chance of someone "owning" your box due to a zero-day exploit than you have of that server being "harmed" by a critical security update)
dissolved (author) commented:
Thanks.
This DNS server actually isn't part of a domain. It's standalone. Did kill a lot of unneeded services though.
Probably going to move the DNS server to its own VLAN and use IP access lists to control who accesses it (i.e., only let a certain range of IPs resolve).
Thanks