Deny Recursive DNS Queries from External Hosts

jebenson

Technical User
Feb 4, 2002
2,956
US
Hello all,

I recently got dinged in a security audit because my DNS server allows external hosts to perform recursive DNS queries. My DNS server is a Win 2003 Server.

I am unsure how to set this up properly. In the DNS Server properties, on the Forwarders tab, I have "Do not use recursion for this domain" checked, but it was checked at the time of the audit and didn't prevent the external recursive queries.

So, anybody know how I can do this?

Thanks,
jebenson

I used to rock and roll every night and party every day. Then it was every other day. Now I'm lucky if I can find 30 minutes a week in which to get funky. - Homer Simpson

Arrrr, mateys! Ye needs ta be preparin' yerselves fer Talk Like a Pirate Day!
 
DNS queries are made on a standard port, 53 if I recall correctly. Can you firewall this port for those that aren't on your network?



 

Yes I can, but this DNS is authoritative for my domain. When I block TCP 53 and UDP 53 at the firewall, external DNS queries such as a reverse lookup for my web or email servers fail.

However, I believe I have resolved this issue. There are 2 places in the Windows DNS server configuration dialog where one can disable recursion. One of them (on the Forwarders tab) apparently does nothing as far as I can tell. The other one is on the Advanced tab and that one seems to actually work.



 
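Added example for this thread (not code posted by anyone in it): a small Python probe that does what the auditor did. It sends a query with the RD (recursion desired) bit set for a name the server is not authoritative for and reads the RA (recursion available) flag, RCODE and answer count out of the reply, so you can confirm the Advanced-tab change from outside the firewall without turning off authoritative service. The server address (a TEST-NET-3 placeholder), the two host names and the hex-encoded replies checked in the tests are all constructed for the example.

```python
"""Check from outside whether a DNS server will recurse for you.

Added example for this thread, not code posted by anyone in it. It does
what the audit did: sends a query with the RD (recursion desired) bit set
for a name the server is NOT authoritative for, then reads the RA
(recursion available) flag, RCODE and answer count out of the reply.
The server address and the two host names below are placeholders.
"""
import socket
import struct

# Header flag bits (RFC 1035, section 4.1.1)
QR = 0x8000  # message is a response
AA = 0x0400  # authoritative answer
RD = 0x0100  # recursion desired (set by the client)
RA = 0x0080  # recursion available (set by the server)

RCODE_NOERROR = 0
RCODE_REFUSED = 5

TXID = 0x1234  # fixed transaction id so the reply can be matched


def build_query(name: str, recursion_desired: bool = True) -> bytes:
    """Build a minimal A/IN query for `name`, with RD set by default."""
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", TXID, flags, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(response: bytes) -> dict:
    """Pull the fields an auditor looks at out of the 12-byte header."""
    if len(response) < 12:
        raise ValueError("truncated DNS response")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "txid": txid,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "ra": bool(flags & RA),
        "rcode": flags & 0x000F,
        "ancount": ancount,
    }


def classify(hdr: dict) -> str:
    """Interpret the reply to an RD=1 query.

    'authoritative'    answered from the server's own zone data (AA set): the
                       name is one it hosts, so this says nothing about
                       recursion but confirms authoritative service still works
    'open-recursion'   the audit finding: RA set and the off-zone name resolved
    'recursion-denied' REFUSED, or no answer with RA clear: the desired state
    """
    if hdr["aa"] and hdr["ancount"] > 0:
        return "authoritative"
    if hdr["rcode"] == RCODE_REFUSED:
        return "recursion-denied"
    if hdr["ra"] and hdr["rcode"] == RCODE_NOERROR and hdr["ancount"] > 0:
        return "open-recursion"
    if not hdr["ra"] and hdr["ancount"] == 0:
        return "recursion-denied"
    return "inconclusive"


def probe(server: str, name: str, timeout: float = 3.0) -> dict:
    """Send one recursive UDP query to `server` and return the parsed header."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["txid"] != TXID or not hdr["qr"]:
        raise ValueError("reply does not match our query")
    return hdr


if __name__ == "__main__":
    # Placeholders: the audited server's public IP (TEST-NET-3 here), a name
    # the server does not host, and a name it is authoritative for. After the
    # fix the first should classify as recursion-denied, the second as
    # authoritative.
    SERVER = "203.0.113.53"
    OFF_ZONE = "www.example.net"
    IN_ZONE = "www.example.com"
    print("off-zone query:", classify(probe(SERVER, OFF_ZONE)))
    print("in-zone query: ", classify(probe(SERVER, IN_ZONE)))
```

Run it from a host outside the firewall. Before the fix the off-zone query comes back as open-recursion; after it, recursion-denied, while the in-zone query still comes back authoritative, which is exactly the distinction that blocking port 53 outright cannot make. The Advanced-tab checkbox ("Disable recursion (also disables forwarders)") is what flips that result. The Forwarders-tab option "Do not use recursion for this domain" only stops the server from falling back to root hints when the forwarders fail, so it never refuses a client's recursive query, which is why it had no effect on the audit. On the server itself the same setting can be made from a command prompt with `dnscmd . /Config /NoRecursion 1`.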
Forwarders tab: apply a check mark for "Do Not Use Recursion for this domain".

Under the "Advanced" tab... uncheck "Disable recursion...".

Firewall settings for the server... DNS outgoing unblocked or restricted to trusted ISPs (forwarders); block incoming for servers not needing incoming DNS. Personally I block DNS at the firewall for all workstations out/in, as this stops any chance of malware/viruses redirecting requests to other than the internal DNS servers.
In the Forwarders tab, add your ISP's DNS servers' IP addresses (2 addresses) and IP addresses from another trusted ISP (2 entries). The second ISP's entries help if your ISP's DNS servers have issues or are changed without notice. It happens.


........................................
Chernobyl disaster..a must see pictorial
 