open dns resolver issues on windows server 2008 R2

    Question

  • My client is running a Windows 2008 R2 server with DNS and DHCP roles. It's not a domain controller, just a workgroup server.

    got a notification from my client's isp:

    "These attacks have been facilitated through DNS
    amplification attacks. AT&T has detected these attacks and has confirmed
    that the IP address x.x.x.x allocated to your Internet access account is
    accessible from the Internet as an open DNS resolver. "

    tried disabling recursion, but then there is no access to the internet.

    tried disabling the firewall rule for dns udp, and no access to the internet.

    Does anyone have any idea how to correct this? Do I need to add a public DNS server to my DHCP scope for internet access? If I do, then what good is a DNS server if it doesn't resolve internet addresses?


    Gary

    Thursday, September 05, 2013 4:25 AM

Answers

  • Just to add, I was wondering why you had port 53 opened to your DNS servers. And just to point out, that rule you created is a port translation rule that allows access to your DNS server from the internet, just as if you had created a rule to allow access to an internal web server for public use, or for allowing webmail (OWA) access from the internet to your internal mail server.

    What you did, as Keith said, will stop that, but to further point out, the rules are not really needed again, I would just remove the rules completely. For internet access, such as allowing your users to access websites, your DNS to resolve external names (whether using Root hints or a Forwarder), just about any firewall will allow that out-of-the-box. In some firewalls, you have to create a rule to the outside untrusted interface to "allow established" meaning when an internal request goes to an outside resource, such as a website, to allow the response back in.

    The only time you want to create rules is when you want to allow inbound traffic with a port translation rule (such as what you originally unknowingly did for TCP & UDP 53) to a web server, OWA, SMTP traffic to a mail server, etc.; otherwise, leave it out of the box.

    -

    As for what the ISP is concerned about regarding DNS amplification attacks: they are a fairly recent method for attackers to create a DOS (denial of service). You can read up at a couple of recent discussions about what all that means in the following threads, with ways to stop or mitigate them.

    Best way to reduce or disable DNS amplification for external DNS?, Sunday, June 16, 2013 6:08 PM
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/d087a768-2075-49e4-afec-4fd23b50af0a/best-way-to-reduce-or-disable-dns-amplification-for-external-dns

    Protecting Windows DNS Server from being abused for DNS amplification attacks, Wednesday, April 10, 2013 8:05 AM
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/fac86dc7-779d-48eb-a113-9c06c2222af9/protecting-windows-dns-server-from-being-abused-for-dns-amplification-attacks


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    • Marked as answer by Gkeramidas Sunday, September 08, 2013 8:50 PM
    Sunday, September 08, 2013 7:51 PM
  • Hi Gary, sorry I completely forgot I hadn't replied to this!

    Yes that should do it, since you presumably don't need the DNS server to be accessible from the internet that's all you should need. You can check to make sure by using one of the many tools online for testing for open dns resolvers, for instance http://www.thinkbroadband.com/tools/dnscheck.html

    Good point about the forwarders, but not sure what I was thinking when I wrote that as you're quite right. You don't need to worry about that anyway since you're completely blocking external DNS access. If you needed to allow external access then you'd need to consider the DNS server settings themselves.

    • Proposed as answer by Ace Fekay [MCT]MVP Sunday, September 08, 2013 7:51 PM
    • Marked as answer by Gkeramidas Sunday, September 08, 2013 8:50 PM
    Sunday, September 08, 2013 2:24 PM
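Keith's suggestion is to verify the fix with an online open-resolver checker. The same check can be done by hand from a host outside the network: send one recursion-desired (RD=1) query for a name the server is not authoritative for and look at the reply flags. The script below is an added example, not part of the original thread; `SERVER_IP` is a placeholder to replace with the WAN address being tested, and the reply bytes in the tests are constructed, not captured.

```python
import socket
import struct

SERVER_IP = "192.0.2.10"   # placeholder (RFC 5737 documentation range), not from the thread
TXID = 0x1234              # transaction id we expect echoed back in the reply


def build_query(name, txid=TXID, qtype=1):
    """Build a standard RD=1 A query for `name` (qtype 1 = A, class 1 = IN)."""
    flags = 0x0100  # only RD (recursion desired) set
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def classify_response(resp, txid=TXID):
    """Classify a raw reply: 'open', 'refused', 'no-recursion' or 'other'."""
    if len(resp) < 12:
        return "other"
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:   # wrong id or not a response (QR=0)
        return "other"
    rcode = flags & 0x000F
    ra = bool(flags & 0x0080)                # RA = recursion available
    if rcode == 5:
        return "refused"                     # REFUSED: recursion denied to this client
    if rcode == 0 and ra and an > 0:
        return "open"                        # answered a foreign name recursively
    if not ra:
        return "no-recursion"
    return "other"


def probe(server_ip=SERVER_IP, name="example.com", timeout=3.0):
    """Send one UDP/53 query; 'no-response' means the port is filtered (the desired state)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-response"
    return classify_response(data)


if __name__ == "__main__":
    print(probe())
```

After the router rule from Gary's post is in place the expected result from the outside is `no-response`; `open` means the server is still reachable and answering recursive queries.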

All replies

  • I'd suggest you need to adjust your firewall to block external access to the DNS server, not block the server from making DNS requests out of your the network. How exactly that's done depends on your firewall, but you should be able to allow the server to make connections to the internet without allowing direct connections in from the outside.

    The other option would be to disable recursion and add an external DNS resolver to the forwarders list on the DNS server, so the server will then query that external source for the information and the clients will continue to get the responses from the server. That way the server is also able to cache the responses, so multiple clients wanting the same information only require a single external lookup.

    Thursday, September 05, 2013 6:21 AM
  • Thanks for the information, Keith.

    a couple things:

    1. I have a rule in the router's firewall to allow port 53. So what I did was create another rule to deny requests on port 53 on the WAN port of the router. I performed a test and it now shows my client's IP is not an open DNS resolver. Is what I did ok?

    2. You mention disabling recursion and adding an external DNS resolver. In Windows Server 2008 R2, how would I do this? Disabling recursion says it disables forwarders, so I'm unclear how or where to configure this.

    thanks again


    Gary

    Thursday, September 05, 2013 1:02 PM
  • thanks, i'll do that.

    Gary

    Sunday, September 08, 2013 8:49 PM
  • no problem, thanks for your help.

    Gary

    Sunday, September 08, 2013 8:49 PM
  • You are welcome. Post back with your results or if you have any questions.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Sunday, September 08, 2013 9:07 PM
  • I realize this is an old thread and probably resolved, but I add this comment only for those that may come across this thread, as I did, while searching for a solution for an open DNS resolver. I agree with Keith: check your firewall, or in my case your router. Disabling recursion on my DNS server did not fix the open DNS issue. However, after looking at my router I found that DNS proxy was enabled; oops, I must have done it when I was setting up my VLANs. Once I disabled DNS proxy on my router the open DNS issue was gone even with recursion enabled on my DNS server. Just on a side note, all my VLANs still have DNS resolution.



    • Edited by Sam Frangel Saturday, September 20, 2014 2:05 AM
    Saturday, September 20, 2014 2:00 AM