DNS Recursion

    Question

  • We had an external security threat done that said we were open to dns pollution and the fix was to disable recursion. However I see that with disable recursion, "(also disables forwarders)" is there. If I check that, won't that mean that any website that is not in our own dns will not be able to be found by computers that are using this server as a primary DNS server? Should I leave this unchecked? Is there a better solution? Thanks,
    Wednesday, 14 July 2010 16:20

Answers

  • We had an external security threat done that said we were open to dns pollution and the fix was to disable recursion. However I see that with disable recursion, "(also disables forwarders)" is there. If I check that, won't that mean that any website that is not in our own dns will not be able to be found by computers that are using this server as a primary DNS server? Should I leave this unchecked? Is there a better solution? Thanks,

    What operating system is the DNS server?

    Under Windows 2003 and newer, "Secure cache against pollution" is enabled by default. On Windows 2000 it needs to be set. I think that this setting should suffice for internal needs and prevent DNS pollution.

    Also, which settings are you referring to?

    If Do not use recursion for this domain is enabled, the DNS server will pass the query on to forwarders, but will not recursively query any other DNS servers (e.g. external DNS servers or the Root Hints) if the forwarders cannot resolve the query. This setting pretty much disables Root Hints forcing it to only rely on the Forwarders.

    If Disable recursion under the Advanced Tab is set (which completely disables forwarders), the server will attempt to resolve a query from its own database only. It will not query any additional servers. This is normally set for content only nameservers, such as for web hosting companies that also host numerous domain names for their customers but don't want anyone else to use it as a DNS server to resolve outside names.

    If this is an internal DNS server and not exposed to the internet, "Secure cache against pollution" is set, and it's not offering public nameserver services for any public records, I think you will be fine and would leave it alone.

    Ace


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Thursday, 15 July 2010 04:36
  • Hi,

    Thanks for the post.

    I will second Ace's suggestion.

    You can view the DNS cache pollution settings using the following steps:

    1. Open the DNS Management Console by clicking Start, Programs, Administrative Tools, and then clicking DNS.
    2. Right click on the server name in the left window pane.
    3. Choose Properties.
    4. Choose the Advanced tab.
    5. Confirm that the "Secure cache against pollution" check box is selected.

    You can also check the current setting by running the following command at a command prompt: Dnscmd /Info /SecureResponses

    Thanks,

    Miles


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Thursday, 15 July 2010 07:31
    Moderator
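As an added check (not code from the thread or from Microsoft), the following PowerShell reads the same two settings Ace and Miles describe through the DNS Server service's registry values, NoRecursion (the Advanced-tab "Disable recursion" box) and SecureResponses ("Secure cache against pollution"); it assumes the standard Parameters key path and treats an absent value as the default the thread states.

```powershell
# Added example, not code from the thread or from Microsoft. Audits the two
# DNS Server settings discussed above: "Disable recursion" on the Advanced tab
# (registry value NoRecursion) and "Secure cache against pollution"
# (registry value SecureResponses). Assumption: the standard DNS Server role
# key below, and an absent value meaning the default described in the thread
# (recursion on; pollution protection on for Windows 2003 and later).
$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-DnsRecursionPosture {
    param(
        [string]$Path = $DnsParams,
        # Set when internal PCs use this server as their primary DNS server.
        [switch]$ServesInternalClients,
        # Set when the server answers queries from the internet.
        [switch]$InternetFacing
    )
    $p = Get-ItemProperty -Path $Path -ErrorAction Stop
    $noRecursion     = if ($null -ne $p.NoRecursion)     { [int]$p.NoRecursion }     else { 0 }
    $secureResponses = if ($null -ne $p.SecureResponses) { [int]$p.SecureResponses } else { 1 }

    $findings = @()
    if ($noRecursion -eq 1) {
        $findings += 'Recursion disabled: content-only server; forwarders and root hints are not used.'
        if ($ServesInternalClients) {
            $findings += 'WARNING: clients using this server cannot resolve names outside its own zones.'
        }
    } else {
        if ($secureResponses -eq 1) {
            $findings += 'Recursion enabled with cache pollution protection (the posture recommended above).'
        } else {
            $findings += 'Recursion enabled WITHOUT pollution protection; enable it: dnscmd /Config /SecureResponses 1'
        }
        if ($InternetFacing) {
            $findings += 'Recursion is open to the internet: this is what an external scan reports as open recursion.'
        }
    }

    [pscustomobject]@{
        NoRecursion     = $noRecursion
        SecureResponses = $secureResponses
        Findings        = $findings
    }
}

# Run on the DNS server itself; cross-check with: dnscmd /Info /SecureResponses
Get-DnsRecursionPosture -ServesInternalClients | Format-List
```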

All Replies

  • Windows Server 2003 SP and Windows XP Pro SP3 as client

    Does disabling of recursion on dns server lead to disabling of dns cache on client (and on server)?

    Added later:
    Are flushdns (ipconfig /flushdns) and "clear the DNS cache" synonyms?

    Here is exam prep question
    (I know you cannot condone them):

    QUESTION
    You have a DNS server that runs Windows Server 2003 Service Pack 2 (SP2).

    You need to prevent the DNS server from resolving host names on the Internet.

    What should you do?

    Answers:
    A - Disable recursion. 
    B - vgv8 dropped
    C - vgv8 dropped
    D - Clear the DNS cache.

    Thursday, 15 July 2010 06:17
  • Windows Server 2003 SP and Windows XP Pro SP3 as client

    Does disabling of recursion on dns server lead to disabling of dns cache on client (and on server)?

    Added later:
    Are flushdns (ipconfig /flushdns) and "clear the DNS cache" synonyms?

    Here is exam prep question
    (I know you cannot condone them):

    QUESTION
    You have a DNS server that runs Windows Server 2003 Service Pack 2 (SP2).

    You need to prevent the DNS server from resolving host names on the Internet.

    What should you do?

    Answers:
    A - Disable recursion. 
    B - vgv8 dropped
    C - vgv8 dropped
    D - Clear the DNS cache.


    vgv8,

    Mandrews' questions in this thread, which he started, are in regards to DNS server side settings and how it handles recursion (or "lookups") for querying clients.

    Your first question asking, "Does disabling of recursion on dns server lead to disabling of dns cache on client (and on server)?" is client side settings related. To explain this answer requires a little background to understand the answer. They are not related because each computer, whether a server or non-server, has a Client Side Resolver service that handles resolution, which maintains and controls the client side resolver cache. The cache stores lookups it has previously asked. The Client Side Resolver service has its own independent algorithm. If you want to disable the local Client Side Resolver services, simply disable the DNS Client Service. Disabling this service will disable caching of prior queries and forces it to re-query the same record each time the system needs to look it up.

    More info on this service: How to Disable Client-Side DNS Caching in Windows XP and Windows
    http://support.microsoft.com/kb/318803

    Added later:
    Are flushdns (ipconfig /flushdns) and "clear the DNS cache" synonyms?
    YES.

    To answer the exam question, based on my response and explanation to mandrews1234's question, you would disable recursion under the Advanced Tab, not under the Forwarders tab.

    It's not that I don't condone exam questions, it's that I don't condone braindump questions. There's a major difference. Having taken numerous Microsoft exams over the past 15 years, you tend to recognize actual exam questions.

    I hope I was able to answer your questions in a manner that was understandable.

    I also hope I was able to answer mandrews1234's questions in his/her thread.

    Ace


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Thursday, 15 July 2010 12:58
  • I understood the requirement:
    "You need to prevent the DNS server from resolving host names on the Internet"
    as requirement to prevent internal clients from resolving the host names on internet
    (external clients would find their own more proper for them DNS servers).

    What I have asked was not about how to disable dns cache but:
    Would disabling of recursion on dns server prevent (implied as immediately) dns clients from resolving the host names on internet
    (TTL is usually 48 hours)?

    Added later:
    Otherwise, the question simply has no choice for correct answer
    (braindumped it or brainwashed)

    • Edited by vgv8 Thursday, 15 July 2010 15:10
    Thursday, 15 July 2010 14:53
  • Thanks for everyone's help. Let me see if I can simplify my question. We have a dns server, we host around 120 sites. All of our internal PCs use this dns server as the primary dns server. We ONLY have DNS entries for the sites we host. My question is, if I check disable recursion, will that mean that all of our internal pcs won't be able to find any sites that aren't in our DNS? I.E. since we don't have any DNS records for google.com and our pcs use this as a primary dns server, will they not be able to find google.com? I don't think I quite understand how the disable recursion works yet.
    Thursday, 15 July 2010 15:02
  • Thanks for everyone's help. Let me see if I can simplify my question. We have a dns server, we host around 120 sites. All of our internal PCs use this dns server as the primary dns server. We ONLY have DNS entries for the sites we host. My question is, if I check disable recursion, will that mean that all of our internal pcs won't be able to find any sites that aren't in our DNS? I.E. since we don't have any DNS records for google.com and our pcs use this as a primary dns server, will they not be able to find google.com? I don't think I quite understand how the disable recursion works yet.

    Yes, that's correct. Disabling Recursion under the Advanced tab will eliminate internet resolution. So if the DNS server doesn't host a zone, such as google.com, it won't look elsewhere, therefore it can't resolve it. I think that if you leave this option unchecked and make sure the Prevent DNS Pollution setting is set, you should be fine, and your folks will still be able to resolve internet names.

    Ace

    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Thursday, 15 July 2010 17:59
  • That's what I thought, I just wanted to be sure before I told the brass. Thanks,
    Thursday, 15 July 2010 19:03
  • That's what I thought, I just wanted to be sure before I told the brass. Thanks,

    You are welcome!
    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Thursday, 15 July 2010 22:46
  • I understood the requirement:
    "You need to prevent the DNS server from resolving host names on the Internet"
    as requirement to prevent internal clients from resolving the host names on internet
    (external clients would find their own more proper for them DNS servers).

    What I have asked was not about how to disable dns cache but:
    Would disabling of recursion on dns server prevent (implied as immediately) dns clients from resolving the host names on internet
    (TTL is usually 48 hours)?

    Added later:
    Otherwise, the question simply has no choice for correct answer
    (braindumped it or brainwashed)

    One of your original questions was:

     "Does disabling of recursion on dns server lead to disabling of dns cache on client (and on server)?"

    The answer to that is No.

    Your next question:

    Would disabling of recursion on dns server prevent (implied as immediately) dns clients from resolving the host names on internet
    (TTL is usually 48 hours)?

    If you check Disable Recursion under the Adv Tab, yes, it will prevent DNS from resolving anything on the internet or elsewhere. The record's TTL has nothing to do with it.

    Late Edit/Addition: Originally misunderstanding your TTL reference and context in your question, I had to add this paragraph. If you disable recursion on the server, based on your "implied immediately," then the client will continue to use whatever is in its cache that's been previously resolved until the record's TTL has expired.

    Based on the exam prep question you originally posted and the possible choice of two answers you provided (A or D), the best answer out of the two was A, to disable recursion.

    Ace


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Thursday, 15 July 2010 22:54