Configure the DNS server to allow recursive DNS queries only from trusted networks

  • Question

  • My DNS server is Windows Server 2003.

    I know how a Linux or Unix DNS server uses BIND to do it.

    But how does a Windows 2003 DNS server allow recursive DNS queries only from trusted networks?

    Thursday, February 23, 2012 9:32 AM

All replies

  • Hi Jerome,

    Thanks for posting in Windows Server forum.

    By default, recursion is enabled for the DNS Server service. It is possible to query the remote name server for third-party names. Unlike BIND, where we can define a group of internal addresses that may use recursive queries, a Windows DNS server with recursion enabled allows anyone to use it to resolve recursive queries.

    In addition, please note attackers can use recursion to deny the DNS Server service. Therefore, if a DNS server in your network is not intended to receive recursive queries, recursion should be disabled on that server.

    Disable Recursion on the DNS Server
    http://technet.microsoft.com/en-us/library/cc771738.aspx

    Checklist: Secure Your DNS Server
    http://technet.microsoft.com/en-us/library/cc770432.aspx


    Best Regards,
    Aiden


    Aiden Cao

    TechNet Community Support

    Friday, February 24, 2012 6:56 AM
  • But I have several trusted domains, and I create forwarders for these trusted domains. If I disable recursion, I am not able to use the forwarders.

    So this is the problem.

    Friday, February 24, 2012 7:15 AM

  • Hi,

    I understand that we need to use forwarders on this DNS server, so disabling recursion on this server is not an option. As I said, we cannot restrict recursive queries based on IP addresses on a domain DNS server. However, we can check "Do not use recursion for this domain" under the Forwarders tab. It can prevent the use of root hints, restricting the query.

    The detailed query process:
    If the DNS server cannot resolve the name, it will forward the query to the servers listed under forwarders.
    If the forwarder still cannot resolve it, the operation stops instead of sending the query to the root hints, and the query fails.

    In addition, you may refer to the following thread discussing recursive queries. Hope it helps.

    http://social.technet.microsoft.com/Forums/en/winserverNIS/thread/e117f600-4dea-4fcf-8827-eb2a34c49391


    Best Regards,
    Aiden


    Aiden Cao

    TechNet Community Support

    Friday, February 24, 2012 9:29 AM
  • Hi Aiden Cao,

    Thank you very much. I got lots of helpful information from your post.

    I am not sure if my understanding is correct.

    If I want to allow Internet access, I have to allow recursive queries.

    Although I can use recursion only for the trusted domains, what about most of the Internet domain names?

    Yes, I can forward all the other queries to another DNS proxy, but the proxy has to allow recursive queries, so the proxy also has the same risk.

    As I understand, I have to use a Linux BIND DNS server as the proxy, so I can drop the risk.

    Am I correct?

    Saturday, February 25, 2012 7:28 AM
  • Hi,

    Yes, your understanding is correct. In order to access the Internet, we cannot disable recursion. However, I do not know exactly what security level you want to achieve. Generally speaking, pointing your internal DNS to a DNS proxy (through a firewall) will provide a relatively secure infrastructure for most cases.

    For your information, please refer to the following articles:

    Interoperability with BIND
    http://technet.microsoft.com/en-us/library/cc755717(v=ws.10).aspx

    Security information for DNS
    http://technet.microsoft.com/en-us/library/cc783606(v=ws.10).aspx


    Best Regards,
    Aiden


    Aiden Cao

    TechNet Community Support

    • Marked as answer by Jerome Xiong Wednesday, February 29, 2012 3:11 PM
    Wednesday, February 29, 2012 8:40 AM
  • I am also looking for a solution to filter answers to recursive queries like linux dns can do but so far no luck.

    If anyone has a solution for this, I can't wait to hear it.....


    Friday, August 3, 2012 12:30 PM
  • Hi,

    Check out "simple dns".

    Tuesday, August 7, 2012 6:31 AM
  • The only way to accomplish what you are all asking is to add 2 more Active Directory DNS servers to your network.

    Essentially this is what you would have:

    • 2 Internal Active Directory DNS Servers with Recursion Enabled.
    • 2 External Active Directory DNS Servers with Recursion Disabled.

    You would then block all Port 53 Traffic from the Outside to your two Internal DNS Servers

    And set all your clients to use the Internal DNS Servers via DHCP.

    Allow all UDP 53 Traffic from the Outside to your two External DNS Servers.

    That will eliminate your Recursion issues.  But it will also add two more boxes to your network.  I would also suggest you look into some of the virtualization technologies out there so that you can maximize your hardware use with these boxes, since they may not need a ton of resources.

    Good Luck,

    Jeremy


    • Proposed as answer by J Cox Tuesday, April 16, 2013 3:22 PM
    • Edited by J Cox Tuesday, April 16, 2013 3:24 PM
    • Unproposed as answer by J Cox Tuesday, April 16, 2013 3:27 PM
    • Proposed as answer by S Marco Tuesday, April 16, 2013 3:39 PM
    Tuesday, April 16, 2013 3:22 PM
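
A way to verify the internal/external split described in the reply above, as an added example that is not part of any post in this thread: send a query with the RD bit set to one of your own DNS servers from outside the firewall and read the RA bit, RCODE and answer count from the reply header. The function names, the result labels and the `192.0.2.53` placeholder address are assumptions of this example.

```python
import socket
import struct

QID = 0x1234  # arbitrary query ID used by this example

def build_query(name, qid=QID):
    """DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def classify_response(data, qid=QID):
    """Read the reply header and report whether the server recursed for us."""
    if len(data) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid or not flags & 0x8000:      # wrong ID, or QR (response) bit clear
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 5:                            # REFUSED
        return "refused"
    if flags & 0x0080:                        # RA: recursion available
        return "open-recursion" if rcode == 0 and ancount else "recursion-offered"
    return "no-recursion"

def probe(server, name, timeout=3.0):
    """Send one query over UDP 53 and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-answer"
    return classify_response(data)

# Constructed sample reply headers (not captured traffic): QR+RD+RA with one
# answer, and QR+RD with RA clear and no answers.
SAMPLE_RECURSED = struct.pack("!HHHHHH", QID, 0x8180, 1, 1, 0, 0)
SAMPLE_NOT_RECURSED = struct.pack("!HHHHHH", QID, 0x8100, 1, 0, 0, 0)

if __name__ == "__main__":
    print(classify_response(SAMPLE_RECURSED))
    print(classify_response(SAMPLE_NOT_RECURSED))
    # From outside the firewall, against your own external server (placeholder IP):
    # print(probe("192.0.2.53", "example.com"))
```

Query a name the server is not authoritative for; an external server with recursion disabled should never come back as `open-recursion`, and an internal server probed from outside should give `no-answer` once port 53 is blocked.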
  • I am facing the same problem, and I don't quite understand the solution. To avoid a DDoS attack, I have to disable recursion, but that means my internal servers cannot use it. So I need two internal DNS with recursion enabled and two external with recursion disabled.

    That sounds like a very poor solution. Also, I am wondering how those commercial DNS servers work; they need to provide recursion support, right? How do they avoid those attacks?


    WYX

    Sunday, June 2, 2013 12:33 AM
  • Jeremy,

    Thank you!  You gave me an idea I have been trying to solve for about a month now.  Recursions allowed only on Internal DC's and Disabled on EXTERNAL DNS servers - to serve domain, mail, dns, etc.

    Make sure the external DNS doesn't reference the internal servers, otherwise the recursion will simply continue utilizing the internal servers.

    Thanks,

    Ray

    Sunday, June 30, 2013 5:15 PM
  • Also, If you are being attacked like I have been by DDoS, remove your root hints as well!

    Thanks,

    Ray

    Monday, July 1, 2013 12:12 AM
  • WYX.  I am doing it with 3 servers.  2 Internal and 1 External.  You should have 2 Internal DC's anyways so I am not sure what the big deal is?  Both are Host machines and the External is a VM.

    Thanks,

    Ray

    Monday, July 1, 2013 12:16 AM
  • Hi J.

    I have the exact same scenario (2+2) in my environment, but when I disabled recursive queries on my external DNS (Windows Server 2012), I ceased to be able to do Windows updates on the server because it cannot resolve names.

    Is there a way to solve this problem?

    Thanks in advance for your help!

    Cheers!

    Thursday, August 27, 2015 2:27 PM