[DNS] Server 2012 R2 DNS Recursion



Hi,

 

I've got a little lab set up at home with Server 2012 R2 acting as AD/DNS. I've got DNS set up so that my client PCs connect to the R2 box to resolve internet names; the R2 has a forwarder that points to my ISP's DNS server. Now the problem I have is that my server is acting as an open DNS resolver, which apparently is bad. I've googled around and found that disabling DNS recursion will fix this, but it will also disable forwarding.

The question is: how can I use my R2 box as a DNS server, resolving internet names for my client PCs, and stop it acting as an open DNS resolver?

Cheers guys!


Is disabling DNS recursion relevant in a small test setup? My understanding is that by disabling DNS recursion you are effectively saying "stop processing further DNS queries at this point". I would think this is for larger networks where you have multiple DNS servers with possibly multiple domains. I'm not entirely certain how this would be set up, as my network is relatively small, but I'm sure there are people with far more experience than myself who will be able to answer.


Yeah, publicly sourced unsolicited traffic should not be forwarded to your AD/DNS.

While you do need to support recursion to have your server look up, say, www.google.com for your clients, didn't 2012 allow for views where you can limit who the server will do recursion for? So you limit the recursion to only local network boxes, prevent it for anything else, and also turn off DNS inbound into your DNS from the public internet.

Yeah, DNS and NTP attacks have become very popular again ;) Opening up such services to the public net requires some work to make sure you're safe.

Hmmm - quick google and I don't see 2012 supporting views yet? Maybe my google-fu is off today? But the issue goes away if you just don't let the internet talk to your DNS; since you're not hosting DNS to the public internet, there would be no reason to allow unsolicited traffic to your DNS box. Doing so is asking for security issues.


Do you have DNS (port 53) open on your firewall inbound from the internet? If you're just forwarding requests, I'd use Google DNS 8.8.8.8 and 8.8.4.4 and let your router handle the outbound requests via NAT.

If you're hosting sites that require your DNS server to resolve the requests, then build a forward-facing DNS server that's not an AD server and is separate from your internal DNS server.

Alternatively, look at:

http://www.rackspace.com/knowledge_center/article/preventing-dns-amplification-attacks-via-the-windows-firewall-in-windows-2008-r2-or-windows

I've set Windows Firewall on DNS port 53 incoming for TCP/UDP to allow requests only from my internal network.

Thanks.

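The two posts above (the suggestion to firewall port 53, and the reply that it has been scoped to the internal network) describe a change but not how to make or verify it on Windows Server 2012 R2. The following PowerShell is an added example written for this thread, not code from any poster or from Microsoft's documentation. It assumes an elevated session on the DC, that the `DnsServer` and `NetSecurity` modules are present (they ship with the DNS Server role on 2012 R2), that the role's built-in inbound rules sit in the display group "DNS Service", and a constructed LAN range of 192.168.1.0/24 that you would replace with your own.

```powershell
# Added example (not from the thread): keep recursion on for the forwarder,
# but limit who can reach port 53 on the DC, then verify the result.
# Assumptions: elevated session on the DC; LAN is 192.168.1.0/24 (constructed);
# the DNS role's inbound rules live in display group 'DNS Service'.

Import-Module DnsServer
Import-Module NetSecurity

$InternalSubnets = @('192.168.1.0/24', '127.0.0.1')   # constructed placeholder; set to your LAN

# 1. Recursion must stay enabled or the forwarder stops working (the OP's
#    concern). Just show the current state so the change is documented.
Get-DnsServerRecursion | Format-List Enable, SecureResponse, Timeout

# 2. The role installs "allow from any remote address" rules for port 53.
#    Disable them (rather than delete) so a role repair cannot silently
#    reopen the port, then add rules scoped to the internal subnets only.
Get-NetFirewallRule -DisplayGroup 'DNS Service' -Direction Inbound -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

foreach ($proto in 'UDP', 'TCP') {
    $name = "DNS-Server-In-$proto-LAN-only"
    if (-not (Get-NetFirewallRule -Name $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -Name $name -DisplayName "DNS ($proto-In) LAN only" `
            -Direction Inbound -Protocol $proto -LocalPort 53 `
            -RemoteAddress $InternalSubnets -Action Allow -Profile Any | Out-Null
    }
}

# 3. Verify: no enabled inbound rule may expose local port 53 to 'Any' remote address.
function Test-DnsPort53Scoped {
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '53' }
    $unscoped = $rules | Where-Object {
        ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any'
    }
    if ($unscoped) {
        Write-Warning "Port 53 still reachable from any address via: $($unscoped.DisplayName -join ', ')"
        return $false
    }
    return $true
}

Test-DnsPort53Scoped
```

The host firewall scope is defence in depth; as the next reply points out, the real question is why internet traffic reaches port 53 on the DC at all, so check the router's port-forward and DMZ settings first and re-run `Test-DnsPort53Scoped` after any role repair or Group Policy change that might re-enable the stock rules. As a caveat outside this thread, the "views" the second poster asks about arrived in Windows Server 2016 as DNS policies with recursion scopes; on 2012 R2 the firewall scope is the available control.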

"I've set Windows Firewall on DNS port 53 incoming for TCP/UDP to allow requests only from my internal network."

And why is your Windows Firewall even seeing traffic from the internet to DNS port 53 in the first place? Do you have your server in the DMZ or something? What ports do you have forwarded on your router?
