[DNS] Server 2012 R2 DNS Recursion



Hi,


I've got a little lab set up at home with Server 2012 R2 acting as AD/DNS. I've got DNS set up so that my client PCs connect to the R2 box to resolve internet names, and the R2 box has a forwarder that points to my ISP's DNS server. Now the problem I have is that my server is acting as an open DNS resolver, which apparently is bad. I've googled around and found that disabling DNS recursion will fix this, but it will also disable forwarding.


The question is: how can I use my R2 box as a DNS server, resolving internet names for my client PCs, and stop it acting as an open DNS resolver?


Cheers guys!

https://www.neowin.net/forum/topic/1202199-dns-server-2012-r2-dns-recursion/

Is disabling DNS recursion relevant in a small test setup? My understanding is that by disabling DNS recursion you are effectively saying stop processing further DNS queries at this point. I would think this is for larger networks where you have multiple DNS servers with possibly multiple domains; I'm not entirely certain how this would be set up as my network is relatively small, but I'm sure there are people with far more experience than myself who will be able to answer.

Yeah, public-sourced unsolicited traffic should not be forwarded to your AD/DNS.


While you do need to support recursion to have your server look up, say, www.google.com for your clients, didn't 2012 allow for views where you can limit who the server will do recursion for? So you limit the recursion to only local network boxes, prevent it for anything else, and also turn off DNS inbound into your DNS from the public internet.


Yeah, DNS and NTP attacks have become very popular again ;) Opening up such services to the public net requires some work to make sure you're safe.


Hmmm - quick google and I don't see 2012 supporting views yet? Maybe my google-fu is off today? But the issue goes away if you just don't let the internet talk to your DNS; since you're not hosting DNS to the public internet, there would be no reason to allow unsolicited traffic to your DNS box. Doing so is asking for security issues.

Do you have DNS (port 53) open on your firewall inbound from the internet? If you're just forwarding requests, I'd use Google DNS 8.8.8.8 and 8.8.4.4 and let your router handle the outbound requests via NAT.


If you're hosting sites that require your DNS server to resolve the requests, then build a forward-facing DNS server that's not an AD server and is separate from your internal DNS server.


Alternatively, look at:

http://www.rackspace.com/knowledge_center/article/preventing-dns-amplification-attacks-via-the-windows-firewall-in-windows-2008-r2-or-windows

"I've set windows firewall on dns port 53 incoming for tcp/udp to allow requests only from my internal network."


AND why is your Windows firewall even seeing traffic from the internet to DNS port 53 in the first place? Do you have your server in the DMZ or something? What ports do you have forwarded on your router?
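An added example (not posted by anyone in this thread) of doing on the server what the replies above suggest, with PowerShell: keep recursion enabled so the forwarder keeps working, scope the DNS Server role's inbound firewall rules to the LAN instead of "any", and check that no inbound port-53 allow rule is still open to the world. Recursion scopes and DNS policies (the "views" asked about above) only arrived in Windows Server 2016, so on 2012 R2 the practical controls are the Windows Firewall scope and not forwarding port 53 on the router at all. Assumptions: the internal subnets are constructed placeholders, the role's default rules are named "DNS (UDP, Incoming)" and "DNS (TCP, Incoming)", and the DnsServer and NetSecurity modules are present (both ship with the role and the OS).

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the 2012 R2 DNS server.
# Constructed placeholders: replace with the subnets your clients actually use.
$InternalSubnets = @('192.168.1.0/24', '10.0.0.0/8')

Import-Module DnsServer
Import-Module NetSecurity

function Get-ResolverState {
    # Returns whether recursion is on and what the forwarders are, so you can confirm
    # that the fix below does NOT involve turning recursion off (that would break forwarding).
    $rec = Get-DnsServerRecursion
    $fwd = Get-DnsServerForwarder
    [pscustomobject]@{
        RecursionEnabled = $rec.Enable
        Forwarders       = ($fwd.IPAddress | ForEach-Object { $_.IPAddressToString }) -join ', '
        UseRootHint      = $fwd.UseRootHint
    }
}

function Set-DnsInboundScope {
    param([string[]]$Subnets)
    # Assumed rule names: the DNS Server role installs "DNS (UDP, Incoming)" and
    # "DNS (TCP, Incoming)". Restricting their remote-address scope means the firewall
    # only accepts port 53 from the LAN; the default inbound policy (block) handles the rest.
    Get-NetFirewallRule -DisplayName 'DNS (*, Incoming)' |
        Set-NetFirewallRule -Enabled True -RemoteAddress $Subnets
}

function Get-OpenDnsRule {
    # Audit check: every enabled inbound ALLOW rule on local port 53 whose remote scope
    # is still 'Any'. An empty result is what you want to see.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            ($_ | Get-NetFirewallPortFilter).LocalPort -contains '53' -and
            ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any'
        }
}

Get-ResolverState
Set-DnsInboundScope -Subnets $InternalSubnets
$open = @(Get-OpenDnsRule)
if ($open.Count -eq 0) {
    'No inbound DNS allow rule is open to Any.'
} else {
    'Still open to Any:'
    $open | Select-Object DisplayName, Profile
}

# From a LAN client, confirm forwarding still works through the server (placeholder IP):
# Resolve-DnsName -Name www.google.com -Server 192.168.1.10
```

The firewall scope is a second line of defence only: the question asked at the end of the last reply (what is port-forwarded on the router?) is the one that matters most, because if the router never forwards UDP/TCP 53 to the server, the Windows firewall should never see internet-sourced DNS traffic in the first place. Re-run `Get-OpenDnsRule` after any role re-install or Group Policy change, since those can recreate the default any-scoped rules.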
