Recursive DNS on Domain controller that has port 53 exposed externally

Posted on 2012-08-22
Last Modified: 2012-10-05

At my department within the University, I have two 2008R2 domain controllers.  Originally they were not exposed to the world; however in the past few months, port 53 was opened so that our external teams could access certain internal machines.  

The university did a network scan and said that my DC was a recursive DNS server, which could possibly lead to denial of service attacks.  

I looked yesterday and an article said to set "secure only" on all of my forward and reverse lookup zones as well as disable recursive DNS.  I clicked on the disable recursive DNS and things stopped working.  I unchecked it and things, of course, started working.  Since I do not use any forwarders, I rely on root hints.  Disabling recursive DNS disables that as well.

What exactly can/should I do to ensure I have the correct security on this server so that my DNS does not get owned?

Question by: lbtoadmin

    Accepted Solution

    You are sort of stuck in your situation because you don't have forwarders and are relying on root hints.  

    You could forward "all other domains" to something like the Google DNS servers.

    You could then check the "do not use recursion for this domain" box... note that in 2008 DNS the wording is different; good screenshots here

    By the way, if anyone wants to know more about the issues from a security standpoint, see
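
The university's scan result can be reproduced, and re-checked after any change, with a small probe that sends one query with the RD (recursion desired) bit set for a name the server is not authoritative for and inspects the RA (recursion available) bit and RCODE in the reply. The code below is an added example for this thread, not something Mike or the asker posted. It assumes a test name `www.example.com` that the DC does not host (querying a zone the DC is authoritative for would be answered even with recursion off, so it proves nothing) and takes the server address on the command line; the sample responses at the bottom are constructed header bytes for offline use.

```python
"""Open-resolver probe: does a DNS server answer recursive queries for a
name it is not authoritative for?  (Added example, not from the thread.)"""
import socket
import struct
import sys

QNAME = "www.example.com"   # assumption: a name the tested server does NOT host
QTYPE_A = 1
QCLASS_IN = 1
TXID = 0x1234                # fixed transaction id; fine for a single probe


def build_query(name: str, txid: int = TXID) -> bytes:
    """Build a minimal A query with RD=1, exactly what an open-resolver scan sends."""
    flags = 0x0100  # QR=0, opcode=0 (QUERY), RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header; only the flags and counts matter here."""
    if len(resp) < 12:
        raise ValueError("short DNS response")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),     # response bit
        "rd": bool(flags & 0x0100),     # recursion desired echoed back
        "ra": bool(flags & 0x0080),     # recursion available
        "rcode": flags & 0x000F,        # 0 = NOERROR, 5 = REFUSED
        "ancount": an,
    }


def classify(resp: bytes, txid: int = TXID) -> str:
    """Turn a response into a verdict a scan report would give."""
    h = parse_header(resp)
    if h["id"] != txid or not h["qr"]:
        return "invalid"
    if h["rcode"] == 5:                  # recursion disabled or denied: good
        return "refused"
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open-resolver"           # it resolved a foreign name for us
    if not h["ra"]:
        return "recursion-not-available"
    return "unknown"


def probe(server: str, name: str = QNAME, timeout: float = 3.0) -> str:
    """Send the query over UDP/53 and classify whatever comes back."""
    query = build_query(name, TXID)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-response"         # port filtered: also good
    return classify(resp, TXID)


# Constructed sample headers (no question/answer sections needed for the verdict):
SAMPLE_RESPONSES = {
    # QR=1 RD=1 RA=1 NOERROR, one answer record: an open resolver
    "open": struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0),
    # QR=1 RD=1 RA=0 REFUSED: recursion disabled for this client
    "refused": struct.pack("!HHHHHH", TXID, 0x8105, 1, 0, 0, 0),
    # QR=1 RD=1 RA=0 NOERROR, no answers: server declines to recurse
    "no-ra": struct.pack("!HHHHHH", TXID, 0x8100, 1, 0, 0, 0),
}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(f"{target}: {probe(target)}")
```

Run it from outside the campus network against the DC's public address; anything other than `refused`, `recursion-not-available` or `no-response` means the scanner will keep flagging it. Two points worth knowing before applying Mike's steps: forwarding "all other domains" to Google changes where the DC gets its answers, but the DC still answers recursive queries from any Internet client, so the probe will still report `open-resolver`; only disabling recursion on the server (`dnscmd /Config /NoRecursion 1` on 2008 R2, which also stops root-hint lookups for internal clients) or restricting who can reach port 53 changes the verdict, which is why closing the port and going through the VPN, as the asker did, is the clean fix.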



    Author Closing Comment

    We've decided to close the port because our VPN will be the solution for this.  Much more secure.  The solution Mike provided did answer my question and provided me with good security insight.
