lbtoadmin
asked on
Recursive DNS on Domain controller that has port 53 exposed externally
Hello,
At my department within the University, I have two 2008 R2 domain controllers. Originally they were not exposed to the world; however, in the past few months, port 53 was opened so that our external teams could access certain internal machines.
The university did a network scan and said that my DC was a recursive DNS server, which could possibly lead to denial of service attacks.
I looked yesterday and an article said to set "secure only" on all of my forward and reverse lookup zones as well as disable recursive DNS. I clicked on "disable recursive DNS" and things stopped working. I unchecked it and things, of course, started working. Since I do not use any forwarders, I rely on root hints. Disabling recursive DNS disables that as well.
What exactly can/should I do to ensure I have the correct security on this server so that my DNS does not get owned?
Thanks,
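An added example, not from the asker or from any Experts Exchange answer, showing how the two settings in the question are inspected and set with dnscmd on a 2008 R2 DC, and how the open-resolver finding can be closed at the host firewall without turning recursion off. The zone name, the internal network and the external teams' address range are placeholders, and the "DNS Service" firewall rule group name is an assumption to confirm on the box.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# prompt on the 2008 R2 DC. Placeholders: dept.example.edu is the AD zone,
# 10.0.0.0/8 the internal client networks, 198.51.100.0/24 the external
# teams' source range; substitute the real values.
$zone     = 'dept.example.edu'
$internal = '10.0.0.0/8'
$external = '198.51.100.0/24'

# 1. Inspect what the scanner saw. NoRecursion 0 means the server resolves
#    any name for any client that can reach port 53 (an open resolver).
#    AllowUpdate 2 is "Secure only" in the DNS console.
dnscmd /Info NoRecursion
dnscmd /ZoneInfo $zone AllowUpdate

# 2. Dynamic updates: accept only Kerberos-authenticated registrations on
#    the AD-integrated zone, so nothing outside the domain can add records.
#    This addresses record tampering; it does not change the recursion finding.
dnscmd /Config $zone /AllowUpdate 2

# 3. Recursion: the DC has to keep it, because domain members use the DC as
#    their resolver and root-hint resolution only works with recursion on.
#    Remove the open-resolver exposure at the firewall instead: disable the
#    any-source DNS rules and allow port 53 only from known networks.
#    List the predefined rules first; "DNS Service" is the assumed group name.
netsh advfirewall firewall show rule name=all | findstr /i "DNS"
netsh advfirewall firewall set rule group="DNS Service" new enable=no
foreach ($proto in 'UDP', 'TCP') {
    netsh advfirewall firewall add rule name="DNS 53 $proto scoped" dir=in `
        action=allow protocol=$proto localport=53 `
        remoteip="$internal,$external"
}

# 4. Verify afterwards from a host outside the allowed ranges: a query such as
#    "nslookup www.example.org <public IP of the DC>" should time out rather
#    than be answered, while internal clients still resolve through the DC.
dnscmd /Info NoRecursion
```

If the external teams only need to resolve names in your own zones, a separate authoritative-only DNS server (dnscmd /Config /NoRecursion 1) exposed on port 53 is the cleaner design, leaving the DCs reachable only from inside.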