

Recursive DNS on Domain controller that has port 53 exposed externally

Posted on 2012-08-22
Medium Priority
Last Modified: 2012-10-05

At my department within the University, I have two 2008R2 domain controllers. Originally they were not exposed to the world; however, in the past few months, port 53 was opened so that our external teams could access certain internal machines.

The university did a network scan and said that my DC was a recursive DNS server, which could possibly lead to denial of service attacks.

I looked yesterday and an article said to set "secure only" on all of my forward and reverse lookup zones as well as disable recursive DNS. I clicked on "disable recursive DNS" and things stopped working. I unchecked it and things, of course, started working. Since I do not use any forwarders, I rely on root hints. Disabling recursive DNS disables that as well.

What exactly can/should I do to ensure I have the correct security on this server so that my DNS does not get owned?

Question by: lbtoadmin

Accepted Solution

Mike Kline earned 2000 total points
ID: 38321699
You are sort of stuck in your situation because you don't have forwarders and are relying on root hints.

You could forward "all other domains" to something like the Google DNS servers.

You could then check "do not use recursion for this domain"... note that in 2008 DNS the wording is different; there are good screenshots here.

By the way, if anyone wants to know more about issues from a security standpoint, see



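The finding that started this thread ("my DC is a recursive DNS server") can be verified from the outside with a single UDP query: send a query with RD=1 for a name the server is not authoritative for and look at the RA (recursion available) bit and the answer count in the reply. The script below is an added example, not code from the original thread or from Microsoft; it builds the query by hand, decodes the reply header, and classifies the result. The probe target `192.0.2.53` and the probe name `example.com` are placeholders, and `make_response` constructs synthetic replies so the check can be exercised offline.

```python
"""Open-recursion check for a DNS server (added example, not from the thread).
Builds a raw DNS query, parses the reply header and reports whether the
server recursed for a name it does not host."""
import random
import socket
import struct
import sys
from typing import Optional


def build_query(name: str, qtype: int = 1, rd: bool = True,
                txid: Optional[int] = None) -> bytes:
    """Minimal RFC 1035 query: 12-byte header plus one question.
    RD=1 asks the server to recurse on our behalf, which is exactly what
    an open-resolver scan sends."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    flags = 0x0100 if rd else 0x0000            # QR=0, OPCODE=QUERY, RD bit
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)   # QCLASS IN


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header; the flag bits decide the verdict."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": txid,
            "qr": bool(flags & 0x8000),     # this is a response
            "aa": bool(flags & 0x0400),     # authoritative answer
            "rd": bool(flags & 0x0100),     # recursion desired (echoed back)
            "ra": bool(flags & 0x0080),     # recursion available to this client
            "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify(msg: bytes, txid: int) -> str:
    """Verdict for a reply to a query about a name the server is NOT
    authoritative for (a name outside every zone the DC hosts)."""
    h = parse_header(msg)
    if h["id"] != txid or not h["qr"]:
        return "not-a-response"
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0 and not h["aa"]:
        return "open-recursive"            # it resolved someone else's name for us
    if not h["ra"]:
        return "recursion-not-offered"     # RA clear: server will not recurse for us
    return "other"


def make_response(txid: int, flags: int, answers: int) -> bytes:
    """Constructed reply for offline demonstration (not captured traffic):
    the example.com question echoed, then `answers` A records for 192.0.2.1
    using a compression pointer back to the question name."""
    hdr = struct.pack(">HHHHHH", txid, flags, 1, answers, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return hdr + question + rr * answers


def probe(server: str, name: str = "example.com", port: int = 53,
          timeout: float = 3.0) -> str:
    """Live check over UDP. Run it only against servers you are responsible for."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid=txid), (server, port))
        reply, _ = s.recvfrom(4096)
    return classify(reply, txid)


if __name__ == "__main__":
    # Placeholder address; pass the DC's public IP as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"
    print(target, probe(target))
```

Run it from a host outside the campus network against the DC's public address; "open-recursive" is the condition the university's scanner reported. Note what the forwarder approach does and does not change: with forwarders configured the DC still answers RD=1 queries from any client by asking the forwarder on their behalf, so the RA bit stays set and the probe still reports "open-recursive". The RA bit only clears when recursion is disabled on the server (the "Disable recursion (also disables forwarders)" setting, `dnscmd /Config /NoRecursion 1` on 2008 R2, readable back with `dnscmd /Info /NoRecursion`), which is why domain clients that rely on the DC for Internet names stopped working when the author tried it. Closing port 53 to the outside and reaching the internal hosts over the VPN, as the author ultimately did, removes the exposure without that trade-off.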

Author Closing Comment

ID: 38467701
We've decided to close the port because our VPN will be the solution for this.  Much more secure.  The solution Mike provided did answer my question and provided me with good security insight.
