<div>
We've decided to close the port because our VPN will be the solution for this. &nbsp;Much more secure. &nbsp;The solution Mike provided did answer my question and provided me with good security insight.
</div>


We've decided to close the port because our VPN will be the solution for this.  Much more secure.  The solution Mike provided did answer my question and provided me with good security insight.

<div>
<div class="content wysiwyg-content">
Hello,<br />
<br />
At my department within the University, I have two 2008R2 domain controllers. &nbsp;Originally they were not exposed to the world; however in the past few months, port 53 was opened so that our external teams could access certain internal machines. &nbsp;<br />
<br />
The university did a network scan and said that my DC was a recursive DNS server, which could possibly lead to denial of service attacks. &nbsp;<br />
<br />
I looked yesterday and an article said to set &quot;secure only&quot; on all of my forward and reverse lookup zones as well as disable recursive DNS. &nbsp;I click on the disable recursive DNS and things stopped working. &nbsp;I unchecked it and things, of course, started working. &nbsp;Since I do not use any forwarders, I rely on root hints. &nbsp;Disabling recursive DNS disables that as well.<br />
<br />
What exactly can/should I do to ensure I have the correct securing on this server so that my DNS does not get owned.<br />
<br />
Thanks,
</div>
</div>


Hello,

At my department within the University, I have two 2008R2 domain controllers.  Originally they were not exposed to the world; however in the past few months, port 53 was opened so that our external teams could access certain internal machines.  

The university did a network scan and said that my DC was a recursive DNS server, which could possibly lead to denial of service attacks.  

I looked yesterday and an article said to set "secure only" on all of my forward and reverse lookup zones as well as disable recursive DNS.  I click on the disable recursive DNS and things stopped working.  I unchecked it and things, of course, started working.  Since I do not use any forwarders, I rely on root hints.  Disabling recursive DNS disables that as well.

What exactly can/should I do to ensure I have the correct securing on this server so that my DNS does not get owned.

Thanks,

Recursive DNS on Domain controller that has port 53 exposed externally

The Domain Name System (DNS) is a hierarchical, globally distributed system responsible for associating the name of a computer, service or other resource into an IP address for connecting to the Internet or a private network. Most prominently, it translates domain names to the numerical IP addresses needed for the purpose of computer services and devices worldwide.

Windows Server 2008 and Windows Server 2008 R2, based on the Microsoft Vista codebase, is the last 32-bit server operating system released by Microsoft. It has a number of versions, including including Foundation, Standard, Enterprise, Datacenter, Web, HPC Server, Itanium and Storage; new features included server core installation and Hyper-V.

Windows Server 2008

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.