Recursive DNS on Domain controller that has port 53 exposed externally


At my department within the University, I have two 2008R2 domain controllers.  Originally they were not exposed to the world; however in the past few months, port 53 was opened so that our external teams could access certain internal machines.  

The university did a network scan and said that my DC was a recursive DNS server, which could possibly lead to denial of service attacks.  

I looked yesterday and an article said to set "secure only" on all of my forward and reverse lookup zones as well as disable recursive DNS.  I clicked on the disable recursive DNS and things stopped working.  I unchecked it and things, of course, started working.  Since I do not use any forwarders, I rely on root hints.  Disabling recursive DNS disables that as well.

What exactly can/should I do to ensure I have the correct securing on this server so that my DNS does not get owned?

Mike Kline commented:
You are sort of stuck in your situation because you don't have forwarders and are relying on root hints.  

You could forward "all other domains" to something like the Google DNS servers

You could then check the "do not use recursion for this domain"...note in 2008 DNS the wording good screenshots here

By the way if anyone wants to know more about issues from a security standpoint see
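A way to verify from the outside whether a server still behaves as the university scan described (answering recursive queries for names it is not authoritative for), as an added example that is not part of this thread or of any Windows DNS tooling. It builds a raw DNS query with the RD bit set, parses the response header, and reports whether the server advertised and performed recursion; the two sample responses are constructed inline so the parsing logic runs offline, and the `probe` function sends a real query only when you call it against a server you administer.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
QR = 0x8000  # response
AA = 0x0400  # authoritative answer
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available
RCODE_MASK = 0x000F


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a single-question DNS query (type A by default) with RD=1."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header into its flag bits and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd,
        "ancount": an,
        "nscount": ns,
        "arcount": ar,
    }


def classify(resp: bytes) -> str:
    """Classify a response to a recursive query for a name the server does not host.

    OPEN_RECURSIVE      - RA set and an answer was returned: the server resolved
                          the name on the querier's behalf (what the scan flagged).
    RECURSION_ADVERTISED - RA set but no answer (e.g. lookup failed upstream).
    RECURSION_DISABLED  - RA clear: the server will not recurse for this client.
    """
    h = parse_header(resp)
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "OPEN_RECURSIVE"
    if h["ra"]:
        return "RECURSION_ADVERTISED"
    return "RECURSION_DISABLED"


def probe(server: str, name: str = "example.com", timeout: float = 3.0) -> str:
    """Send one UDP query to `server` and classify the reply (network required)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch in DNS reply")
    return classify(data)


# Constructed sample replies (headers plus the echoed question) for offline use.
_QUESTION = build_query("example.com")[12:]
# Flags 0x8180 = QR|RD|RA, RCODE 0, one answer: an open recursive resolver.
OPEN_RESOLVER_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
# Flags 0x8105 = QR|RD, RA clear, RCODE 5 (REFUSED): recursion disabled.
HARDENED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    print("sample open resolver :", classify(OPEN_RESOLVER_RESPONSE))
    print("sample hardened      :", classify(HARDENED_RESPONSE))
```

Run `probe("<your-dc-ip>")` from a host outside the campus network once the recursion change has been made; a result of RECURSION_DISABLED for a name your DC does not host is what the scanner should see afterwards, while queries for your own zones continue to be answered authoritatively (AA set).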


lbtoadmin (Author) commented:
We've decided to close the port because our VPN will be the solution for this.  Much more secure.  The solution Mike provided did answer my question and provided me with good security insight.
Question has a verified solution.
