Recursive DNS on Domain controller that has port 53 exposed externally
Posted on 2012-08-22
At my department within the University, I have two 2008R2 domain controllers. Originally they were not exposed to the world; however, in the past few months port 53 was opened so that our external teams could access certain internal machines.
The university did a network scan and said that my DC was a recursive DNS server, which could possibly lead to denial of service attacks.
I looked yesterday and an article said to set "secure only" on all of my forward and reverse lookup zones as well as to disable recursive DNS. I clicked "disable recursive DNS" and things stopped working. I unchecked it and things, of course, started working. Since I do not use any forwarders, I rely on root hints. Disabling recursive DNS disables that as well.
What exactly can/should I do to ensure this server is correctly secured so that my DNS does not get owned?
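An added check (an editor's example, not part of the question or of any answer) that reproduces what the university's scan reported: it sends one query with RD set for a name the server is not authoritative for and reads back the RA bit and RCODE, which is how an open resolver is identified from outside. The server address and the probe name example.com are assumptions; the embedded responses are constructed samples, not captured traffic.

```python
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1

def build_query(qname, txid=0x1234):
    """Build a single-question A query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags 0x0100 = RD
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", QTYPE_A, QCLASS_IN)

def parse_header(resp):
    """Decode the 12-byte DNS header; the RA bit is what an open-resolver scan looks at."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "ancount": an}

def classify(resp, expected_id=0x1234):
    """Map a response to what it says about recursion being offered to the querier."""
    h = parse_header(resp)
    if h["id"] != expected_id or not h["qr"]:
        return "invalid"
    if h["rcode"] == 5:                      # REFUSED: recursion denied to this client
        return "refused"
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open-recursive"              # answered a name it is not authoritative for
    if not h["ra"]:
        return "recursion-not-available"
    return "other"

def probe(server, qname="example.com", timeout=3.0):
    """Send the query over UDP/53 and classify the answer (network use; not run by the test)."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(512)
    return classify(data)

# Constructed sample responses (not captured traffic), built from the same query bytes.
_QUESTION = build_query("example.com")[12:]
_ANSWER = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION + _ANSWER  # QR|RD|RA
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _QUESTION         # RCODE 5
SAMPLE_NO_RA = struct.pack("!HHHHHH", 0x1234, 0x8102, 1, 0, 0, 0) + _QUESTION           # SERVFAIL, RA clear

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else classify(SAMPLE_OPEN))
```

Run it against the DC's external address from outside the campus network to see the same result the scan did; "open-recursive" means recursion is still offered to anyone who can reach port 53.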