How to setup authoritative DNS server in AD and prevent abuse?

I currently have 2 AD/DNS servers that are also authoritative and as such need to be open to the internet. This, however, exposes them to abuse and they are being misused.

What is the best way to put a stop to this?

I can't disable forwarding as that would put a stop to internet use within the network.
Cliff Galiher Commented:
You *rarely* want your AD servers handling internet queries. The most common way to handle this is to put DNS servers in a DMZ and set them up with secondary zones for the namespace that you need to be authoritative for. Those servers can have forwarding disabled so they won't be open DNS servers and will only handle queries for the zones they have access to. This prevents abuse and adds a secure layer to your internal servers.
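The layout described above, as an added PowerShell example that is not from any participant in this thread: the internal DCs stay primary for the zone and allow transfers only to the DMZ boxes, the DMZ boxes hold a read-only secondary copy with recursion off, and a final check confirms they are no longer open resolvers. All names and addresses (example.com, 10.0.0.10/.11 for the DCs, 203.0.113.10/.11 for the DMZ servers) are placeholders, and the DnsServer module (Windows Server 2012 or later) is assumed.

```powershell
# Assumed placeholders, not values from the thread
$Zone       = 'example.com'
$InternalDC = @('10.0.0.10', '10.0.0.11')       # AD-integrated primaries, LAN only
$DmzServers = @('203.0.113.10', '203.0.113.11') # authoritative-only secondaries

# ---- Run on each internal DC ------------------------------------------------
# Allow zone transfers (AXFR/IXFR, TCP 53) to the DMZ secondaries only, and
# notify them when the zone changes so their copy stays current.
Set-DnsServerPrimaryZone -Name $Zone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $DmzServers `
    -Notify NotifyServers -NotifyServers $DmzServers

# ---- Run on each DMZ server -------------------------------------------------
# Pull a read-only copy of the zone from the DCs.
Add-DnsServerSecondaryZone -Name $Zone -ZoneFile "$Zone.dns" -MasterServers $InternalDC

# Refuse recursive lookups: this is what stops the box being used as an open
# resolver for reflection/amplification. Forwarders are unused once recursion is
# off, but remove them anyway so the configuration is unambiguous.
Set-DnsServerRecursion -Enable $false
$fwd = (Get-DnsServerForwarder).IPAddress
if ($fwd) { Remove-DnsServerForwarder -IPAddress $fwd -Force }

# Do not re-export the zone to anyone who asks for it.
Set-DnsServerSecondaryZone -Name $Zone -SecureSecondaries NoTransfer

# ---- Verification, from any host that can reach the DMZ servers -------------
# Expected: an authoritative answer for a name inside the zone...
Resolve-DnsName -Name "www.$Zone" -Server $DmzServers[0] -Type A -DnsOnly

# ...and a failure for anything outside it. If this returns an answer, the
# server is still recursing and is still abusable.
try {
    Resolve-DnsName -Name 'www.microsoft.com' -Server $DmzServers[0] -DnsOnly -ErrorAction Stop
    Write-Warning "$($DmzServers[0]) still answers off-zone queries: recursion is NOT disabled"
} catch {
    Write-Output "Off-zone query refused as expected: $($_.Exception.Message)"
}
```

Firewall-wise this needs UDP/TCP 53 from the internet to the DMZ servers and TCP 53 from the DMZ servers to the DCs for the transfers; nothing from the internet should reach the DCs on 53 any more.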
JurajUQU (Author) Commented:
Can you explain how to do it or point me to an article or similar?
Cliff Galiher Commented:
Nope. Too many factors involved for an easy walkthrough. I don't know your network topology, or why you've decided your internal servers need to be authoritative (that alone is very unusual) or why you aren't just throwing your external DNS needs to a DNS hosted for dollars a month. I can only assume you have valid reasons. But it still would directly impact the details of the implementation.

In short, if you have the prerequisite knowledge, what I already said would be enough to answer the question and get you going down the right path and build an architecture. And if you don't, a walkthrough/tutorial isn't sufficient and a paid consultant should be brought in.
JurajUQU (Author) Commented:
I know I can create secondary zone on the server, that shouldn't be a problem but that would mean I'd need to create it on another physical server.

So I have 2 DNS servers available to the outside world and with enabled forwarding. What I so far understand is that I can create 2 new DNS servers that will have secondary zones and disabled forwarding/recursion. Those two will replace the 2 current ones, which in turn will be pulled inside the DMZ and only accept DNS queries for the internal network. Do I understand that correctly?

Btw why is it unusual and better to use an external provider? I already have one so could migrate there easily...
Cliff Galiher Commented:
No, you'd not replace your internal servers; these would be ADDITIONAL servers.

And it is weird because AD zones are often not the same as public zones. You'd usually have your AD zone be something like company.local, or alternatively a subdomain of a public domain. And since the domain names are unique, there is no reason for external authoritative control, and the external domain name can live on a hosted provider. No server to maintain or patch, better uptime and redundancy. And a better security footprint for your DCs.
JurajUQU (Author) Commented:
I believe I did say they'd be additional ones.

Ok, so it's for practical and security reasons. Fair enough.

Natty Greg (In Theory (IT)) Commented:
You got it right up to "I can create 2 new DNS servers that will have secondary zones and disabled forwarding/recursion."

Then you're wrong about what goes in the DMZ: your current servers can stay accessible from the local LAN but should not be accessible from the WAN any more, and the new servers are the ones to be put in the DMZ, with the ability to access your DC using DNS and DNS only, and be accessed from the outside using DNS only as well.

Using a secondary zone is not your only choice. A forward zone is easier to set up, works fine as well and does not require allowing replication mechanisms between your new servers and the existing ones, so you only need to open UDP port 53, which is MUCH better security-wise. In that case, your new servers are actually reverse proxies.

It is also considered best practice to use different software for reverse proxies and servers, and I consider it dangerous to open an MS machine to the WAN, whatever the service, so you may consider using a very simple DNS forwarder such as dnsmasq (configure it using a single line) rather than another paid 2008 server.

Moving to an external provider is a matter of choice. It is more convenient in such cases, but helps them kidnap your network when you want to move away from them. My recommendation is don't ever use the same provider for your DNS and for your domain: the person that handles the record saying which servers are authoritative must not be the one that does the hosting. If you switch to an external service, you can set them as secondary servers and keep your management on your existing servers.

Seth Simmons (Sr. Systems Administrator) Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.