Cookbook/recipe steps to make a Win2008R2 DNS/domain controller DDoS/DRDoS attack-proof?

Hi All,

What are the steps to prevent outside IP addresses (i.e., all but the IPs on my network) from DRDoS/DDoS attacking a Windows Server 2008 R2 server (domain controller and DNS server)? Only domain clients need to contact the server for DNS requests. Steps I've taken, but which apparently do nothing to prevent DRDoS and/or DDoS attacks (or at least, the server still shows some vulnerability):

1. Preventing all but internal IP ranges from contacting the server ("incoming") via UDP & TCP on port 53 in Windows Firewall;
2. Disabling recursion (and forwarding) in the DNS Administrator properties dialog box for the listed server.

Any "go here, click this, select that" type of help would be appreciated; please do not recommend one of the many theoretical or generalized sources that abound on the Web; these really haven't helped much. Thanks!

David Johnson, CD, MVP (Owner) commented:
If you disable recursion and forwarding, then you will not be able to access any site that is not in your domain name system. Windows Firewall is easy enough to just allow the local network for input.

btan (Exec Consultant) commented:
DNSInspect assesses an individual resolver for vulnerability, but also offers the ability to test an entire DNS zone for several other possible configuration and security issues. It is always good to make sure your server is not exposed with a hole to be exploited.

Other measures (ideally) reduce the effect, but there is no silver bullet for DoS (the same as for other forms of attack: TCP, NTP, SSDP):
- Split your authoritative server (accepts queries) from your forwarder server (need not accept) if they are on the same box.
- For the AS, disable recursion; for the FS, enforce only allowing recursive queries coming from your internal address space.
- Windows DNS server (unlike BIND) does not support restricting DNS queries using an ACL or the like. So disable recursion on it as the AS and, if possible and using BIND as the FS, configure the ACL as mentioned previously.
- Block incoming access to the caching-only server from outside the organization's network. First, it can poison the cache, and a cache hit can bring the server to self-DoS due to the CPU/memory incurred if there is a high surge of queries.

You may consider such a restriction for your AS AXFR if your AS is acting as master to other AS slaves; the transfer and serial number sync interval can be impactful if no restriction is enforced.

In fact, external DNS protection should really consider services per se, as no matter what the DNS config, FW config or hardening, a high surge and cache hits from a botnet pool can and will still DoS your external servers as their targets. Services for consideration include OpenDNS, Cloudflare or equivalent.
dylyluv (Author) commented:
I was able to figure this out on my own, but the above comment was helpful. My solution was to remove the manually configured rule specifications in Windows Firewall (rules for port 53 for UDP & TCP, with local IP ranges allowed but everything else disallowed), and instead use the already-prepared "Predefined" -> "DNS Services" entry from the "New Rule" wizard's drop-down list, and then add my local subnets and masks to the allowed scope. Not sure why the manual route didn't work, but the above method worked in the end.