Open Resolver issue with Exchange 2013

Dear experts,

I have been trying to deal with the issue of DNS recursion on my server, but it is really getting more complicated than it seems.

I have a 2012 R2 server with IIS and Exchange 2013 installed; along the way, I have set up my own DNS records through Windows DNS.

For the past several months, I have been getting warnings from my ISP regarding DNS recursion. As a result, I would disable it through Windows DNS, which results in internet blockage inside the server. After a while, I would activate it again, knowing the issue would come back, and it did.

I tried to find a proper solution that doesn't disable something else on the server. Blocking inbound traffic on UDP port 53 would solve the issue but would prevent remote users from accessing Exchange OWA or ECP.

From what I read, there is no clear solution for this problem. What are your thoughts?

Appreciated in advance,


John ChristopherAnalystCommented:

Try this 

Might help with 2013 as well

Check and let us know if it worked; mostly it's an issue with the rules created on port 53.

It sounds like your internal DNS server is also an authoritative DNS server for your domain on the public Internet. This is extremely poor practice and I don't even know if it can be done safely using Microsoft DNS servers. Normal practice is to have a third party host your public DNS services. Domain registrars typically do this for free, or you can go with a paid service if you have particular needs. The public DNS would only have the records required by the public, such as your web sites, MX records, OWA, autodiscover, etc.
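A defender's self-check for the open-resolver condition the ISP keeps warning about, added here as an example and not part of this thread: it sends one recursion-desired query to a server you administer and reports whether that server actually recursed for the client (RA flag set, NOERROR, answer records present). The sample reply bytes are constructed, not captured; run it from an address outside your network against your own server.

```python
import socket
import struct

def build_query(name: str, txid: int) -> bytes:
    """Standard query for an A record with RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lbl.encode() for lbl in name.strip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def parse_header(reply: bytes) -> dict:
    """Decode the 12-byte DNS header fields that decide the verdict."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),  # this is a response
        "ra": bool(flags & 0x0080),  # recursion available to this client
        "rcode": flags & 0x000F,     # 0 = NOERROR, 5 = REFUSED
        "answers": an,
    }

def is_open_resolver(reply: bytes, txid: int) -> bool:
    """True only if the server recursed for us: RA set, NOERROR, answer records."""
    h = parse_header(reply)
    if h["id"] != txid or not h["qr"]:
        return False
    return h["ra"] and h["rcode"] == 0 and h["answers"] > 0

def check_server(server: str, name: str = "example.com", timeout: float = 3.0) -> bool:
    """Send one recursive query to `server` (your own) and classify the reply."""
    txid = 0x4242
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        reply, _ = sock.recvfrom(4096)
    return is_open_resolver(reply, txid)

# Constructed sample headers (not captured from any real server):
# recursion on: QR=1 RD=1 RA=1 NOERROR, one answer record
OPEN_REPLY = struct.pack("!HHHHHH", 0x4242, 0x8180, 1, 1, 0, 0)
# recursion off: QR=1 RD=1 RA=0 REFUSED, no answers
CLOSED_REPLY = struct.pack("!HHHHHH", 0x4242, 0x8105, 1, 0, 0, 0)

if __name__ == "__main__":
    import sys
    print("open resolver" if check_server(sys.argv[1]) else "recursion closed")
```

A referral (NOERROR with no answer records) is not counted as open, and a REFUSED reply or cleared RA bit means recursion is off for that client. Note that the Windows DNS "Disable recursion" setting also disables forwarders, which is why turning it off on a server that resolves through itself breaks that server's own internet lookups.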
gxsAuthor Commented:
John and Kevin,

Thanks for your help,

Luckily, I disabled DNS recursion this time without affecting local internet!!!

I read the article you posted, John, a long time ago; it didn't help much, but after deep digging, it worked out.

I have edited my hosts file to point to the local IP address of the computer, since it is a DNS server. On the other hand, we have been provided with DNS IPs from the host along with our static IPs, as Kevin mentioned.

As for the poor practices, what do you do, gentlemen, when your IT boss is a shithead, with all due respect? Exchange is installed on a domain controller along with DNS etc. Their excuse was lack of resources to expand, but anyway, I talked to them yesterday about this issue and its consequences in the future. As a result, they will purchase another server to move Exchange solely onto it and use the host DNS servers in the future.

I appreciate your time gentlemen. Thank you.
