WINDOWS DNS RECURSION

How do we disable DNS recursion and still resolve external domain names using Windows 2008 R2?
Lance McGrew (Retired) asked:

Dan McFadden (Systems Engineer) commented:
Essentially no.

There is a question to ask:

1. Are your DNS Servers (aka DCs) used for supporting inbound Internet DNS queries?

If no, then recursion does not expose your DNS Services to any external forces.  

If yes, then you should rethink your DNS infrastructure.

You kinda need recursion in order to resolve external DNS zone records. Disabling recursion shuts down that functionality. What can be done is to bring up 2 dedicated DNS servers that are exclusively used to service external DNS queries and have recursion disabled, making them only responsible for the DNS zones that are set up on this pair of servers. Then, at your firewall, block inbound Internet traffic (port 53/udp and/or 53/tcp) to the internal DNS servers... but leave on recursion since the only things that can query your internal DNS servers are devices on your LAN.

Dan
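To see what this answer means on a 2008 R2 box, here is an added PowerShell example (not code from the thread or from either participant). It reads the server's NoRecursion setting from the registry and then issues the same external query twice, with and without the recursion-desired flag, which is exactly how clients would experience a server that had recursion switched off. Assumptions: it runs in an elevated PowerShell 2.0 prompt on the DNS server itself, the registry value name NoRecursion under the DNS service's Parameters key is the one the DNS service documents, and www.example.com and 127.0.0.1 stand in for any external name and the local server.

```powershell
# Added example (not Dan's or the asker's code). Assumes an elevated
# PowerShell 2.0 prompt on the Windows Server 2008 R2 DNS server itself.

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$cfg = Get-ItemProperty -Path $params

# NoRecursion is absent (or 0) by default, meaning recursion is enabled.
# 1 means the server answers only from its own zones and cache and will not
# go out to forwarders or root servers for anything else.
$noRecursion = 0
if ($cfg.PSObject.Properties['NoRecursion']) { $noRecursion = [int]$cfg.NoRecursion }
"Recursion enabled on this server: $($noRecursion -eq 0)"

$externalName = 'www.example.com.'   # any name outside your own zones
$server       = '127.0.0.1'          # the DNS server under test

# 1) A normal client query carries RD=1 (recursion desired). With recursion
#    enabled, the server chases the name via forwarders/root hints and answers.
"--- query with recursion desired ---"
nslookup $externalName $server 2>&1

# 2) -norecurse sends the same question with RD=0. The server may only answer
#    from zones it is authoritative for or from what it already has cached;
#    for a cold external name you get no answer or a referral. This is what
#    every client would see if NoRecursion were set to 1: external resolution
#    stops, which is the point of the answer above.
"--- same query, recursion not desired ---"
nslookup -norecurse $externalName $server 2>&1

# Leave recursion on for the LAN-only servers and block inbound 53/tcp+udp at
# the firewall. Disabling recursion belongs only on a separate Internet-facing
# pair that is authoritative for your public zones, e.g. (placeholder host
# name; restart the DNS Server service afterwards):
#   dnscmd <external-dns-host> /Config /NoRecursion 1
```

The second nslookup is a client-side simulation only; nothing on the server is changed by running this.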
Lance McGrew (Retired, author) commented:
Port 53 reports closed using GRC Shields-Up. Nothing inside needing incoming DNS service. Problem is we see outside public IPs in the DNS logs with ill-formed packets.
Dan McFadden (Systems Engineer) commented:
I would check your firewall (assuming there is one in place) for inbound allowances for NAT'ed IPs or for inbound port forwarding rules.

Seeing publicly routable IPs in your internal DNS logs indicates that inbound Internet traffic can reach your DNS Servers.

Dan
Lance McGrew (Retired, author) commented:
Only thing I can think of is RDP. Nothing else open.
Dan McFadden (Systems Engineer) commented:
In order to try to resolve the issue, concrete info is needed.  Is your answer from memory or have you checked the firewall for inbound allowances?  Sorry, but "I think" isn't going to help anyone get the error resolved.

- Can you post some of the DNS event log entries?  Please post in the full XML format.

Questions:
1. are you using one of the non-Internet routable IP Ranges on your LAN?
2. are you using NAT anywhere to allow in external traffic?
3. are you hosting your own external DNS servers?

Dan
Lance McGrew (Retired, author) commented:
1. Yes 10.1.101.x
2. Yes RDP to one server and one workstation plus HTTP to a Linux box.
3. No, all DNS for LAN only

We just installed a new Smoothwall last Friday.  I will double-check the port 53 inbound however I trust the GRC Shields-up scan reporting port 53 is closed.  Not stealth, but at least closed.

Dan, can I send you a copy of the logs through PM?
Dan McFadden (Systems Engineer) commented:
Sure, you can PM them.

Dan
Dan McFadden (Systems Engineer) commented:
Lance, can you post the IP config of this server?

Dan
Dan McFadden (Systems Engineer) commented:
I believe you are referring to the 5504 events?  If so, can you tell me if you have the following DNS Server settings turned on/off or if they're configured?

In DNS Manager:
1.  Advanced tab
  1a. Enable round robin?
  1b. Enable netmask ordering?
  1c. Secure Cache against Pollution?
2.  Forwarders tab -> any IPs added?
3.  Forwarders tab -> Use root hints if no forwarders are available?
4. Root Hints tab -> any IPs listed?

Dan
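The six settings Dan asks for can be read off the server in one go rather than by clicking through DNS Manager. The following is an added PowerShell example (not code from the thread) that prints them in the same numbering Dan uses. Assumptions: it runs in an elevated PowerShell 2.0 prompt on the 2008 R2 DNS server; the registry value names RoundRobin, LocalNetPriority, SecureResponses, Forwarders and IsSlave under the DNS service's Parameters key are the ones documented for the DNS service, with a missing value meaning the service default; and root hints live in %SystemRoot%\System32\dns\cache.dns unless the DC stores them in Active Directory.

```powershell
# Added example (not Dan's or the asker's code). Reads the DNS Manager settings
# from the thread's checklist where the 2008 R2 DNS service stores them.
# Assumes an elevated PowerShell 2.0 prompt on the DNS server.

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$cfg = Get-ItemProperty -Path $params

function Get-DnsFlag {
    # Returns the DWORD stored at $Name, or $Default when the value was never
    # written (the DNS service treats a missing value as its default).
    param([string]$Name, [int]$Default)
    if ($cfg.PSObject.Properties[$Name]) { return [int]$cfg.$Name }
    return $Default
}

# 1. Advanced tab (all three are on by default; assumed registry names)
$roundRobin      = Get-DnsFlag 'RoundRobin'       1   # 1a Enable round robin
$netmaskOrdering = Get-DnsFlag 'LocalNetPriority' 1   # 1b Enable netmask ordering
$securePollution = Get-DnsFlag 'SecureResponses'  1   # 1c Secure cache against pollution

# 2./3. Forwarders tab. Forwarders is a REG_MULTI_SZ list of IPs.
#       IsSlave = 1 means "do NOT use root hints if no forwarders are available",
#       i.e. the server then depends entirely on the forwarders being reachable.
$forwarders = @($cfg.Forwarders | Where-Object { $_ })
$useRootHintsFallback = (Get-DnsFlag 'IsSlave' 0) -eq 0

# 4. Root Hints tab: NS records for "." in cache.dns (file-based servers).
#    A DC keeping root hints in AD has no file; `dnscmd /EnumRecords ..RootHints @`
#    lists them there instead (assumed syntax).
$cacheFile = Join-Path $env:SystemRoot 'System32\dns\cache.dns'
$rootHints = @()
if (Test-Path $cacheFile) {
    $rootHints = Get-Content $cacheFile | ForEach-Object {
        if ($_ -match '^\.\s+.*\bNS\s+(\S+)') { $Matches[1] }
    }
}

$fwdText  = if ($forwarders) { $forwarders -join ', ' } else { '<none>' }
$hintText = if ($rootHints)  { $rootHints  -join ', ' } else { '<none found in cache.dns>' }

"1a. Enable round robin                : $($roundRobin -eq 1)"
"1b. Enable netmask ordering           : $($netmaskOrdering -eq 1)"
"1c. Secure cache against pollution    : $($securePollution -eq 1)"
"2.  Forwarders                        : $fwdText"
"3.  Use root hints if no forwarders   : $useRootHintsFallback"
"4.  Root hint servers                 : $hintText"
```

If the forwarders list is empty and the root-hints fallback is also off, the server cannot resolve anything outside its own zones, which looks a lot like "recursion disabled" to clients even though NoRecursion is 0.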
Lance McGrew (Retired, author) commented:
1. Advanced tab, all 3 you ask are enabled
2. Forwarders tab google's 8.8.8.8 and 8.8.4.4
3. Root hints enabled
4. Root hints: e.root-servers.net, f, g, h, i, j, k, l, m from the original default list.
Lance McGrew (Retired, author) commented:
Dan McFadden (Systems Engineer) commented:
Unless you are running with a Windows Server 2016 TP instance, in Production, this will not help you with Server 2008.

I am going to go back to 1 of my original statements... if you are seeing (and you are) external IPs hitting a DNS server on your private LAN, then something is setup to allow/forward traffic to this server.

I see several external IPs in the event log messages:
1) 149.210.240.133
2) 212.72.132.26
3) 192.95.55.214
4) 5.254.104.13
5) 5.254.102.236
6) 162.252.10.29
7) 2.222.168.49
8) 5.254.104.13
9) 198.100.153.14
10) 31.220.13.190
11) 180.157.191.199
12) 10.1.101.20 *** this is you!
13) 8.8.8.8 *** this is 1 of your configured forwarders
14) 108.53.237.209
15) 123.126.122.242
16) 195.254.199.130
... etc.

This is enough evidence for me to say that somewhere on your network, something is allowing in traffic to your DNS server. Also, the bad DNS query is related to the domain "q1w.in" which is associated with current DNS Reflection attacks.

You need to verify the configuration of the device(s) that protect your network. I am inclined to not trust your Shields Up test results. Your DNS event logs are enough for me to believe you have either a configuration hole somewhere or you have a larger problem on your network.

Dan
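Dan's reading of the event log can be automated so the same check can be repeated after the firewall is fixed. The following is an added PowerShell example (not Dan's or the asker's code) that pulls the sender address out of each DNS Server event 5504 message and sorts it into "LAN", "configured forwarder" or "public Internet". Assumptions: the sender IP is the first IPv4 literal in the event message (the 5504 text reads "invalid domain name in a packet from <ip>"); the LAN range (10.1.101.x) and forwarders (8.8.8.8, 8.8.4.4) are the ones stated earlier in the thread; the sample messages are constructed here, and on the server you would feed it live events from Get-WinEvent instead.

```powershell
# Added example (not from the thread). Classifies the source IPs in DNS Server
# event 5504 entries. Sample messages below are constructed; see the
# Get-WinEvent line for how to use the real log. PowerShell 2.0 compatible.

$Forwarders = @('8.8.8.8', '8.8.4.4')   # forwarders as configured in the thread

function Test-PrivateIPv4 {
    # RFC 1918 ranges plus loopback and link-local: addresses that can
    # legitimately appear on an internal-only resolver.
    param([string]$Ip)
    $b = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    ($b[0] -eq 10) -or
    ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
    ($b[0] -eq 192 -and $b[1] -eq 168) -or
    ($b[0] -eq 127) -or
    ($b[0] -eq 169 -and $b[1] -eq 254)
}

function Get-DnsPacketSource {
    # Returns the first IPv4 literal in an event message, or nothing if absent.
    param([string]$Message)
    $m = [regex]::Match($Message, '\b(?:\d{1,3}\.){3}\d{1,3}\b')
    if ($m.Success) { $m.Value }
}

function Get-SourceOrigin {
    # Forwarder replies and LAN clients are expected on an internal resolver;
    # anything else should have been stopped at the firewall.
    param([string]$Ip)
    if ($Forwarders -contains $Ip) { return 'Forwarder (expected)' }
    if (Test-PrivateIPv4 $Ip)      { return 'LAN (expected)' }
    'Public Internet (should not reach this server)'
}

# Constructed sample shaped like event 5504 (assumed message text). Live data:
#   $messages = Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 5504 } |
#               Select-Object -ExpandProperty Message
$template = 'The DNS server encountered an invalid domain name in a packet from {0}. ' +
            'The packet will be rejected. The event data contains the DNS packet.'
$messages = '149.210.240.133', '212.72.132.26', '5.254.104.13', '5.254.104.13',
            '10.1.101.20', '8.8.8.8', '31.220.13.190' |
            ForEach-Object { $template -f $_ }

$rows = foreach ($msg in $messages) {
    $ip = Get-DnsPacketSource $msg
    if (-not $ip) { continue }
    New-Object PSObject -Property @{ SourceIp = $ip; Origin = (Get-SourceOrigin $ip) }
}

# Hits per source, noisiest first
$rows | Group-Object Origin, SourceIp | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# The conclusion above as a single number: any public source at all means
# something is passing Internet traffic to an internal-only DNS server.
$publicIps = $rows | Where-Object { $_.Origin -like 'Public*' } |
    ForEach-Object { $_.SourceIp } | Sort-Object -Unique
"Distinct public sources hitting this server: $(@($publicIps).Count)"
```

Run it again after the firewall change; the "Public Internet" bucket should fall to zero while the LAN and forwarder entries, which are normal for an internal resolver, remain.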
Lance McGrew (Retired, author) commented:
We disabled the public IP NAT'd to port 3389 on the DNS server due to other issues we found in the security logs. All those stopped, so I am counting on the rogue DNS log entries probably also stopping. Will continue to monitor for the next few days but nothing additional has been logged for the last few hours.
Dan McFadden (Systems Engineer) commented:
Hopefully everything looks better from here on.

Dan
Lance McGrew (Retired, author) commented:
Dan, thank you for sticking with us on this one.