PC Review > Forums > Newsgroups > Windows 2000 > Microsoft Windows 2000 DNS
Open DNS Servers

#1 (Guest)

Crossposted...
I just discovered that MS Windows DNS servers are Open DNS Servers, and that Recursive Lookup should be disabled. However, since MS DNS doesn't have provisions for Microsoft DNS to allow recursion only to specific IP ranges, we can't disable it or our mail server will not work, and who knows what else. However, it is my understanding that enabling DNS cache pollution protection will prevent the bad guys from using the DNS server as part of a DoS attack, as long as "forwarding" is not enabled. Is this correct?

Thanks,
Tom

#2 (Guest)

Tom Willett wrote:

> Crossposted...
>
> I just discovered that MS Windows DNS servers are Open DNS Servers,
> and that Recursive Lookup should be disabled. However, since MS DNS
> doesn't have provisions for Microsoft DNS to allow recursion only to
> specific IP ranges, we can't disable it or our mail server will not
> work, and who knows what else.

Other than the problems you have when you disable recursion on a DNS server used as a client DNS resolver, you shouldn't use a DNS server that is used as a DNS resolver for clients as an authoritative DNS server for public domains. One reason is that most clients on a network are behind NAT and can only use DNS servers that resolve the local network IPs for services hosted locally. If you host a public zone on the DNS used as an internal resolver, the local clients would not be able to access sites in the public zone that are hosted locally.

I have no problem with you hosting your own public DNS zone; I do this myself. The problem is that public zones should only be hosted on a server dedicated to hosting public authoritative zones and must not be used by local clients as a DNS resolver. Then you can disable recursion on that server without any effect on your local clients' ability to get full DNS resolution.

> However, it is my understanding that enabling DNS cache pollution
> protection will prevent the bad guys from using the DNS server as
> part of DOS attack, as long as "forwarding" is not enabled.
>
> Is this correct?

It is true that using forwarding adds a point of failure by making your internal DNS rely on another for resolution. If the server you are forwarding to is compromised, it can pass the compromised record on to yours, which is why I don't use a forwarder that is not under my control and that can be attacked by an external user.

--
Best regards,
Kevin D. Goodknecht Sr.
[MVP]
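An added example, not code from the thread: a small Python inspector that models the two settings the posts discuss. It builds a query with RD set, reports whether a response carries the RA (recursion available) flag, and applies a simplified bailiwick filter of the kind the "secure cache against pollution" option implements, dropping records whose owner name lies outside the queried domain tree. The domain tree, the sample response and all function names are constructed assumptions.

```python
import struct

def encode_name(name):  # wire-format name: length-prefixed labels plus a zero byte
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def rr(owner, rtype, rdata, ttl=300):  # one resource record in wire format (class IN)
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_query(name, txid=0x1234, qtype=1):
    # flags 0x0100 = RD set: the client asks the server to recurse on its behalf
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def read_name(msg, off):
    # decode a possibly compressed name; return (name, offset just past it in the message)
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we left off
            end = off + 2 if not jumped else end
            off, jumped = ((ln & 0x3F) << 8) | msg[off + 1], True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels).lower(), (end if jumped else off)

def inspect(resp, tree):
    # tree = domain tree the question belongs to (assumption: caller supplies it); returns (ra, kept, dropped)
    _, flags, _, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    _, off = read_name(resp, 12)
    off += 4  # skip QTYPE and QCLASS
    kept, dropped = [], []
    for _ in range(an + ns + ar):
        owner, off = read_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10 + rdlen
        in_tree = owner == tree or owner.endswith("." + tree)  # pollution-protection rule
        (kept if in_tree else dropped).append((owner, rtype))
    return bool(flags & 0x0080), kept, dropped  # 0x0080 = RA (recursion available)

# Constructed sample response (flags 0x8180: QR, RD, RA set) for www.example.com, with an
# additional A record for a host outside example.com: the kind of record the protection drops.
SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 1, 2) + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
          + rr("www.example.com", 1, bytes([192, 0, 2, 10]))
          + rr("example.com", 2, encode_name("ns1.example.com"))
          + rr("ns1.example.com", 1, bytes([192, 0, 2, 1]))
          + rr("ns.other.test", 1, bytes([198, 51, 100, 7])))
```

Running `inspect(SAMPLE, "example.com")` reports RA set and keeps the three example.com records while dropping the out-of-tree A record; sending `build_query(...)` over UDP to a server you administer and feeding the reply to `inspect` shows whether that server recurses for the querying network.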