Open DNS Servers

T

Tom Willett

Crossposted...

I just discovered that MS Windows DNS servers are Open DNS Servers, and that
Recursive Lookup should be disabled. However, since MS DNS doesn't have
provisions for Microsoft DNS to allow recursion only to specific IP ranges,
we can't disable it or our mail server will not work, and who knows what
else.

However, it is my understanding that enabling DNS cache pollution protection
will prevent the bad guys from using the DNS server as part of DOS attack,
as long as "forwarding" is not enabled.

Is this correct?

Thanks,

Tom
 
K

Kevin D. Goodknecht Sr. [MVP]

Tom said:
Crossposted...

I just discovered that MS Windows DNS servers are Open DNS Servers,
and that Recursive Lookup should be disabled. However, since MS DNS
doesn't have provisions for Microsoft DNS to allow recursion only to
specific IP ranges, we can't disable it or our mail server will not
work, and who knows what else.
Click to expand...

Other that problems you have when you disable recursion on a DNS server used
as a client DNS resolver, you shouldn't use a DNS server that is used as a
DNS resolver for clients as an Authoritative DNS server for public domains.
One reason is that most clients on a Network are behind NAT and can only use
DNS servers that resolve the local network IPs for services hosted locally.
If you host a public zone on the DNS used as an internal resolver, the local
clients would not be able to access sites in the public zone that are hosted
locally.
I have no problem with you hosting your own public DNS zone, I do this
myself, the problem is that public zones should only be hosted on a server
dedicated to hosting public authoritative zones and must not be used by
local clients as a DNS resolver. Then, you can disable recursion on that
server without any effect on your local clients ability to get full DNS
resolution.
However, it is my understanding that enabling DNS cache pollution
protection will prevent the bad guys from using the DNS server as
part of DOS attack, as long as "forwarding" is not enabled.

Is this correct?
Click to expand...

It is true that using forwarding adds a point of failure by making your
internal DNS rely on another for resolution. If the server you are
forwarding to is compromised, it can pass the compromised record on to
yours. Which is why I don't use a forwarder that is not under my control and
that can be attacked by an external user.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Recursive VS Open DNS 7
DNS name resolution slow - the first time... 1
large amount of DNS errors 6
New to DNS Admin - Root-hints & IMCP packets 2
Forwarding Error.... 2
DNS server configured to forward to non-recursive DNS server 1
DNS Errors in Event Log 3
HELP!!! DNS Weird Error Crashing my servers C000021a {Fatal System 1

Top