Windows 2000 DNS "Disable recursion"


  • Windows 2000 DNS "Disable recursion"

    Hi All,

    Can some body please help me?

    A security company did an external (from the outside) leak test on our network.
    And there were some medium issues found.

    One of the issues is "useable remote name server".
    This means that the remote name server (our DNS server) allows recursive queries to be performed by any host on our DNS server. As I understand this can be used for spamming. (See: http://www.securityfocus.com/archive...30/0/threaded). I found this document on the internet.

    The solution is simple. Disable recursion on the DNS server.

    But when I read this section of the document:

    _Fixing the problem with Microsoft DNS_
    Unfortunately, Microsoft DNS is not quite as configurable as Bind when
    it comes to tweaking recursion. Your options are to either enable or
    disable recursion; you cannot make exceptions for certain subnets like
    we could with Bind using the allow-recursion parameter.

    This can cause problems if there is a local SMTP, HTTP, etc. server that
    relies on the Microsoft DNS server to perform recursive queries.
    Disabling recursion will break this required functionality. If you are
    in this situation, you may need to do one or more of the following
    additional steps along with disabling recursion on your exposed
    Microsoft DNS server:


    It could cause problems with SMTP and HTTP requests when they use recursive queries.

    But does this also apply when you have forwarders (to our ISP) configured on your DNS server?


    I hope that my description of my problem is clear.

    Thanks..
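    The "usable remote name server" finding above is an open-recursion check. The following is an added example, not code from this thread or from the quoted SecurityFocus document, of the probe a tester runs from outside: a raw UDP DNS query with the RD (recursion desired) bit set for a name outside the zones the server hosts, with the reply classified by its RA (recursion available) and AA (authoritative answer) flags. The server address, the probe name `www.example.com`, and the sample responses used for offline checking are all constructed for the example and are not captures from the poster's server.

```python
"""Open-recursion probe for a DNS server using raw UDP packets (standard library only).
Added example; the server, probe name and sample replies are constructed, not real."""
import socket
import struct


def build_query(name, recursion_desired=True, txid=0x1234):
    """Build a DNS A/IN query for `name`.
    RD=1 asks the server to recurse for us; RD=0 asks for an iterative (referral) answer."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(packet):
    """Decode the 12-byte DNS header into the flags and counts we care about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = response
        "aa": bool(flags & 0x0400),   # server is authoritative for the name
        "rd": bool(flags & 0x0100),   # recursion desired (copied from query)
        "ra": bool(flags & 0x0080),   # server is willing to recurse for this client
        "rcode": flags & 0x000F,      # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(resp):
    """Classify a reply to an RD=1 query for a name the server does NOT host."""
    h = parse_header(resp)
    if h["aa"]:
        return "authoritative"        # own zone: says nothing about recursion, pick another name
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open-recursion"       # it fetched a foreign name on our behalf: the finding
    if h["rcode"] == 5 or not h["ra"]:
        return "recursion-disabled"   # REFUSED, or RA clear: server will not recurse for us
    return "inconclusive"


def make_sample_response(query, flags, answer_ip=None):
    """Constructed reply for offline testing (not a real capture): echoes the query's
    ID and question, sets `flags`, and optionally appends one A record that points at
    the question name with a compression pointer (0xC00C = offset 12)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    answer = b""
    if answer_ip:
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(answer_ip)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer_ip else 0, 0, 0)
    return header + question + answer


def probe(server, name, timeout=3.0):
    """Send a recursive query for `name` to `server`:53 over UDP and classify the reply.
    Run it from OUTSIDE your network, with a name in a domain you do not host."""
    query = build_query(name, recursion_desired=True)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        resp, _ = sock.recvfrom(512)
    if parse_header(resp)["id"] != parse_header(query)["id"]:
        return "inconclusive"  # reply does not belong to our transaction
    return classify(resp)


if __name__ == "__main__":
    import sys
    # Usage: python dns_recursion_probe.py <dns-server-ip> [probe-name]
    target = sys.argv[1]
    probe_name = sys.argv[2] if len(sys.argv) > 2 else "www.example.com"
    print(target, "->", probe(target, probe_name))
```

    Use a name the server is not authoritative for: an AA answer for your own zone is expected with or without recursion and proves nothing. "open-recursion" is what the tester saw; after changing the server, re-run the probe from outside and expect "recursion-disabled", then separately confirm that names in your own zones still answer with AA set.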

  • #2
    Re: Windows 2000 DNS "Disable recursion"

    Hi rscheerhout.

    Is it serving an AD domain? Does it need to be visible externally? Is it your only DNS server?

    If it's an AD DNS server you should have it behind a firewall and it shouldn't be accessible externally. If you have resources that are available to the public then you should use another DNS server and disable recursion on it, or have an SP be the NS for the resources and DON'T PUT YOUR INTERNAL DNS INFO ON IT.
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com


    • #3
      Re: Windows 2000 DNS "Disable recursion"

      Originally posted by rscheerhout
      But does this also apply when you have forwarders (to our ISP) configured on your DNS server?
      Recursion applies specifically to forwarding. Client resolvers issue recursive queries by default. DNS servers configured to forward requests to other DNS servers are also sending recursive (as opposed to iterative) lookup requests. Recursive lookups are burdensome to the DNS server receiving the request. It is considered "rude" to forward recursive lookups from your own DNS server to a DNS server that does not belong to you.
      VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
      boche.net - VMware Virtualization Evangelist
      My advice has no warranties. Follow at your own risk.


      • #4
        Re: Windows 2000 DNS "Disable recursion"

        Hi JeremyW and jasonboche,

        The DNS server is an external DNS server (so it needs to be visible externally). We host our own domain names. And we have a secondary DNS server at our ISP.
        The AD DNS is configured behind our firewall so that is safe.

        This is our situation: (see attachment)


        The internal DNS server forwards the requests to our external DNS --> And the external DNS forwards the requests to the ISP if it's not found in our own domain.

        Problem:
        So the problem is that recursion is available on the external DNS.
        And this is a security risk. But what happens when I disable the recursion on the external DNS? Do I get problems with lookups?

        • #5
          Re: Windows 2000 DNS "Disable recursion"

          How 'bout some conditional forwarding on your internal DNS server for the namespace hosted by your external DNS and forward everything else to the ISP's DNS server? You can then disable recursion on your external DNS server.
          Regards,
          Jeremy



          • #6
            Re: Windows 2000 DNS "Disable recursion"

            Originally posted by JeremyW
            How 'bout some conditional forwarding on your internal DNS server for the namespace hosted by your external DNS and forward everything else to the ISP's DNS server? You can then disable recursion on your external DNS server.

            Unfortunately Conditional forwarding is only "new" in Server 2003.

            You can easily disable recursion on your external DNS server. The problem being you won't be able to use forwarders.

            To disable it, follow these steps:

            1. Open DNS.
            2. In the console tree, right-click the applicable DNS server, then click Properties.
            3. Click the Advanced tab.
            4. In Server options, select the Disable recursion check box, and then click OK.

            • #7
              Re: Windows 2000 DNS "Disable recursion"

              Originally posted by wullieb1
              Unfortunately Conditional forwarding is only "new" in Server 2003.
              Nuts. I'm not very strong with 2000 Server.
              Regards,
              Jeremy



              • #8
                Re: Windows 2000 DNS "Disable recursion"

                Originally posted by JeremyW
                Nuts. I'm not very strong with 2000 Server.

                And that's why every day is a school day.
