getting a new DNSReport Error - has to do with Disable Recursion


Dave

Hello,

I have a few servers up at a CO-LO running a Windows 2000 domain. I
have 2 Domain Controllers (PDC and SDC) and I'm all of a sudden getting
a red flag error on dnsreport.com for all of my domains that I host on
my name servers. Here's one example:

http://www.dnsreport.com/tools/dnsreport.ch?domain=acrosstheroom.com

http://forums.dnsstuff.com/tool/post/dnsstuff/vpost?id=961378&trail=15#14

The problem is, if I follow the recommendation and check the Disable
Recursion checkbox, I can no longer see the Internet from my name
servers. I don't even know if this is a problem or why this happened,
but I did it remotely (through Remote Desktop) and I didn't get
disconnected, so I seemed to be connected still. Anyway, what is the
correct way to configure this?

Thanks,
Dave
 
P.S. I've seen some suggestions saying you have to make the allow
recursion only to the internal network. Is this correct? And if so, how
do I do this on a Windows 2000 DNS server?
 
Dave said:
Hello,

I have a few servers up at a CO-LO running a Windows 2000 domain. I
have 2 Domain Controllers (PDC and SDC) and I'm all of a sudden
getting a red flag error on dnsreport.com for all of my domains that
I host on my name servers. Here's one example:

http://www.dnsreport.com/tools/dnsreport.ch?domain=acrosstheroom.com

http://forums.dnsstuff.com/tool/post/dnsstuff/vpost?id=961378&trail=15#14

The problem is, if I follow the recommendation and check the Disable
Recursion checkbox, I can no longer see the Internet from my name
servers. I don't even know if this is a problem or why this happened,
but I did it remotely (through Remote Desktop) and I didn't get
disconnected, so I seemed to be connected still. Anyway, what is the
correct way to configure this?

You are going to have to ignore the DNS report or MOVE the public zone to a
non-recursive DNS server. If the Windows DNS is used for DNS resolution for
clients, you cannot disable recursion. MS DNS recurses for all or recurses
for none.

This question has been asked what seems like 50 times in this group since
DNSreport.com added this test.
 
Dave said:
P.S. I've seen some suggestions saying you have to make the allow
recursion only to the internal network. Is this correct? And if so, how
do I do this on a Windows 2000 DNS server?

Kevin has told you, and I have told you, this is
not going to work as long as you use the same
Microsoft DNS server for this purpose.

We have also told you it is a bad design to use
the same server for both internal and external
resolution anyway.

And we have mentioned that this is NOT a "giant
issue" in most cases -- odds of someone seriously
abusing your server are fairly low (and you can
block their address if you find this happening.)

We have also mentioned that you can solve this
problem by moving your EXTERNAL resolution back
to the REGISTRAR (so that you will have two DNS
server sets without spending more money.)

Beyond that you must run two DNS servers -- one
configured to operate ONLY on the internal and the
other (non-MS) DNS server strictly on the
external NIC address (or at least a NON-MS DNS
which can do what you wish, but I would discourage
that even more strongly at this time.)

There just isn't any way to get your MICROSOFT
DNS server to handle recursive requests for YOUR
users, but only handle requests (non-recursive) for
external users TOO.

And again, it would be a poor design even if you could,
so doing this is likely a worse security hole than just
leaving the recursive request service enabled.
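As an added example (not code from anyone in this thread), here is a small Python probe that performs the same test DNSReport is flagging: it sends a query with the RD (recursion desired) bit set for a name the server is not authoritative for and reports whether the reply has RA (recursion available) set and carries an answer. Run it from an outside address against your own name server to confirm what it actually does before and after you touch the recursion setting; the server address and the query name are whatever you pass in, and the two sample replies at the bottom are constructed, not captured.

```python
import socket
import struct

RA_FLAG = 0x0080      # "recursion available" bit in the DNS header flags word
RCODE_MASK = 0x000F   # low four bits of the flags word

def build_query(qname, txid=0x1234):
    """Build a minimal DNS A/IN query with only the RD bit set (flags 0x0100)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in qname.strip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def classify_response(data):
    """Return (recursion_available, rcode, answer_count) from a raw DNS reply."""
    if len(data) < 12:
        raise ValueError("reply shorter than a DNS header")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return bool(flags & RA_FLAG), flags & RCODE_MASK, ancount

def is_open_recursive(data):
    """True if the server advertised recursion and actually resolved the name."""
    ra, rcode, ancount = classify_response(data)
    return ra and rcode == 0 and ancount > 0

def probe(server, qname="www.example.com", timeout=3.0):
    """Send one UDP query to `server` and report whether it recursed for us."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
    return is_open_recursive(data)

# Constructed sample replies (header only, no records), used for offline checks.
# Open resolver: QR=1, RD=1, RA=1, RCODE=0, one answer record.
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
# Server that refuses recursion: QR=1, RD=1, RA=0, RCODE=5 (REFUSED), no answers.
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, "answers recursive queries:", probe(target))
```

A reply with RA clear or RCODE REFUSED is what the report wants to see from a public authoritative server; a reply with RA set and an answer is exactly the all-or-none recursion the replies above say the Windows 2000 DNS cannot restrict per client.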
 