Open DNS Servers


Tom Willett

Crossposted...

I just discovered that MS Windows DNS servers are Open DNS Servers, and that
Recursive Lookup should be disabled. However, since MS DNS doesn't have
provisions for Microsoft DNS to allow recursion only to specific IP ranges,
we can't disable it or our mail server will not work, and who knows what
else.

However, it is my understanding that enabling DNS cache pollution protection
will prevent the bad guys from using the DNS server as part of a DoS attack,
as long as "forwarding" is not enabled.

Is this correct?

Thanks,

Tom
 
Tom said:
Crossposted...

I just discovered that MS Windows DNS servers are Open DNS Servers,
and that Recursive Lookup should be disabled. However, since MS DNS
doesn't have provisions for Microsoft DNS to allow recursion only to
specific IP ranges, we can't disable it or our mail server will not
work, and who knows what else.

Other than the problems you have when you disable recursion on a DNS server
used as a client DNS resolver, you shouldn't use a DNS server that serves as a
DNS resolver for clients as an authoritative DNS server for public domains.
One reason is that most clients on a network are behind NAT and can only use
DNS servers that resolve the local network IPs for services hosted locally.
If you host a public zone on the DNS server used as an internal resolver, the
local clients would not be able to access sites in the public zone that are
hosted locally.
I have no problem with you hosting your own public DNS zone; I do this
myself. The problem is that public zones should only be hosted on a server
dedicated to hosting public authoritative zones, and that server must not be
used by local clients as a DNS resolver. Then you can disable recursion on
that server without any effect on your local clients' ability to get full DNS
resolution.

Tom said:
However, it is my understanding that enabling DNS cache pollution
protection will prevent the bad guys from using the DNS server as
part of a DoS attack, as long as "forwarding" is not enabled.

Is this correct?

It is true that using forwarding adds a point of failure by making your
internal DNS rely on another for resolution. If the server you are
forwarding to is compromised, it can pass the compromised record on to
yours, which is why I don't use a forwarder that is not under my control
and that can be attacked by an external user.
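To verify the split the reply recommends on a server you administer, here is an added example (not from the thread) that sends a recursive query and reads the RA (recursion available) flag of the reply; a public server with recursion disabled should answer with RA clear, while RA set means it is offering recursion to whoever reached it. The server address and the name example.com are assumptions, and the sample replies are constructed for offline use.

```python
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1).
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal A query with RD set, as any stub resolver would send it."""
    header = struct.pack(">HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(resp: bytes) -> dict:
    """Judge a raw reply from its header alone. The RA bit is the signal that matters:
    a server that sets it for a client outside the network is offering recursion."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if not flags & QR:
        raise ValueError("packet is a query, not a response")
    if flags & RA:
        verdict = "open-recursive"       # recursion offered to this client
    elif flags & AA:
        verdict = "authoritative-only"   # answered from its own zone, no recursion
    else:
        verdict = "recursion-refused"    # the hardened behaviour for a public server
    return {"rcode": flags & 0x000F, "ra": bool(flags & RA), "aa": bool(flags & AA),
            "answers": an, "verdict": verdict}

def probe(server: str, name: str = "example.com", timeout: float = 3.0) -> dict:
    """Send the query over UDP/53 to one of your own servers and classify the reply.
    Use a name outside your own zones so an authoritative answer cannot mask recursion."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return classify(resp)

# Constructed sample replies (header only; classify() reads nothing else) for offline use.
SAMPLE_OPEN = struct.pack(">HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)    # NOERROR, 1 answer, RA set
SAMPLE_REFUSED = struct.pack(">HHHHHH", 0x1234, QR | RD | 5, 1, 0, 0, 0)  # REFUSED, RA clear
SAMPLE_AUTH = struct.pack(">HHHHHH", 0x1234, QR | AA | RD, 1, 1, 0, 0)    # own zone, RA clear

if __name__ == "__main__":
    for sample in (SAMPLE_OPEN, SAMPLE_REFUSED, SAMPLE_AUTH):
        print(classify(sample))
```

Run probe() from outside your network against the server that hosts your public zones; the internal resolver, which must keep recursion on for local clients, should not be reachable from there at all.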
 