Windows DNS Server Open Recursive

Author: cjoyce1980 Posted: Fri Nov 12, 2010 2:06 pm    Post subject: Windows DNS Server Open Recursive
I've recently had a request to look into our Windows 2003 DNS Servers as they are Open and Recursive.

The Open I'm not worried about as we host our own website and users need to be able to access this. It's the Recursive part that I'm worried about.

Any anonymous user can use our DNS Server to perform a lookup, and I'm aware there is a tick box in the DNS console that will disable recursion, but it disables forwarders so I can't do this.

Is there any other way within Windows 2003 to disable recursive lookups without disabling forwarders?

Many thanks for any help in advance.

Author: CoreDefend Location: USA Posted: Mon Nov 15, 2010 3:50 am    Post subject:
There are two options:

Do not use recursion for this domain.

Then on the Advanced Tab:

Disable recursion (also disables forwarders).

If the first option is enabled, queries not found locally will be sent to your forwarders (just like normal). If they are not found there, the query will stop and not proceed further.

Author: cjoyce1980 Posted: Mon Nov 15, 2010 12:28 pm    Post subject:
Thanks for your reply, but for the "All other DNS domains" option, "Do not use recursion for this domain" cannot be enabled and this is obviously allowing my DNS server to serve DNS requests.

Like I said in my previous post, I cannot select the "Disable recursion (also disables forwarders)" because this would disable forwarders for me, as I need my DNS servers when we send a request to domain ""

Is there any way to enable the "Do not use recursion for this domain" option for "All other DNS domains", as it will not stay on once selected?

Author: georgec Posted: Mon Nov 15, 2010 1:02 pm    Post subject: Windows DNS Server Open Recursive
I am not sure that I have understood your concern 100%, but remember that with Forwarders you are increasing security, while using conditional forwarding may help you achieve what you want. The article "Securing DNS for Windows (Part 2)" may help.


All times are GMT + 2 Hours
