    Disabling recursive DNS

Category: IT Discussion
Tags: dns, windows server
10 Posts 3 Posters 1.8k Views
IRJ

One of the things we are getting flagged for is a possible DDoS attack using our DNS Servers because they have recursive DNS enabled. What do you guys recommend here? We have 3 DNS Servers which are also DCs.

travisdh1 @IRJ

        @IRJ said in Disabling recursive DNS:

One of the things we are getting flagged for is a possible DDoS attack using our DNS Servers because they have recursive DNS enabled. What do you guys recommend here? We have 3 DNS Servers which are also DCs.

        Don't you have to do that in order to get AD to work properly? (I haven't worked with AD since Windows 2000, so just a little out of date with it.)

TAHIN

This isn't a general best practice to be used in every case. You're only susceptible to DDoS attacks for domains that you're publicly authoritative for. You can use this site to determine if you have open resolvers for your domain: http://openresolver.com/.

          It is true that AD requires recursive queries to work. Here's MS's note on securing DNS: Disable recursion on DNS servers that do not respond to DNS clients directly and that are not configured with forwarders. A DNS server requires recursion only if it responds to recursive queries from DNS clients or if it is configured with a forwarder. DNS servers use iterative queries to communicate with each other.

          If you do have (and require) your internal DNS to be a public resolver, a solution I've seen is to:

          1. Disable recursion on the servers that are publicly available. The DNS servers will start using root hints instead of forwarders.
2. Create a new DNS server (not publicly available). Enable recursion and set the 'outside domain' forwarders to an outside resolver (i.e. ISP DNS). Set the 'inside domain' forwarders to your original DNS servers.
          3. Move all AD-connected resources to point to this new server.
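The three steps above, expressed with the DnsServer, DnsClient and DhcpServer PowerShell modules that ship with Windows Server. This is an added example, not code from the thread or from Microsoft's guidance; every host name, address, scope and zone in it is a constructed placeholder. It assumes the public-facing servers are the DCs and that the AD forward and reverse zones are the only ones that must flow back to them.

```powershell
# Added example (not from the thread): TAHIN's split-resolver design.
# All names, addresses and zones below are constructed placeholders.

$PublicDns   = 'dc1.corp.example', 'dc2.corp.example', 'dc3.corp.example'  # public-facing, authoritative
$Resolver    = 'resolver1.corp.example'                                    # new internal-only recursive server
$Upstream    = '203.0.113.53', '203.0.113.54'                              # ISP / outside resolver
$DcAddresses = '10.0.0.1', '10.0.0.2', '10.0.0.3'                          # the original DCs
$AdZones     = 'corp.example', '0.0.10.in-addr.arpa'                       # AD forward and reverse zones

# Step 1: disable recursion on the publicly reachable servers. They keep
# answering for the zones they host but stop resolving arbitrary names for
# whoever asks, which is exactly what an open-resolver audit flags.
# Forwarders are meaningless without recursion, so they are removed too.
function Disable-PublicRecursion {
    param([string[]]$ComputerName)
    foreach ($dns in $ComputerName) {
        Set-DnsServerRecursion -ComputerName $dns -Enable $false
        $fw = Get-DnsServerForwarder -ComputerName $dns
        if ($fw.IPAddress) {
            Remove-DnsServerForwarder -ComputerName $dns -IPAddress $fw.IPAddress -Confirm:$false
        }
    }
}

# Step 2: build the internal resolver. Recursion stays on (AD clients need
# it), the default forwarder is the outside resolver, and conditional
# forwarders send the AD zones back to the original DCs. A conditional
# forwarder for corp.example also covers its subdomains such as _msdcs.
function Initialize-InternalResolver {
    param([string]$ComputerName, [string[]]$Upstream, [string[]]$AdZones, [string[]]$DcAddresses)
    Set-DnsServerRecursion -ComputerName $ComputerName -Enable $true
    Set-DnsServerForwarder -ComputerName $ComputerName -IPAddress $Upstream -UseRootHint $false
    foreach ($zone in $AdZones) {
        Add-DnsServerConditionalForwarderZone -ComputerName $ComputerName -Name $zone -MasterServers $DcAddresses
    }
}

# Step 3: point AD-connected resources at the new resolver. DHCP clients get
# it through the scope option; statically configured hosts (the DCs
# themselves included, since with recursion off they no longer resolve
# outside names for themselves) through their NIC settings. The
# Set-DnsClientServerAddress call configures the host it runs on.
function Set-ClientResolver {
    param([string[]]$ResolverAddresses, [string]$ScopeId, [string]$InterfaceAlias = 'Ethernet')
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $ResolverAddresses
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $ResolverAddresses
}

# Disable-PublicRecursion -ComputerName $PublicDns
# Initialize-InternalResolver -ComputerName $Resolver -Upstream $Upstream -AdZones $AdZones -DcAddresses $DcAddresses
# Set-ClientResolver -ResolverAddresses '10.0.0.10' -ScopeId '10.0.0.0'
```

Run step 2 and step 3 before step 1 in practice: once recursion is off on the DCs, anything still pointed at them loses outside-name resolution, so the new resolver should already be serving clients. As IRJ notes later in the thread, a second internal resolver is needed for redundancy; the same function applies to it.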
IRJ @TAHIN

            @TAHIN said in Disabling recursive DNS:

This isn't a general best practice to be used in every case. You're only susceptible to DDoS attacks for domains that you're publicly authoritative for. You can use this site to determine if you have open resolvers for your domain: http://openresolver.com/.

            It is true that AD requires recursive queries to work. Here's MS's note on securing DNS: Disable recursion on DNS servers that do not respond to DNS clients directly and that are not configured with forwarders. A DNS server requires recursion only if it responds to recursive queries from DNS clients or if it is configured with a forwarder. DNS servers use iterative queries to communicate with each other.

            If you do have (and require) your internal DNS to be a public resolver, a solution I've seen is to:

            1. Disable recursion on the servers that are publicly available. The DNS servers will start using root hints instead of forwarders.
2. Create a new DNS server (not publicly available). Enable recursion and set the 'outside domain' forwarders to an outside resolver (i.e. ISP DNS). Set the 'inside domain' forwarders to your original DNS servers.
            3. Move all AD-connected resources to point to this new server.

            So right now we have 3 Internal DCs that have DNS. They are not public servers. What exactly should I do in this case?

TAHIN

              If you want to avoid a separate server, I think BIND lets you configure what domains to respond to recursively versus iteratively? Not sure though.

IRJ @TAHIN

                @TAHIN said in Disabling recursive DNS:

This isn't a general best practice to be used in every case. You're only susceptible to DDoS attacks for domains that you're publicly authoritative for. You can use this site to determine if you have open resolvers for your domain: http://openresolver.com/.

What domain should I be testing here? My internal Active Directory domain?

TAHIN @IRJ

                  @IRJ

                  So right now we have 3 Internal DCs that have DNS. They are not public servers. What exactly should I do in this case?

                  I think you're safe 🙂

IRJ @TAHIN

                    @TAHIN said in Disabling recursive DNS:

                    @IRJ

                    So right now we have 3 Internal DCs that have DNS. They are not public servers. What exactly should I do in this case?

                    I think you're safe 🙂

I think so too. I am just trying to go through and fix these audit issues. My boss is creating tickets like crazy, keeping us busy fixing these little nitpicking issues.

IRJ

                      This was my response on the ticket:

                      Since all 3 of our DNS servers are internal and not publicly available this isn't a realistic threat. Recursive DNS is required for Active Directory to work properly.

If we use the recursive DNS tester here, we can see that our domains, domain.com and domain.net, are safe from external attack.

                      http://openresolver.com/

The other thing we could do is build another DNS server (we would need two for redundancy), set up external forwarding on that server and turn off recursive DNS on the DCs. However, this is a lot of work for an unrealistic risk. In reality, if the hacker is on our network, DDoS attacks would be the last thing he would attempt to do. Generally DDoS attacks are only done from the outside.

TAHIN

DDoS depends on public addresses acting as clients pounding your DNS server with thousands of recursive queries at once. If your DNS server isn't public, then it isn't an open resolver, and a client on the internet can't query it directly.

In our case, we have a local DNS server, available to the internet, as a backup to our ISP-hosted DNS. This server is typically vulnerable. But it's set with a higher cost so it won't be used unless the ISP goes down.

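The test TAHIN describes (can a client on the internet get your server to recurse for it?) and the server-side setting it should agree with, as an added example that is not part of the thread. Server names and the probe name are constructed placeholders; the server-side function assumes the DnsServer module and administrative rights on the targets.

```powershell
# Added example (not from the thread): verify where recursion is actually
# offered instead of trusting the audit finding alone.
# Server names and the probe name are constructed placeholders.

# Client-side probe: ask the server, with recursion desired, for a name it
# is not authoritative for. A-records coming back mean the server recursed
# on your behalf. Run it from a host on the internet to learn what the
# audit scanner sees, and from inside to confirm AD clients still get
# service after any change.
function Test-DnsRecursionFromClient {
    param(
        [Parameter(Mandatory)][string]$Server,
        [string]$Name = 'example.com'   # must not be a zone the server hosts
    )
    try {
        $answer = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop |
                  Where-Object { $_.Type -eq 'A' }
        [pscustomobject]@{
            Server   = $Server
            Recursed = [bool]$answer        # $false when only a referral / nothing came back
            Detail   = ($answer.IPAddress -join ', ')
        }
    } catch {
        # SERVFAIL, REFUSED or a timeout: the server would not resolve for us.
        [pscustomobject]@{ Server = $Server; Recursed = $false; Detail = $_.Exception.Message }
    }
}

# Server-side check: the configured recursion state and forwarders, which is
# what the probe above should agree with for each server.
function Get-DnsRecursionState {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($dns in $ComputerName) {
        $rec = Get-DnsServerRecursion -ComputerName $dns
        $fw  = Get-DnsServerForwarder  -ComputerName $dns
        [pscustomobject]@{
            Server     = $dns
            Recursion  = $rec.Enable
            Forwarders = ($fw.IPAddress -join ', ')
            RootHints  = $fw.UseRootHint
        }
    }
}

# $dcs = 'dc1.corp.example', 'dc2.corp.example', 'dc3.corp.example'
# $dcs | ForEach-Object { Test-DnsRecursionFromClient -Server $_ }
# Get-DnsRecursionState -ComputerName $dcs | Format-Table
```

The decisive result is the probe run from outside: a DC that is not reachable on UDP/TCP 53 from the internet fails the probe with a timeout whatever its recursion setting, which is the "not an open resolver" condition in the post above. A server that is reachable and returns an answer is the case the audit is warning about, and the reachable-but-refusing state is what the split-resolver approach earlier in the thread produces.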