DNS recursion is insecure, but necessary for internal applications?

Question

In management of a Windows Server 2008, the server hosts DNS (is nameserver) for some domains, as well as hosting some applications that are publicly accessible.

A security scan has indicated that the DNS configuration is insecure, because it allows recursive queries.

Disabling recursive queries was tried, but several problems occurred (emails sent from local apps were not delivered, and an app running locally that connects to a third-party site could not resolve the domain name for the connection, etc.). So it appears that DNS requests that are originating on the server itself rely on recursive queries to function.

Is there a way to disable recursive queries by the DNS hosted on the server while still allowing for DNS queries originating on the server to work? I'm wondering if we can disable recursive queries on the local DNS server and set the outgoing DNS in network settings to something external (like 8.8.8.8), so that outgoing DNS queries would go there first, and this server's DNS would only end up getting queried for the domains that it actually hosts locally.

Thanks for your time!

Answer 1

Is there a way to disable recursive queries by the DNS hosted on the server while still allowing for DNS queries originating on the server to work?

Not with Microsoft's DNS server, there isn't.

With ISC's DNS server, BIND, one could bodge things with views. Microsoft's DNS server has no such mechanism. So for any given instance of Microsoft DNS server, one has to choose whether it is a public content DNS server or a site-local proxy DNS server. It cannot bodge things and pretend to be different kinds of server to different DNS clients.

The security testing service/tool is quite right. It is best practice to not provide proxy service — any kind of proxy service: be it HTTP proxy service, DNS proxy service, or SMTP Submission service — to the rest of Internet outwith one's own site. You very much should have separate servers: a content DNS server publishing your public DNS data, about your domain names that you have registered, to everyone on Internet; and a local proxy DNS server, that does the grunt work of query resolution on behalf of your LAN's/organization's computers, that is only accessible to machines at your organization/on your LAN. With Microsoft's DNS server, this isn't particularly easy.

It would be especially difficult if your machine were also a domain controller. You state that this machine is directly reachable from the whole of Internet. If such a machine is a domain controller, then you should re-think your network organization now. You'd be exposing an awful lot of internal services to the public, not just proxy DNS service. So let's work on the presumption that this isn't a domain controller.

Since it isn't a domain controller, and is merely a member server, you don't have the requirement that the DNS client on the machine should use the machine's own DNS server (or, initially, another domain controller's DNS server) for proxy DNS service, that is the case for domain controllers. If you had, you wouldn't be able to turn off proxy DNS service on the machine's DNS server. Fortunately, it isn't a domain controller, and its DNS client can use some other machine for proxy DNS service, not itself.

The DNS client on the member server machine still has to use an internal proxy DNS server, though. You cannot just point it at some external DNS server like those provided by your ISP, Google, or any other party that doesn't know all of the DNS data that Active Directory is using on your LAN. You can point the machine's DNS client at the DNS server on one or more of your domain controllers, though. This is fairly simple, and is what you are — after all — already doing on all of your workstations on your LAN. The DNS client on your member server need merely be configured like the DNS clients on all of your workstations are.

Given that your machine's DNS client isn't using the DNS server running on the machine for proxy DNS service, you then simply configure Microsoft's DNS server to not provide proxy DNS service of any form to anyone.

Further reading

• Jonathan de Boyne Pollard (2000,2004,2007). "Content" and "proxy" DNS servers. Frequently Given Answers.
• Jonathan de Boyne Pollard (2000,2004,2007). The IP addresses on which proxy servers should be configured to listen. Frequently Given Answers.
• Jonathan de Boyne Pollard (2003,2010). Whence one obtains proxy DNS service. Frequently Given Answers.
• Jonathan de Boyne Pollard (2003). Providing content DNS service with an all-the-hats-at-once DNS server software.. Frequently Given Answers.
• Jonathan de Boyne Pollard (2003). Your fallback proxy DNS servers must provide the same view of the DNS namespace as your principal one.. Frequently Given Answers.
• Microsoft corporation (2007-01-31). Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003. ID 825036.
• Nirmal Sharma (2007-09-23). SRV Records Of Domain Controller In DNS Domain Zone. ID 556006. Microsoft Support.

Answer 2

It's a good idea not to provide recursive lookup functionality to the entire Internet, so configuring your DNS server to only answer queries it's authoritative for is a Good Thing^TM.

On the surface it sounds like the conclusion you've reached in your last paragraph is a good one: Configure the server's own TCP/IP settings to use a DNS server that is authorized to provide recursive lookups. The DNS Server process doesn't use the DNS servers configured in the TCP/IP settings on the server computer's NIC for anything in particular. Rather, it forwards requests (or uses root hints) based on the DNS Server configuration.

When the applications running on the server attempt to query for domains the DNS Server running on that machine is authoritative for the request, ultimately, will make it to the DNS Server process running on that machine and the query would be answered.

Answer 3

As Evan stated in his answer, your applications need to use the DNS client component on the server, which is wholly independent from the DNS server component. The DNS server component can be configured to not perform recursion, allowing it to answer queries submitted to it only for the DNS zones that it's authoritative for.

The applications can use the DNS servers configured in the TCP/IP properties of the relevant NIC, which can be configured to use any DNS servers that will perform recursion (such as Google's DNS servers). The DNS servers configured in TCP/IP properties of the relevant NIC don't need to point to the DNS server running on that same server.

Answer 4

I just recently had the same issue and our DNS server was being used for amplification attacks. But I need to keep recursion on for our other internal servers.

If you have a Cisco router, here is a possible fix. I moved our external DNS to a Cisco 7200VXR router and configured it to reply only to specific DNS zones. It will query the internal DNS servers so you don't have to enter everything in two places.

Here is a snippet of the Cisco config that I used:

ip dns view default
 dns forwarder 192.168.0.xx (internal DNS server)
 domain round-robin

ip dns view-list default
 view default 1
  restrict name-group 1

ip dns name-list 1 permit abc.com
ip dns name-list 1 permit def.com
ip dns name-list 1 permit anyotherdomainthatyouhost.com
ip dns name-list 1 permit 3.2.1.in-addr.arpa (needed for reverse PTR lookups)

interface fastethernet0/0 (the interface where the IP address is that will host DNS)
 ip dns view-group default
 ip address 1.2.3.4 secondary (use the public facing IP you will use to host DNS)

ip dns server

Also, don't forget to allow DNS packets in to the router with an access list, such as:

permit udp any host 1.2.3.4 eq domain