2

I have a single win2008 server configured to use VPN and Remote Desktop. My host provider demanded I remove recursive DNS.

If I go to the DNS role / group / properties / advanced and click disable recursive, after that I lose internet access. I can't navigate.

I changed to BIND but had the same problem.

On this server I need access to the internet for some web services, so I can't just leave it like this. How do I keep recursive DNS off and still retain the ability to navigate the internet?

Katherine Villyard
Pablote
    Make the DNS server not publicly accessible from the Internet by making it listen only on internal addresses. See: [Restrict a DNS server to listen only on selected addresses](https://technet.microsoft.com/en-ca/library/cc755068.aspx?f=255&MSPPError=-2147217396) – Brian Jan 21 '16 at 20:47
  • Why are you running the DNS Server role on this server? – joeqwerty Jan 21 '16 at 22:01
  • joeqwerty, the first time I turned it on it was to configure the remote connections and an internal LAN, but I tried to remove the role and got the same problem: the internet doesn't work. – Pablote Jan 22 '16 at 07:03

2 Answers

1

You need to configure forwarders. To quote from the linked article:

  • Click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.
  • In the console tree, click the name of the DNS server you wish to configure.
  • On the Action menu, click Properties.
  • Click the Forwarders tab.
  • Modify the list of forwarders as follows:
    • To add a forwarder to the list, click Edit, specify the name and IP address of the server to be added to the list, and then click OK.
    • To modify a forwarder in the list, click Edit, click the forwarder you wish to configure, modify the name or IP address of the forwarder, and then click OK.
    • To remove a forwarder from the list, click Edit, click the forwarder you wish to remove, clear the IP address field, and then click OK.

You also need to block access to DNS on your server from outside your internal domain.

Note: If your server has a legitimate need to perform DNS recursion (example - you have applications that need to resolve external DNS), you can alternately disable and/or scope the local Windows Firewall rule that allows incoming DNS requests.

I don't know what, if anything, else is on your network, but you can:


  • Tell your DNS server which IP addresses to answer DNS queries on. This is in server properties, like the information above, but on the Interfaces tab.


  • Block DNS at an external firewall.
Katherine Villyard
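The three steps in the answer above, scripted for Windows Server 2008 with the tools that ship on it (dnscmd for the DNS settings, netsh for the host firewall). This is an added example, not code from the answer or from Microsoft's documentation. The addresses are constructed placeholders, and the firewall rule display names are the ones the DNS Server role registers, assumed here to be unchanged. One detail worth knowing before running it: the Advanced-tab checkbox the asker ticked is labelled "Disable recursion (also disables forwarders)", so turning it on also switches off forwarding, which is why the server lost the ability to look up external names. The script therefore turns recursion back on and instead restricts who can reach the resolver, which is what removes the open-resolver exposure Brian's answer describes.

```powershell
# Added example, not from the Server Fault answers above.
# Locks down the Windows Server 2008 DNS Server role so that it answers only
# the LAN while still resolving external names for the server's own services.
# Run from an elevated PowerShell prompt on the DNS server itself.
# Every address below is a constructed placeholder: replace it with your own.

$InternalIP  = '10.0.0.5'                          # LAN address the DNS service should listen on
$InternalNet = '10.0.0.0/24'                       # clients allowed to query it
$Forwarders  = @('203.0.113.53', '203.0.113.54')   # your provider's resolvers (placeholders)

# Inbound firewall rules the DNS Server role registers (display names assumed unchanged).
$DnsRules = @('DNS (UDP, Incoming)', 'DNS (TCP, Incoming)')

function Assert-LastExitCode {
    # dnscmd and netsh report failure only through their exit code, so stop
    # the script rather than leave the server half-configured.
    param([string]$Step)
    if ($LASTEXITCODE -ne 0) { throw "$Step failed with exit code $LASTEXITCODE" }
}

# 1. Interfaces tab: bind the DNS service to the internal address only, so the
#    public address no longer has a resolver listening on it at all.
dnscmd /ResetListenAddresses $InternalIP
Assert-LastExitCode 'dnscmd /ResetListenAddresses'

# 2. Advanced tab: make sure recursion is enabled again. Ticking
#    "Disable recursion (also disables forwarders)" is what broke browsing.
dnscmd /Config /NoRecursion 0
Assert-LastExitCode 'dnscmd /Config /NoRecursion 0'

# 3. Forwarders tab: send every query the server is not authoritative for to
#    the forwarders instead of walking the root servers itself.
dnscmd /ResetForwarders $Forwarders
Assert-LastExitCode 'dnscmd /ResetForwarders'

# 4. Host firewall: scope the inbound DNS rules to the LAN, so that even if the
#    listen addresses are widened later, port 53 still cannot be reached from
#    the Internet through the Windows Firewall.
foreach ($Rule in $DnsRules) {
    netsh advfirewall firewall set rule name="$Rule" dir=in new remoteip=$InternalNet
    Assert-LastExitCode "netsh set rule '$Rule'"
}

# 5. Read the settings back so the change can be checked before logging off.
dnscmd /Info
foreach ($Rule in $DnsRules) { netsh advfirewall firewall show rule name="$Rule" }
```

Step 4 is belt-and-braces on top of step 1; the external firewall mentioned in the answer is a third layer that does not depend on the server's own configuration at all. After the script, a query to the public address should get no reply, while a query from the LAN to 10.0.0.5 (or whatever you put in $InternalIP) for an external name should still succeed.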
1

By default the DNS server listens on all interfaces / IP addresses. Most DNS servers set to allow recursive queries should not be listening on a public interface / IP address. Doing so allows them to be used in a DNS amplification attack (a type of DDoS), ref: US-CERT DNS Amplification Attacks.

Configure the DNS server to only listen on internal addresses.

dnscmd <ServerName> /ResetListenAddresses [<ListenAddress> ...]

For help:

dnscmd <ServerName> /ResetListenAddresses /help 

TechNet: [Restrict a DNS server to listen only on selected addresses](https://technet.microsoft.com/en-ca/library/cc755068.aspx)

Brian
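A way to verify both answers took effect, written as an added example (not part of either answer). It sends one recursive query (RD bit set) for a name the server is not authoritative for and reports the flags in the reply, so you can confirm from outside the LAN that the server no longer recurses for strangers, and from inside that it still does for your own machines. The function names New-DnsQuery and Test-DnsRecursion are my own, the addresses are constructed placeholders, and it needs only .NET classes, so it runs on any Windows host with PowerShell 3 or later.

```powershell
# Added example: minimal open-resolver self-check using a hand-built DNS query.
# Not part of the Server Fault answers; function names and addresses are mine.

function New-DnsQuery {
    # Build a DNS query packet: 12-byte header plus one question (type A, class IN).
    param([string]$Name, [uint16]$Id)
    $bytes = New-Object System.Collections.Generic.List[byte]
    $bytes.Add([byte]($Id -shr 8)); $bytes.Add([byte]($Id -band 0xFF))
    $bytes.AddRange([byte[]](0x01, 0x00))          # flags: RD=1, everything else 0
    $bytes.AddRange([byte[]](0x00, 0x01))          # QDCOUNT = 1
    $bytes.AddRange([byte[]](0, 0, 0, 0, 0, 0))    # ANCOUNT, NSCOUNT, ARCOUNT = 0
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $lab = [System.Text.Encoding]::ASCII.GetBytes($label)
        $bytes.Add([byte]$lab.Length); $bytes.AddRange($lab)
    }
    $bytes.Add(0)                                   # root label terminates the name
    $bytes.AddRange([byte[]](0x00, 0x01, 0x00, 0x01)) # QTYPE = A, QCLASS = IN
    return $bytes.ToArray()
}

function Test-DnsRecursion {
    # Returns $null when nothing answers (not listening on that address, or
    # blocked by a firewall); otherwise an object describing the reply flags.
    param(
        [string]$Server,
        [string]$Name = 'example.com',   # a zone the server is NOT authoritative for
        [int]$TimeoutMs = 3000
    )
    $id    = [uint16](Get-Random -Minimum 1 -Maximum 65535)
    $query = New-DnsQuery -Name $Name -Id $id
    $udp   = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Server, 53)
        [void]$udp.Send($query, $query.Length)
        $remote = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $resp   = $udp.Receive([ref]$remote)
    } catch [System.Net.Sockets.SocketException] {
        return $null
    } finally {
        $udp.Close()
    }

    # Sanity-check the reply before trusting its flags.
    if ($resp.Length -lt 12 -or ((($resp[0] -shl 8) -bor $resp[1]) -ne $id)) {
        throw "unexpected reply from $Server"
    }
    $flags2 = $resp[3]
    [pscustomobject]@{
        Server             = $Server
        RecursionAvailable = [bool]($flags2 -band 0x80)   # RA bit
        RCode              = ($flags2 -band 0x0F)         # 0 = NOERROR, 5 = REFUSED
        AnswerCount        = (($resp[6] -shl 8) -bor $resp[7])
    }
}

# Usage (addresses are constructed placeholders):
# From a host OUTSIDE the LAN, against the server's public address; after the
# fix this should return $null (no reply) or RCode 5 with RecursionAvailable False.
Test-DnsRecursion -Server '198.51.100.10'
# From a LAN host, against the internal address; this should still show
# RecursionAvailable True and AnswerCount greater than 0.
Test-DnsRecursion -Server '10.0.0.5' | Format-List
```

Reading the result: a reply from the public address with RecursionAvailable True and a non-zero AnswerCount for a name you do not host means the server is still an open resolver. No reply (the listen-address change or a firewall in front) or REFUSED with RA clear is the state the hosting provider is asking for, provided the same query from the LAN still comes back answered.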