Why recursive Microsoft DNS servers should not be publicly reachable

US-CERT Alert (TA13-088A) DNS Amplification Attacks sums it up quite nicely. This also means that you should not publish authoritative DNS zones (which need to be publicly reachable by design) on a recursive Microsoft DNS server (which services internal DNS clients).

Limiting Recursion to Authorized Clients

For DNS servers that are deployed within an organization or ISP to support name queries on behalf of a client, the resolver should be configured to only allow queries on behalf of authorized clients.  These requests should typically only come from clients within the organization’s network address range.

BIND9

In the global options, add the following [10]:

// Address ranges of the clients this server resolves for
acl corpnets { 192.168.1.0/24; 192.168.2.0/24; };
options {
  allow-query { corpnets; };      // who may ask anything at all
  allow-recursion { corpnets; };  // who may have us recurse on their behalf
};

Microsoft DNS Server

It is not currently possible to restrict recursive DNS requests to a specific client address range in Microsoft DNS Server. The most effective means of approximating this functionality is to configure the internal DNS server to forward queries to an external DNS server and to use the firewall to restrict port 53 UDP traffic to the internal server and the external forwarder [11].
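Whichever server you run, the outcome worth verifying is the same: a host outside the permitted ranges must not get recursive answers. The following check is added here (it is not from the alert or the original post): it sends one recursion-desired query for a name the server does not host and classifies the reply from its header flags; the address 192.0.2.53 is a documentation-range placeholder.

```python
import socket
import struct
import sys

# DNS header flag bits (RFC 1035 section 4.1.1) and the REFUSED rcode.
QR, RD, RA = 0x8000, 0x0100, 0x0080
RCODE_REFUSED = 5


def build_query(name, qid=0x1234):
    """Build a single A/IN question with RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(resp, qid=0x1234):
    """Classify a raw reply: 'open', 'refused', 'recursion-unavailable' or 'unknown'."""
    if len(resp) < 12:
        return "unknown"
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid or not flags & QR:
        return "unknown"  # not a reply to our question
    rcode = flags & 0x000F
    if rcode == RCODE_REFUSED:
        return "refused"  # e.g. BIND allow-query denied this client
    if flags & RA and rcode == 0 and an > 0:
        return "open"  # the server recursed on our behalf: an open resolver
    return "recursion-unavailable"  # RA clear, referral or SERVFAIL: recursion denied


def probe(server, name="example.com", timeout=3.0):
    """Send one recursive query over UDP/53 and classify the answer.
    Use a name the server is not authoritative for; an authoritative
    answer (RA clear, AA set) would otherwise be misread."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        try:
            resp, _ = sock.recvfrom(512)
        except socket.timeout:
            return "no-response"  # dropped by the firewall: also closed
    return classify_response(resp)


if __name__ == "__main__":
    # 192.0.2.53 is a documentation-range placeholder; pass your own server.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"
    print(target, probe(target))
```

Run it from an address outside the permitted ranges; anything other than "open" means the restriction (or the firewall rule in front of the Microsoft server) is doing its job.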
