On 1 Nov 2021, at 19:15, Michael Righter m@righter.ch wrote:
You cannot block inbound. Because there are public domains on the server which have to be accessible from public.
You are saying that in 2021 this person operates a shared auth & recursive DNS server..... and connected that to the Internet...
yeah, not following best practices is silly...
Dnsdist would also be my preferred solution. But I don't think he can handle that, when he is running a DNS server on a Windows machine :-)
One should not be operating things connected to the Internet when one cannot configure them to be good netizens...
Many folks run Windows DNS due to Active Directory
But Windows has WSL2, so... dnsdist is an option...
Greets, Jeroen
Am 01.11.2021 18:05 schrieb Jeroen Massar jeroen@massar.ch:
On 1 Nov 2021, at 14:37, Benoît Panizzon benoit.panizzon@imp.ch wrote:
Dear Community
We have a customer who operates hosting and uses a Windows Server 2019 as DNS for his hosting customers and for which we occasionally receive complaints about this being an open resolver prone to DNS amplification attacks.
Customer's requirements:
- DNS reachable from the Internet, for the domains he is authoritative for.
- DNS recursion available for hosting customers in his IP range.
Hopefully, in 2021, that means two distinct services... (at least distinct IPs, and of course software that listens separately)
He tells me that he can only switch recursion on and off completely, but not restrict the IP ranges for which it shall be available.
My quick search via Google also only revealed how to turn recursion off completely on a Windows Server 2019.
Easy mode:
Firewall inbound destination port 53, both UDP + TCP unless it is a customer prefix. Bonus: only allow outbound port 53 TCP/UDP.
That does mean that your DNS server can never use port 53 as a source, but that should not happen due to port randomization.
Other version: use dnsdist in front of your Windows DNS server and configure that properly.
Greets, Jeroen
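The dnsdist front-end suggested in the thread, written out as an added example (not a configuration posted by anyone on the list): dnsdist listens on the public address, lets the customer prefixes through unchanged (so they get recursion from the Windows server behind it), and for everyone else only passes queries for the hosted zones with the RD bit cleared, refusing the rest. The listener address, backend address, customer prefixes and zone names are placeholders.

```lua
-- dnsdist.conf (Lua). All addresses and zone names below are assumed placeholders.
setLocal("203.0.113.10:53")                          -- public-facing listener
newServer({address = "10.0.0.5:53", name = "win-dns"}) -- Windows Server 2019 DNS, recursion left ON

-- dnsdist's own ACL defaults to private ranges only; open it and let the rules decide.
setACL({"0.0.0.0/0", "::/0"})

-- Hosting customers who are entitled to recursion.
local customers = newNMG()
customers:addMask("198.51.100.0/24")
customers:addMask("2001:db8:100::/48")

-- Zones the Windows server is authoritative for (must be reachable by anyone).
local authZones = {"example.com.", "example.net."}

-- 1. Customers: forward as-is, recursion allowed.
addAction(NetmaskGroupRule(customers), AllowAction())

-- 2. Everyone else, hosted zone: strip RD so the backend never recurses
--    (e.g. for a sub-zone delegated elsewhere), then forward.
--    SetNoRecurseAction() is the 1.6+ name; older releases call it NoRecurseAction().
addAction(QNameSuffixRule(authZones), SetNoRecurseAction())
addAction(QNameSuffixRule(authZones), AllowAction())

-- 3. Everything else from the Internet: REFUSED, answered by dnsdist itself,
--    so the open-resolver / amplification complaints stop at the edge.
addAction(AllRule(), RCodeAction(DNSRCode.REFUSED))
```

Check it from outside the customer prefix with a query for a name you do not host (expect REFUSED) and one for a hosted zone (expect an authoritative answer with RA-only semantics), and from inside the prefix with a recursive query (expect a normal answer).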
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog