On 1 Nov 2021, at 19:15, Michael Righter <m@righter.ch> wrote:


You cannot block inbound. Because there are public domains on the server which have to be accessible from public.

You are saying that in 2021 this person operates a shared auth & recursive DNS server..... and connected that to the Internet...

yeah, not following best practices is silly...

Dnsdist would also be my preferred solution.
But I don't think he can handle that, when he is running a dns server on a windows machine :-)

One should not be operating things connected to the Internet when one cannot configure them to be good netizens...

Many folks run Windows DNS due to Active Directory

But Windows has WSL2, so... dnsdist is an option...

Greets,
 Jeroen


Am 01.11.2021 18:05 schrieb Jeroen Massar <jeroen@massar.ch>:

> On 1 Nov 2021, at 14:37, Benoît Panizzon <benoit.panizzon@imp.ch> wrote:
>
> Dear Community
>
> We have a customer who operates hosting and uses a Windows Server 2019
> as DNS for his hosting customers and for which we occasionally receive
> complaints about this being an open resolver prone to DNS amplification
> attacks.
>
> Customers requirements:
>
> * DNS reachable from the Internet, for the domains he is authoritative
>  for.
> * DNS recursion available for hosting customers in his IP range.

Hopefully, in 2021, that means two distinctive services... (at least distinct IPs, and of course software that listens separately)

> He tells me, that he can only switch recursion on and off completely,
> but not restrict the ip ranges for which it shall be available.
>
> My quick search via Google, also only revealed how to turn recursion
> off completely on a Windows Server 2019.

Easy mode:

Firewall inbound destination port 53, both UDP + TCP unless it is a customer prefix.
Bonus: only allow outbound port 53 TCP/UDP.

That does mean that your DNS server can never use port 53 as a source, but that should not happen due to port randomization.

Other version: use dnsdist in front of your Windows DNS server and configure that properly.

Greets,
Jeroen
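The dnsdist variant suggested above, written out as an added configuration example (not from the thread or from the dnsdist project): it keeps the authoritative zones reachable from the whole Internet, which is why inbound port 53 cannot simply be firewalled, while refusing recursion for everyone outside the customer prefixes. The public address 192.0.2.53, the backend 127.0.0.1:5353, the customer prefixes and the zone names are placeholders, and it assumes the Windows DNS server has been re-bound to that internal address with recursion on and is only reachable through dnsdist.

```lua
-- Added example: dnsdist in front of a Windows DNS server.
-- Placeholders: public address 192.0.2.53, Windows DNS re-bound to
-- 127.0.0.1:5353 (recursion enabled, not reachable except via dnsdist),
-- customer prefixes 198.51.100.0/24 and 2001:db8:1::/48,
-- authoritative zones example.com and example.net.

-- Public listener
setLocal("192.0.2.53:53")

-- dnsdist's default ACL only admits RFC 1918 sources; the authoritative
-- zones must be reachable by the whole Internet, so admit everyone here
-- and decide per query below.
setACL({"0.0.0.0/0", "::/0"})

-- Backend: the Windows DNS server
newServer({address="127.0.0.1:5353", name="windows-dns"})

-- Hosting customers entitled to recursion (placeholder prefixes)
local customers = newNMG()
customers:addMask("198.51.100.0/24")
customers:addMask("2001:db8:1::/48")

-- Zones this server is authoritative for (placeholder names)
local authZones = newSuffixMatchNode()
authZones:add(newDNSName("example.com."))
authZones:add(newDNSName("example.net."))

-- Large ANY answers for our own zones remain an amplification vector:
-- over UDP hand back a truncated reply so the client has to retry over TCP.
addAction(AndRule({QTypeRule(DNSQType.ANY), TCPRule(false)}), TCAction())

-- 1. Names inside our zones are answered for everyone. Match on the name
--    rather than the RD flag: resolvers querying us authoritatively usually
--    clear RD, but dig/nslookup users set it, and both are legitimate.
addAction(SuffixMatchNodeRule(authZones), AllowAction())

-- 2. Anything else is a recursion request. Refuse it unless the source is
--    a customer prefix; a REFUSED reply is no larger than the query, so it
--    cannot be used for amplification.
addAction(NotRule(NetmaskGroupRule(customers)), RCodeAction(DNSRCode.REFUSED))

-- 3. Remaining queries (customers asking about foreign names) fall through
--    to the Windows backend, which recurses for them.
```

Verify from outside the customer prefixes that a query for a foreign name returns REFUSED while a name in one of the listed zones still answers; if the Windows service is still bound to the public address, direct queries to it bypass this policy entirely.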

_______________________________________________
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog