You cannot block inbound, because there are public domains on the server which have to be accessible from the public.

Dnsdist would also be my preferred solution.
But I don't think he can handle that, when he is running a DNS server on a Windows machine :-)

On 01.11.2021 18:05 Jeroen Massar <jeroen@massar.ch> wrote:

> On 1 Nov 2021, at 14:37, Benoît Panizzon <benoit.panizzon@imp.ch> wrote:
>
> Dear Community
>
> We have a customer who operates hosting and uses a Windows Server 2019
> as DNS for his hosting customers and for which we occasionally receive
> complaints about this being an open resolver prone to DNS amplification
> attacks.
>
> Customers requirements:
>
> * DNS reachable from the Internet, for the domains he is authoritative
>  for.
> * DNS recursion available for hosting customers in his IP range.

Hopefully, in 2021, that means two distinctive services... (at least distinct IPs, and of course software that listens separately)

> He tells me, that he can only switch recursion on and off completely,
> but not restrict the IP ranges for which it shall be available.
>
> My quick search via Google, also only revealed how to turn recursion
> off completely on a Windows Server 2019.

Easy mode:

Firewall inbound destination port 53, both UDP + TCP unless it is a customer prefix.
Bonus: only allow outbound port 53 TCP/UDP.

That does mean that your DNS server can never use port 53 as a source, but that should not happen due to port randomization.

Other version: use dnsdist in front of your Windows DNS server and configure that properly.

Greets,
Jeroen
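The dnsdist approach both replies prefer, as an added example that is not part of the original thread and not from either poster: dnsdist runs on a separate Unix host or VM in front of the Windows DNS server, hosting customers in the listed prefixes may send any query (so recursion keeps working for them), everyone else may only query names under the zones the server is authoritative for, and anything else is answered with REFUSED so the box can no longer be used as an open resolver for amplification. The listen address, the backend address, the customer prefixes and the zone names are constructed placeholders, not values from the thread.

```lua
-- dnsdist configuration (added example, constructed values).
-- dnsdist listens on the public address; the Windows DNS server sits behind it.
setLocal("198.51.100.10:53")                 -- placeholder public IP of the dnsdist host
setACL({"0.0.0.0/0", "::/0"})                 -- accept packets from everyone; the rules below decide what is answered
newServer({address="192.168.10.5:53", name="windows-dns"})  -- placeholder address of the Windows DNS server

-- Hosting customer prefixes that are allowed to use recursion (constructed examples).
customers = newNMG()
customers:addMask("203.0.113.0/24")
customers:addMask("2001:db8:100::/48")

-- Zones the Windows server is authoritative for (constructed examples).
authZones = newSuffixMatchNode()
authZones:add(newDNSName("example.com"))
authZones:add(newDNSName("example.net"))

-- Rule 1: queries from customer prefixes go through unchanged, recursion included.
addAction(NetmaskGroupRule(customers), AllowAction())

-- Rule 2: anyone on the Internet may query names inside the authoritative zones.
addAction(SuffixMatchNodeRule(authZones), AllowAction())

-- Rule 3: everything else (i.e. recursion requested from outside the customer
-- prefixes) gets a REFUSED answer. A REFUSED reply carries no records and so is
-- not larger than the query, which removes the amplification factor.
addAction(AllRule(), RCodeAction(DNSRCode.REFUSED))
```

Rules are evaluated in order and AllowAction stops further processing, so the order of the three addAction lines matters. If a reply of any size is unwanted for refused traffic, DropAction() can replace RCodeAction(DNSRCode.REFUSED); clients then time out instead of getting an error. The Windows server itself should keep listening only on its internal address (192.168.10.5 in this example) so that the public path always passes through dnsdist.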

_______________________________________________
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog