Dear Community
We have a customer who operates hosting and uses a Windows Server 2019 as DNS for his hosting customers and for which we occasionally receive complaints about this being an open resolver prone to DNS amplification attacks.
Customer's requirements:
* DNS reachable from the Internet, for the domains he is authoritative for.
* DNS recursion available for hosting customers in his IP range.
He tells me that he can only switch recursion on and off completely, but not restrict the IP ranges for which it shall be available.
My quick search via Google also only revealed how to turn recursion off completely on a Windows Server 2019.
Hopefully some Microsoft guru on this list can tell how to restrict recursive access to certain IP ranges?
I think you can do it with a policy. Look at these PowerShell commands; there are a lot of possibilities: https://docs.microsoft.com/en-us/powershell/module/dnsserver/add-dnsserverqu...
Greetings Michael
On 01.11.2021 14:37, Benoît Panizzon wrote:
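The policy approach Michael points at, written out as an added example (not code from the thread or from Microsoft): Windows Server 2016 and later DNS policies with "recursion scopes" let the server stay authoritative for every client while recursing only for the named client subnets. The subnet ranges and the names HostingCustomers, CustomerRecursion and RecurseForCustomersOnly are placeholders; the cmdlets are from the DnsServer module that ships with the DNS role.

```powershell
# Added example (not from the thread): restrict recursion to the customer's
# own prefixes with a DNS policy. Run in an elevated PowerShell on the DNS
# server. All subnet values and object names below are placeholders.

# 1. Name the client prefixes that may use recursion (placeholder ranges).
Add-DnsServerClientSubnet -Name "HostingCustomers" `
    -IPv4Subnet "203.0.113.0/24","198.51.100.0/24" `
    -IPv6Subnet "2001:db8:100::/48"

# 2. Create a recursion scope that recurses, then switch the default
#    scope (".") off. Any query not matched by a policy is handled by the
#    default scope, so Internet clients get authoritative answers only.
Add-DnsServerRecursionScope -Name "CustomerRecursion" -EnableRecursion $true
Set-DnsServerRecursionScope -Name "." -EnableRecursion $false

# 3. Policy: queries whose source is in the allowed client subnet are
#    resolved through the recursing scope; everything else stays in ".".
Add-DnsServerQueryResolutionPolicy -Name "RecurseForCustomersOnly" `
    -Action ALLOW -ApplyOnRecursion `
    -RecursionScope "CustomerRecursion" `
    -ClientSubnet "EQ,HostingCustomers"

# 4. Optional: response rate limiting on the authoritative side reduces
#    the amplification value of the zones the server must keep serving.
Set-DnsServerResponseRateLimiting -Mode Enable

# 5. Show what is now configured.
Get-DnsServerClientSubnet
Get-DnsServerRecursionScope
Get-DnsServerQueryResolutionPolicy
```

To check the result, query a name the server is not authoritative for (for example with `Resolve-DnsName -Name www.example.org -Server <server-ip> -DnsOnly`) once from inside a listed customer range and once from outside: only the inside query should resolve, while a query for one of the hosted zones must still be answered from both. If the same server is also the DNS for an Active Directory domain, the client subnets of those domain members have to be in the allowed subnet as well, otherwise they lose name resolution for everything outside the AD zones.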
Hi,
There is an option for disabling recursion, but nothing for restricting IP ranges (Server Properties / Advanced / Disable Recursion).
Globally, we recommend disabling recursion on authoritative servers, which is good practice in terms of security.
Best regards,
Rémy DUCHET Founder & CEO
Chemin du Curé-Desclouds 2, CH-1226 THONEX +41 (0)22 869 04 40
www.csti.ch
-----Original Message-----
From: swinog-bounces@lists.swinog.ch On Behalf Of Benoît Panizzon
Sent: Monday, 1 November 2021 14:37
To: swinog@lists.swinog.ch
Subject: [swinog] Disable Recursion on Windows Server 2019
On 1 Nov 2021, at 14:37, Benoît Panizzon benoit.panizzon@imp.ch wrote:
Dear Community
We have a customer who operates hosting and uses a Windows Server 2019 as DNS for his hosting customers and for which we occasionally receive complaints about this being an open resolver prone to DNS amplification attacks.
Customer's requirements:
- DNS reachable from the Internet, for the domains he is authoritative for.
- DNS recursion available for hosting customers in his IP range.
Hopefully, in 2021, that means two distinct services... (at least distinct IPs, and of course software that listens separately)
He tells me that he can only switch recursion on and off completely, but not restrict the IP ranges for which it shall be available.
My quick search via Google also only revealed how to turn recursion off completely on a Windows Server 2019.
Easy mode:
Firewall inbound destination port 53, both UDP + TCP unless it is a customer prefix. Bonus: only allow outbound port 53 TCP/UDP.
That does mean that your DNS server can never use port 53 as a source, but that should not happen due to port randomization.
Other version: use dnsdist in front of your Windows DNS server and configure that properly.
Greets, Jeroen
On 1 Nov 2021, at 19:15, Michael Righter m@righter.ch wrote:
You cannot block inbound. Because there are public domains on the server which have to be accessible from public.
You are saying that in 2021 this person operates a shared auth & recursive DNS server..... and connected that to the Internet...
yeah, not following best practices is silly...
Dnsdist would also be my preferred solution. But I don't think he can handle that, when he is running a DNS server on a Windows machine :-)
One should not be operating things connected to the Internet when one cannot configure them to be good netizens...
Many folks run Windows DNS due to Active Directory
But Windows has WSL2, so... dnsdist is an option...
Greets, Jeroen
Am 01.11.2021 18:05 schrieb Jeroen Massar jeroen@massar.ch:
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Split the resolver from the authoritative service, and use Linux for user-facing services. What else :)
On Mon, Nov 1, 2021 at 2:40 PM Benoît Panizzon benoit.panizzon@imp.ch wrote: