Disabling Recursion in win 2003 DNS Server

Discussion in 'DNS Server' started by eng-soft05, Apr 26, 2005.

  1. eng-soft05

    eng-soft05 Guest

    I'm going through the process of securing my email server, which runs on a
    Windows 2003 server, Standard Edition. An article I came across suggested
    disabling recursion in DNS. Does this affect the server itself, as it has IIS
    running etc. for local web apps?

    Also, does this stop the server from having internet access?

    It is standalone and not in my network's domain.
     
    eng-soft05, Apr 26, 2005
    #1

  2. Disabling recursion (Advanced tab) will stop DNS from resolving any name
    which it does not own in its zones. You would not want a mail server to use
    a non-recursive DNS server. Doing this is setting the mail server up to not
    be able to deliver e-mail.
    One thing I would do on a mail server is point it to a DNS server in the
    ORSC Root, rather than the ICANN Root. The ORSC Root includes the ICANN Root
    plus several other Roots and can resolve several hundred more TLDs than the
    ICANN Root.
    I run a Secondary ORSC Root zone on all my DNS servers.

    If you want to set up an ORSC secondary root, create a new secondary zone,
    name it with a dot "." and use these DNS servers as the masters:
    195.206.104.13, 199.166.24.1, 199.166.24.12, then do a zone transfer to
    populate the zone the first time. If all worked OK, the new root zone will be
    in place and you won't need to manually update it; the DNS will take care of
    doing so when needed.



    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
    ===================================
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ===================================
    http://www.lonestaramerica.com/
    ===================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ===================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ===================================
     
    Kevin D. Goodknecht Sr. [MVP], Apr 26, 2005
    #2

  3. eng-soft05

    eng-soft05 Guest

    Thanks for the info. What I'm trying to do is secure my email server. I've
    already done the SPF records etc.

    I found an article that suggested this

    Background:
    There are three primary factors that attribute to the spammers' ability
    to steal your DNS resources:
    1) Exposed name server configured to act recursively
    2) DNS susceptibility to cache poisoning attacks
    3) Poor validation by domain name registrars

    http://www.securityfocus.com/archive/1/336958

    It mentions a recursive server being a vulnerability.

    Is there another method of securing the email server?
     
    eng-soft05, Apr 26, 2005
    #3
  4. You can disable recursion on the DNS that is Authoritative for the Domain,
    but you *cannot* use a *non-recursive* DNS as a DNS resolver for the mail
    server.
    The mail server must be able to resolve other domains to send out mail. A
    non-recursive DNS cannot resolve domains it does not have a zone for.

    Both of my DNS servers that host public zones have Recursion disabled, but I
    have two other DNS servers that my mail server uses to resolve external
    queries. None of my local machines use my non-recursive DNS servers.


     
    Kevin D. Goodknecht Sr. [MVP], Apr 26, 2005
    #4
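A quick way to verify the split Kevin describes (a public authoritative server that will not resolve names outside its own zones, and a separate resolver for the mail server) is to send a query with the RD bit set for a name the server is not authoritative for and inspect the RA bit and RCODE in the reply. The Python script below is an added example, not code from this thread; the sample response bytes are constructed for illustration and `probe()` is meant to be run against your own servers.

```python
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR = 0x8000           # response
RD = 0x0100           # recursion desired (set by the client)
RA = 0x0080           # recursion available (set by a server willing to recurse)
RCODE_REFUSED = 5

def build_query(qname, txid=0x1234, qtype=1):
    """Build a minimal UDP A query for qname with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def classify_response(resp, txid=0x1234):
    """Classify a reply to a recursive query for a name the server does not own."""
    if len(resp) < 12:
        return "malformed"
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & QR:
        return "malformed"
    if flags & 0x000F == RCODE_REFUSED:
        return "refused"                 # recursion disabled, and the server says so
    if flags & RA:
        return "recursion-available"     # server will resolve outside names: open resolver if exposed
    return "recursion-not-offered"       # RA clear: server will not recurse (often a referral)

def probe(server, qname="www.example.com", timeout=2.0):
    """Send the query over UDP to one of your own servers and classify the reply."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            resp, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-response"
    return classify_response(resp)

# Constructed sample response headers (not real captures), all using txid 0x1234
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)     # QR|RD|RA, NOERROR, 1 answer
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)  # QR|RD, RCODE=REFUSED
SAMPLE_NO_RA = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 13, 0)   # QR|RD, no RA, referral-style

if __name__ == "__main__":
    for label, sample in [("open", SAMPLE_OPEN), ("refused", SAMPLE_REFUSED), ("no-ra", SAMPLE_NO_RA)]:
        print(label, classify_response(sample))
```

Run `probe()` against the public authoritative server and against the resolver the mail server uses: the first should come back as "refused" or "recursion-not-offered", the second as "recursion-available".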
  5. One can also specify a specific outside DNS server in SMTP properties of an
    Exchange server to let SMTP use this other "outside" DNS server to resolve
    external names instead of the configured DNS in NIC properties. This will
    not affect domain communication and is just used to resolve outside names.

    If the poster disabled recursion on his/her internal DNS (as per the
    original post), it will not affect any internal local websites configured in
    IIS that the internal users need to get to. It will only, as you've stated
    twice so far Kevin, affect resolving external names or, more specifically,
    zone names that are not configured on the internal DNS server.

    --
    Regards,
    Ace

    Please direct all replies ONLY to the Microsoft public newsgroups
    so all can benefit.

    This posting is provided "AS-IS" with no warranties or guarantees
    and confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft Windows MVP - Windows Server - Directory Services
    Infinite Diversities in Infinite Combinations.
    =================================
     
    Ace Fekay [MVP], Jun 21, 2005
    #5