We're preparing to implement this DNS patch in our enterprise, and something occurred to me that I thought someone out there might have insight on. In addition to our AD-integrated DNS infrastructure, we manage external-facing DNS for our company on two Windows servers. Because we're no longer forwarding non-authoritative queries from internal to these, we've disabled recursion on the external DNS boxes (so they're responsive only to queries for zones they're authoritative for). With that sort of configuration, are these external boxes even affected by the new DNS vulnerability? Thanks for any input.
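One way to confirm from outside that recursion is really off on external servers like the ones described above, as an added example that is not part of the original post: send a query with the RD bit set for a name the server is not authoritative for, then read the RA bit and RCODE in the reply header. The function names and the sample header bytes are constructed for illustration.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Encode an A query with RD=1, i.e. explicitly ask the server to recurse."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(response):
    """Interpret the 12-byte DNS header of a reply to a build_query() probe."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    ra = bool(flags & 0x0080)      # Recursion Available
    aa = bool(flags & 0x0400)      # Authoritative Answer
    rcode = flags & 0x000F
    if ra:
        verdict = "recursion offered"
    elif rcode == 5:
        verdict = "refused"
    elif answers == 0:
        verdict = "no recursion, no answer"   # referral or empty reply
    elif aa:
        verdict = "authoritative answer"
    else:
        verdict = "non-authoritative data returned"
    return {"ra": ra, "aa": aa, "rcode": rcode, "answers": answers, "verdict": verdict}

def probe(server, outside_name, timeout=3.0):
    """Send the probe over UDP/53; outside_name must be a zone the server does not host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(outside_name), (server, 53))
        data, _ = s.recvfrom(4096)
    return classify(data)

# Constructed reply headers (not captured traffic) so the logic can be checked offline.
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)    # QR, RD, RCODE=5
SAMPLE_REFERRAL = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 13, 0)  # QR, RD, NS only
SAMPLE_RECURSED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR, RD, RA, 1 answer

if __name__ == "__main__":
    for label, raw in [("refused", SAMPLE_REFUSED), ("referral", SAMPLE_REFERRAL),
                       ("recursed", SAMPLE_RECURSED)]:
        print(label, classify(raw))
```

A reply with RA clear and either a refusal or no answer for an outside name matches a recursion-disabled configuration; `recursion offered` means the server still resolves on behalf of the client.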