NT4 Microsoft DNS - Restrict Recursive Queries

Discussion in 'DNS Server' started by Wayne & Carr, May 18, 2006.

  1. Wayne & Carr

    Wayne & Carr Guest

    Hello All;

    Doing a check on DNSReport.com, I just found out that our DNS server, which
    is running on NT4 Server running Microsoft DNS, is doing [Recursive Queries].

    This is what DNSReport.com reported (IP addresses are not listed here):

    ==================================================================
    ERROR: One or more of your nameservers reports that it is an open DNS
    server. This usually means that anyone in the world can query it for domains
    it is not authoritative for (it is possible that the DNS server advertises
    that it does recursive lookups when it does not, but that shouldn't happen).
    This can cause an excessive load on your DNS server. Also, it is strongly
    discouraged to have a DNS server be both authoritative for your domain and
    be recursive (even if it is not open), due to the potential for cache
    poisoning (with no recursion, there is no cache, and it is impossible to
    poison it). Also, the bad guys could use your DNS server as part of an
    attack, by forging their IP address. Problem record(s) are:
    ==================================================================

    How can I physically check if our Microsoft DNS Server is doing what this
    reports that it is doing?
    It has been a while since I have checked this site out, but the last time I
    did, (Still the same configuration)
    It was not reporting this issue?

    Thanks All
    Wayne
     
    Wayne & Carr, May 18, 2006
    #1

  2. They just added this test recently, and there have been many questions here
    about how to disable recursion. The problem is, if you have any clients
    using them as DNS resolvers, don't do it, they will no longer be able to get
    internet resolution.

    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Hope This Helps
    ===================================
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ===================================
    http://www.lonestaramerica.com/
    http://support.wftx.us/
    https://secure.lsaol.com/
    ===================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ===================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ===================================
     
    Kevin D. Goodknecht Sr. [MVP], May 18, 2006
    #2

  3. Wayne & Carr

    Wayne & Carr Guest

    Thanks "Kevin" for that important information.
    I will keep an eye out here for any further developments regarding this
    issue.

    Wayne
     
    Wayne & Carr, May 18, 2006
    #3