Disabling DNS Recursion on Windows Server 2008 R2 and mitigation of DNS Amplification Attacks

Over the past year DNS Amplification attacks have been worse, even to the point that the US-CERT (http://www.us-cert.gov/ncas/alerts/TA13-088A) issued a warning last month. With Linux and Unix BIND DNS Server installs a simple config change can take care of this issue however, in Microsoft’s implementation of the DNS server there is a lack of this basic functionality.

This problem is two fold on Windows if you are also using the recursive DNS servers internally for your DNS forwarders. If you are then the first step is standing up a couple of basic forwarding DNS servers. For an additional level of security I would also suggest deployment with conditional forwarders for domains which you are the root DNS server for to reduce the possibility spoofing (if not using DNSSEC), enhance internal DNS performance, and allow for internal DNS resolution to work in the event your WAN link goes down.

The second step is the actual removal of recursion on your existing DNS servers which the below step by step instructions will take of.

Load up DNS Management, right click on your DNS server and select properties.
DNS-1

Select the “Advanced” tab and check the box to “Disable recursion (also disables forwarders)”

DNS-3

Select “Apply”, then “OK”, and finally close out of the DNS management utility.

At this point we need to stop the DNS server service temporary via “net stop dns”

Now pull up Windows Explorer and navigate to %systemroot%\system32\dns, in this folder you’ll find something called “cache.dns”. This file contains the list of root-forwarders which are always active even though recursion is disabled…. anyway, rename this file to something like cache.dns.bak
DNS-4

Lastly start the DNS server back up “net start dns”

At this point validate recursion is really disabled via nslookup.

On a client system pull up a command line and perform the following

nslookup
server my_non_recursive_dns_server_ip
www.google.com
www.mydomain.org

The resolution for www.google.com should not return an IP address (unless your Google) and the address for www.mydomain.org should return an IP assuming the DNS entry is located within the zone file on the server.

With the above completed, you will no longer be a potential node in a DNS amplification attack.

Join the Conversation

3 Comments

    1. Unfortunately you can’t. With sticking on a Microsoft stack for the external-facing DNS servers I did the above. Then had a separate pair of non-authoritative recursive servers for say in your case wireless users or the kids in housing. Internally I also implemented conditional forwarders in this so anything where our DNS servers were the authoritative domain to go directly to their instead of out to the root servers (purely for better performance).

  1. I am not sure where you are getting your info, but good
    topic. I needs to spend some time learning more
    or understanding more. Thanks for fantastic information I was looking for
    this info for my mission.

Leave a comment

Your email address will not be published. Required fields are marked *