On 1 Nov 2021, at 14:37, Benoît Panizzon benoit.panizzon@imp.ch wrote:
Dear Community
We have a customer who operates hosting and uses a Windows Server 2019 as DNS for his hosting customers and for which we occasionally receive complaints about this being an open resolver prone to DNS amplification attacks.
Customers requirements:
- DNS reachable from the Internet, for the domains he is authoritative for.
- DNS recursion available for hosting customers in his IP range.
Hopefully, in 2021, that means two distinctive services... (at least distinct IPs, and of course software that listens separately)
He tells me that he can only switch recursion on and off completely, but not restrict the IP ranges for which it shall be available.
My quick search via Google also only revealed how to turn recursion off completely on a Windows Server 2019.
Easy mode:
Firewall inbound destination port 53, both UDP + TCP unless it is a customer prefix. Bonus: only allow outbound port 53 TCP/UDP.
That does mean that your DNS server can never use port 53 as a source, but that should not happen due to port randomization.
Other version: use dnsdist in front of your Windows DNS server and configure that properly.
Greets, Jeroen
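As an added example (not part of this thread or of any project's shipped configuration), a dnsdist configuration implementing Jeroen's second option: dnsdist on a Linux host in front of the Windows DNS server, with the Windows server listening only on an internal address and recursion left enabled there. Listener and backend addresses, customer prefixes and zone names are constructed placeholders; rule and action names assume dnsdist 1.6 or later.

```lua
-- dnsdist.conf: present one Windows DNS backend as two services:
-- authoritative for everyone, recursive only for hosting customers.

setLocal("203.0.113.53:53")            -- public listener (placeholder address)
setACL({"0.0.0.0/0", "::/0"})          -- dnsdist accepts all sources; the rules below decide
newServer({address = "10.0.0.53:53",   -- Windows Server 2019 DNS, internal only (placeholder)
           name = "win-dns"})

-- Hosting customer prefixes that may use recursion (constructed values)
customers = newNMG()
customers:addMask("198.51.100.0/24")
customers:addMask("2001:db8:100::/48")

-- Zones the backend is authoritative for (constructed values)
authZones = newSuffixMatchNode()
authZones:add(newDNSName("example.com."))
authZones:add(newDNSName("example.net."))

-- Rules are evaluated in order; the first match ends processing.

-- 1. Customers: forward untouched, so recursion stays available to them.
addAction(NetmaskGroupRule(customers), AllowAction())

-- 2. Anyone else asking for a name outside our zones: answer REFUSED from
--    dnsdist itself. Nothing reaches the backend, and the reply is as small
--    as the query, so there is no amplification to gain.
addAction(NotRule(SuffixMatchNodeRule(authZones)), RCodeAction(DNSRCode.REFUSED))

-- 3. Anyone else asking for a name inside our zones with RD set: clear RD
--    before forwarding, so the backend answers from zone data only.
addAction(RDRule(), SetNoRecurseAction())
```

Source addresses are still forgeable, so this limits where recursive answers can be sent (into the customer prefixes) rather than authenticating the sender; keep the Windows DNS server unreachable on port 53 from the Internet so the backend cannot be queried directly.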