1

I have a non-domain-joined authoritative DNS server for a zone, and I've disabled DNS recursion in the server settings. When I do a query with dig @ns1.mydomain.tld . it returns the root hints.

I've read that it's possible to create a new primary zone named "." that will act as a root zone. However, this still returns the host name of my box and some incomplete SOA information.

From my understanding, returning root hints could be used for DNS amplification attacks. What's the best practice to handle this?

mt7
  • 163
  • 1
  • 7

3 Answers

1

Sadly, you can't disable the root hints with the Windows DNS server. This does leave your machine vulnerable to being abused for DNS reflection attacks; however, most attackers look for actual recursive DNS servers.

Long term, you'd probably want to move to different DNS server software to fix this.

devicenull
  • 5,572
  • 1
  • 25
  • 31
  • Found a semi-good solution myself. You can pause the . zone. Sadly this does not survive a reboot. I would like to leave this thread open because there must be someone out there using Windows Server to serve his zones and maybe has another fix, or doesn't care :) – mt7 Mar 25 '14 at 09:04
0

You can try to remove all the root hint servers on the Root Hints tab; then it will return "Server failed" for recursive requests.
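One way to apply this advice (keep recursion off, strip the root hints) and then check the result from the outside, as an added example that is not part of any answer on this page. It assumes the DnsServer PowerShell module (Windows Server 2012 or later) and uses ns1.mydomain.tld as a placeholder for the server being hardened:

```powershell
# Added example, not from the question or answers above: make a Windows DNS server
# answer only for the zones it is authoritative for, then confirm that a query for
# "." no longer hands back the root hints. Requires the DnsServer module
# (Windows Server 2012+). $Server is a placeholder for the server being hardened.
$Server = "ns1.mydomain.tld"

# 1. Recursion off: the server should never resolve names outside its own zones.
Set-DnsServerRecursion -ComputerName $Server -Enable $false

# 2. Remove every root hint. With no root hints there is nothing left to return for
#    a "." NS query, which is what pausing a "." zone only achieved until the next reboot.
Get-DnsServerRootHint -ComputerName $Server | ForEach-Object {
    $ns = $_.NameServer.RecordData.NameServer
    Remove-DnsServerRootHint -ComputerName $Server -NameServer $ns -Force
}

# 3. Verify like an outside client would: a "." NS query must now fail (the server
#    answers SERVFAIL) instead of returning the root server list that a reflection
#    query would harvest. Resolve-DnsName raises an error on a failed query.
try {
    $answer = Resolve-DnsName -Name "." -Type NS -Server $Server -DnsOnly -ErrorAction Stop
    Write-Warning "Server still returns $($answer.Count) root hint records for '.':"
    $answer | Format-Table Name, NameHost
} catch {
    Write-Output "OK: '.' NS query refused or failed ($($_.Exception.Message))"
}
```

Run step 3 on its own from a host outside your network as a periodic check; a server that starts answering "." again (for example after root hints are re-added) shows up immediately.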

0

I know this question is a little dated, however for others looking for a good answer to this question, there is an excellent article written that walks you through how this can be done:

https://websistent.com/authoritative-dns-in-windows-server-2008/

I did not contribute to this article in any way and give full credit to the author of this article (written under "Jesin's Blog").

M.Net
  • 1