Re: [swinog] Disable Recursion on Windows Server 2019

2021-11-01 Thread Stanislav Sinyagin
split the resolver from authoritative service, and use Linux for
user-facing services.  What else :)

On Mon, Nov 1, 2021 at 2:40 PM Benoît Panizzon wrote:
>
> Dear Community
>
> We have a customer who operates hosting and uses a Windows Server 2019
> as DNS for his hosting customers and for which we occasionally receive
> complaints about this being an open resolver prone to DNS amplification
> attacks.
>
> Customer's requirements:
>
> * DNS reachable from the Internet, for the domains he is authoritative
>   for.
> * DNS recursion available for hosting customers in his IP range.
>
> He tells me that he can only switch recursion on and off completely,
> but not restrict the IP ranges for which it shall be available.
>
> My quick search via Google also only revealed how to turn recursion
> off completely on a Windows Server 2019.
>
> Hopefully some Microsoft guru on this list can tell how to restrict
> recursive access to certain IP ranges?
>
> --
> Kind regards
>
> -Benoît Panizzon- @ home office and reachable as usual
> --
> I m p r o W a r e   A G - Head of Commerce Customers
> __
>
> Zurlindenstrasse 29    Tel  +41 61 826 93 00
> CH-4133 Pratteln       Fax  +41 61 826 93 01
> Switzerland            Web  http://www.imp.ch
> __
>
>
> ___
> swinog mailing list
> swinog@lists.swinog.ch
> http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog



-- 
Stanislav Sinyagin
Senior Consultant, CCIE #5478
ssinya...@k-open.com
+41 79 407 0224




Re: [swinog] Disable Recursion on Windows Server 2019

2021-11-01 Thread Rémy DUCHET
Hi,

There is an option for disabling recursion, but nothing for restricting the IP range.
(Server Properties / Advanced / Disable Recursion).

Globally, we recommend disabling recursion on authoritative servers, which is
good practice in terms of security.

Best regards, 

Rémy DUCHET
Founder & CEO 


Chemin du Curé-Desclouds 2, CH-1226 THONEX  +41 (0)22 869 04 40
 
www.csti.ch


-----Original Message-----
From: swinog-boun...@lists.swinog.ch On Behalf Of Benoît Panizzon
Sent: Monday, 1 November 2021 14:37
To: swinog@lists.swinog.ch
Subject: [swinog] Disable Recursion on Windows Server 2019

Dear Community

We have a customer who operates hosting and uses a Windows Server 2019 as DNS 
for his hosting customers and for which we occasionally receive complaints 
about this being an open resolver prone to DNS amplification attacks.

Customer's requirements:

* DNS reachable from the Internet, for the domains he is authoritative
  for.
* DNS recursion available for hosting customers in his IP range.

He tells me that he can only switch recursion on and off completely, but not
restrict the IP ranges for which it shall be available.

My quick search via Google also only revealed how to turn recursion off
completely on a Windows Server 2019.

Hopefully some Microsoft guru on this list can tell how to restrict recursive
access to certain IP ranges?

--
Kind regards

-Benoît Panizzon- @ home office and reachable as usual
-- 
I m p r o W a r e   A G - Head of Commerce Customers
__

Zurlindenstrasse 29    Tel  +41 61 826 93 00
CH-4133 Pratteln       Fax  +41 61 826 93 01
Switzerland            Web  http://www.imp.ch
__




Re: [swinog] Disable Recursion on Windows Server 2019

2021-11-01 Thread Benoît Panizzon
Hi

Thanks! I'll pass this on to our customer.

-- 
Kind regards

-Benoît Panizzon- @ home office and reachable as usual
-- 
I m p r o W a r e   A G - Head of Commerce Customers
__

Zurlindenstrasse 29    Tel  +41 61 826 93 00
CH-4133 Pratteln       Fax  +41 61 826 93 01
Switzerland            Web  http://www.imp.ch
__




[swinog] Disable Recursion on Windows Server 2019

2021-11-01 Thread Benoît Panizzon
Dear Community

We have a customer who operates hosting and uses a Windows Server 2019
as DNS for his hosting customers and for which we occasionally receive
complaints about this being an open resolver prone to DNS amplification
attacks.

Customer's requirements:

* DNS reachable from the Internet, for the domains he is authoritative
  for.
* DNS recursion available for hosting customers in his IP range.

He tells me that he can only switch recursion on and off completely,
but not restrict the IP ranges for which it shall be available.

My quick search via Google also only revealed how to turn recursion
off completely on a Windows Server 2019.

Hopefully some Microsoft guru on this list can tell how to restrict
recursive access to certain IP ranges?

-- 
Kind regards

-Benoît Panizzon- @ home office and reachable as usual
-- 
I m p r o W a r e   A G - Head of Commerce Customers
__

Zurlindenstrasse 29    Tel  +41 61 826 93 00
CH-4133 Pratteln       Fax  +41 61 826 93 01
Switzerland            Web  http://www.imp.ch
__

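Added example, not part of the thread and not from any of its participants: one way to meet both requirements in the question above (authoritative answers for everyone, recursion only for the customer range) with the DNS policy cmdlets of the DnsServer PowerShell module on Windows Server 2016 and later. The subnet 192.0.2.0/24, the server address 198.51.100.53 and the names HostingCustomers, CustomerRecursion and AllowCustomerRecursion are placeholders.

```powershell
# Added example: selective recursion on Windows DNS using DNS policies.
# Placeholders (assumptions, not from the thread): subnet, server IP, object names.
Import-Module DnsServer

$subnetName = 'HostingCustomers'
$scopeName  = 'CustomerRecursion'
$policyName = 'AllowCustomerRecursion'
$dnsServer  = '198.51.100.53'

# 1. Name the client range that is allowed to use recursion.
Add-DnsServerClientSubnet -Name $subnetName -IPv4Subnet '192.0.2.0/24'

# 2. Create a separate recursion scope with recursion enabled.
Add-DnsServerRecursionScope -Name $scopeName -EnableRecursion $true

# 3. Send recursive queries from the named subnet to that scope.
#    -ApplyOnRecursion limits the policy to queries that need recursion;
#    queries for zones hosted on the server are answered as before.
$policy = @{
    Name             = $policyName
    Action           = 'ALLOW'
    ApplyOnRecursion = $true
    RecursionScope   = $scopeName
    ClientSubnet     = "EQ,$subnetName"
}
Add-DnsServerQueryResolutionPolicy @policy

# 4. Only now disable recursion in the default scope ("."), which covers
#    every client not matched by a policy. Doing this last avoids an
#    interruption for the customers in the allowed range.
Set-DnsServerRecursionScope -Name '.' -EnableRecursion $false

# 5. Review the resulting configuration.
Get-DnsServerRecursionScope
Get-DnsServerQueryResolutionPolicy

# 6. Check from a host OUTSIDE the customer range: a name the server is not
#    authoritative for should no longer resolve through it, while a name in
#    one of its hosted zones still should.
Resolve-DnsName -Name 'example.com' -Server $dnsServer -DnsOnly
```

Run step 6 from an address outside the allowed subnet, then repeat it from inside the subnet to confirm that recursion still works for the hosting customers.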