Disabling Recursion on Delegated Name Servers
Some of your name servers answer nonrecursive queries from other name servers on the Internet because those name servers appear in NS records delegating your zones to them. We’ll call these name servers delegated name servers. You can take special measures to secure your delegated name servers by disabling recursion.
Recall that by default, resolvers send recursive queries, and name servers do the work required to answer the queries. (If you don’t remember how recursion works, refer to Chapter 2.) In the process of finding the answer to recursive queries, the name servers build up a cache of nonauthoritative information about other zones.
But for security reasons, you don’t want delegated name servers to do the extra work required to answer a recursive query or to build up a cache of data. Answering recursive queries opens them up to a potential denial of service (DoS) attack: the Bad Guys can send these servers repeated recursive queries, making them do all kinds of unnecessary work. Answering recursive queries from just anyone is also a bad idea because of caching: the most common spoofing attacks involve inducing the target name server to query name servers under the Bad Guy’s control by sending the target a recursive query for a domain name in a zone served by the Bad Guy’s servers. The Bad Guys can force your name servers to cache known bad data in this way.
Disabling recursion on delegated servers eliminates these attack ...
Get DNS on Windows Server 2003, 3rd Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.