#1
hello,

I just wanted to ask for advice on securing an open DNS server. I have a dedicated server with Windows Server 2003 and hosting a web site. DNS is running on the server. As I understand it is not really possible to disable open DNS server, however, what should I check on the server so it does not get exploited by other people?

thanks for any advice.

#2
In news:1186519256.637723.210800@l70g2000hse.googlegroups.com,
gointern@gmail.com <gointern@gmail.com> typed:
> hello,
>
> I just wanted to ask for advice on securing an open DNS server. I have
> a dedicated server with Windows Server 2003 and hosting a web site.
> DNS is running on the server. As I understand it is not really possible
> to disable open DNS server, however, what should I check on the server
> so it does not get exploited by other people?
>
> thanks for any advice.

I'm not sure what you mean by "Open" DNS server. I am assuming it is not a product, but rather the Windows 2003 server is wide open on the Internet acting as a public DNS server hosting your public domain name. If so, you can put it behind a firewall and only allow ports TCP and UDP 53 to it for DNS, and of course 80 for web, and possibly 443 for SSL. I would also disable NetBIOS.

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations

Having difficulty reading or finding responses to your post? Try using Outlook Express or any other newsreader, configure a news account, and point it to news.microsoft.com. Anonymous access. It's easy and it's free:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

"Life isn't like a box of chocolates or a bowl of cherries or peaches... Life is more like a jar of jalapenos. What you do today may burn your butt tomorrow." - Garfield

#3
On Aug 8, 12:03 am, "Ace Fekay [MVP]" <PleaseAs...@SomeDomain.com> wrote:
> In news:1186519256.637723.210800@l70g2000hse.googlegroups.com,
> goint...@gmail.com <goint...@gmail.com> typed:
>
> > hello,
> >
> > I just wanted to ask for advice on securing an open DNS server. I have
> > a dedicated server with Windows Server 2003 and hosting a web site.
> > DNS is running on the server. As I understand it is not really possible
> > to disable open DNS server, however, what should I check on the server
> > so it does not get exploited by other people?
> >
> > thanks for any advice.
>
> I'm not sure what you mean by "Open" DNS server. I am assuming it is not a
> product, but rather the Windows 2003 server is wide open on the Internet
> acting as a public DNS server hosting your public domain name. If so, you
> can put it behind a firewall and only allow ports TCP and UDP 53 to it for
> DNS, and of course 80 for web, and possibly 443 for SSL. I would also
> disable NetBIOS.
>
> --
> Regards,
> Ace

The Open DNS server is from a test that dnsreport does. It says the fix is to disable recursion, but it breaks some applications on the server. So I guess I will enable a firewall. Thanks!

#4
In news:1186560791.049597.97420@l70g2000hse.googlegroups.com,
matrikas@gmail.com <matrikas@gmail.com> typed:
> The Open DNS server is from a test that dnsreport does. It says the
> fix is to disable recursion, but it breaks some applications on the
> server. So I guess I will enable a firewall. Thanks!

I see, now I know what you mean by "open". It was a test you ran at DNSReport.com.

Disabling recursion will not allow your own server to use it as a DNS server other than to resolve zones already created on it. This is usually for content-only servers and will not allow anyone else to use it. If that is the intention of this server, that is to only host your public name, then yes, go ahead and disable recursion. That is under the Advanced tab.

--
Regards,
Ace

#5
On Aug 8, 7:04 am, "Ace Fekay [MVP]" <PleaseAs...@SomeDomain.com> wrote:
> In news:1186560791.049597.97420@l70g2000hse.googlegroups.com,
> matri...@gmail.com <matri...@gmail.com> typed:
>
> > The Open DNS server is from a test that dnsreport does. It says the
> > fix is to disable recursion, but it breaks some applications on the
> > server. So I guess I will enable a firewall. Thanks!
>
> I see, now I know what you mean by "open". It was a test you ran at
> DNSReport.com.
>
> Disabling recursion will not allow your own server to use it as a DNS server
> other than to resolve zones already created on it. This is usually for
> content-only servers and will not allow anyone else to use it. If that is
> the intention of this server, that is to only host your public name, then
> yes, go ahead and disable recursion. That is under the Advanced tab.
>
> --
> Regards,
> Ace

Hello again,

The server is for web page hosting and email. I ran the test on dnsreport again. It says it is still "open dns server". My question is should I worry about this? Is there anything I can do? I put the server behind the firewall and forwarded port 53 but I guess it doesn't do much good since DNS uses that port to talk. Any advice?

thanks.

#6
In news:1187310331.159071.7240@22g2000hsm.googlegroups.com,
gointern@gmail.com <gointern@gmail.com> typed:
> Hello again,
>
> The server is for web page hosting and email. I ran the test on
> dnsreport again. It says it is still "open dns server". My question is
> should I worry about this? Is there anything I can do? I put the
> server behind the firewall and forwarded port 53 but I guess it
> doesn't do much good since DNS uses that port to talk. Any advice?
>
> thanks.

No, if you want it to allow recursion, there isn't much else you can do.

Unless you don't. So it's up to YOU. So let me make myself a bit clearer and you can decide. The answers to the next two questions will answer how to handle recursion:

1. Do you or others on your network need to use this server (by specifying its IP address in IP properties) to resolve domain names for your workstation?
If yes, then you will need to allow recursion and that message about it being an open server will continue. Not much you can do about that because of what you need the thing for.

2. Is the DNS server's ONLY role to host your public domain name for the world to resolve only your public domain name and nothing else?
If yes, then disable recursion and that Open message should disappear.

Ace

--
Regards,
Ace
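
An added example, not part of the thread and not dnsreport's own code: a check of the kind an "open DNS server" test reports on, assuming it sends a recursion-desired query for a name the server does not host and reads the RA flag and answer count in the reply. The helper names, `example.org` and `192.0.2.1` are constructed for illustration; `probe()` is meant to be run from an outside host against your own server.

```python
import socket
import struct

RD, RA, QR = 0x0100, 0x0080, 0x8000  # DNS header flag bits (RFC 1035)

def build_query(name, qid=0x1234):
    """Build an A/IN query with RD (recursion desired) set."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return (struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!HH", 1, 1))

def classify(resp):
    """Classify the reply to an RD=1 query for a name the server does NOT host."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if not flags & QR:
        raise ValueError("not a response")
    if not flags & RA:
        return "closed"                 # recursion not offered to this client
    if flags & 0x000F == 0 and ancount > 0:
        return "open"                   # resolved an outside name for us
    return "recursion-advertised"       # RA set, but this lookup gave no answer

def probe(server, outside_name, timeout=3.0):
    """Query your own server from an outside host; returns classify()'s verdict."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(outside_name), (server, 53))
        return classify(s.recv(4096))

def constructed_reply(query, flags, answer_ip=None):
    """Constructed sample reply (not captured traffic) for offline checks."""
    qid = struct.unpack("!H", query[:2])[0]
    rr = b""
    if answer_ip:
        # compressed name pointer to offset 12, type A, class IN, TTL 60, 4 bytes
        rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(answer_ip)
    return (struct.pack("!HHHHHH", qid, flags, 1, 1 if rr else 0, 0, 0)
            + query[12:] + rr)

if __name__ == "__main__":
    q = build_query("example.org")
    print(classify(constructed_reply(q, QR | RD | RA, "192.0.2.1")))  # recursion on
    print(classify(constructed_reply(q, QR | RD)))                    # recursion off
```

A firewall rule that only forwards port 53 does not change the verdict, because the recursive query arrives on the same port as queries for the hosted zone.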

#7
On Aug 16, 9:52 pm, "Ace Fekay [MVP]" <PleaseAs...@SomeDomain.com> wrote:
> In news:1187310331.159071.7240@22g2000hsm.googlegroups.com,
> goint...@gmail.com <goint...@gmail.com> typed:
>
> > Hello again,
> >
> > The server is for web page hosting and email. I ran the test on
> > dnsreport again. It says it is still "open dns server". My question is
> > should I worry about this? Is there anything I can do? I put the
> > server behind the firewall and forwarded port 53 but I guess it
> > doesn't do much good since DNS uses that port to talk. Any advice?
> >
> > thanks.
>
> No, if you want it to allow recursion, there isn't much else you can do.
>
> Unless you don't. So it's up to YOU. So let me make myself a bit clearer and
> you can decide. The answers to the next two questions will answer how to
> handle recursion:
>
> 1. Do you or others on your network need to use this server (by specifying
> its IP address in IP properties) to resolve domain names for your
> workstation?
> If yes, then you will need to allow recursion and that message about it
> being an open server will continue. Not much you can do about that because
> of what you need the thing for.
>
> 2. Is the DNS server's ONLY role to host your public domain name for the
> world to resolve only your public domain name and nothing else?
> If yes, then disable recursion and that Open message should disappear.
>
> Ace
>
> --
> Regards,
> Ace

I see. Thanks for all the ! I am leaving it as is. Thank you.

#8
In news:1187338689.115923.326380@g4g2000hsf.googlegroups.com,
gointern@gmail.com <gointern@gmail.com> typed:
> I see. Thanks for all the ! I am leaving it as is. Thank you.

You are welcome. Cheers!

Ace