When performing zone transfers, the DNS server uses a faster zone transfer method that utilizes compression and can transfer multiple records per TCP message. This format isn't compatible with older versions of BIND. You need to select the BIND Secondaries option if you use a version of BIND earlier than 4.9.4. This option tells the Windows DNS server not to use the faster zone transfer methods.
When to Disable Recursion

Recursion is the process that DNS uses to track down the authoritative server for a domain. If you query a DNS server for a host in a domain and the server isn't authoritative for that domain, nor does the server have a cached copy of the requested host record, the server recursively queries other servers on the Internet on your behalf to track down the DNS server with the correct answer. If a server doesn't do recursion, it either tells the client it doesn't know that record or it tells the client where it might find the record.
To determine when you should disable recursion, you need to look at what types of records the DNS server will hold. If the DNS server for a domain knows all the records for that domain, it should never provide recursion. Your DC, for example, knows about every host in your domain, so there's no need for it to send a request elsewhere. The same is true for a public DNS server that holds published domain records.

You should typically allow recursion on servers that provide DNS lookups for local users. That is, if you provide Internet access to a user, you should also provide that user with a recursive DNS server that can resolve any Internet host name.

It's important not to make recursive DNS servers available outside of your organization. A server that answers recursive queries from anyone on the Internet (an open resolver) can be abused as an amplifier for Distributed Denial of Service (DDoS) attacks.
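A quick way to audit your own servers for the configuration described above is to send a query with the RD (recursion desired) bit set and inspect the RA (recursion available) bit in the reply: a server with recursion disabled answers with RA=0 and usually RCODE=5 (REFUSED). The following is an added example written for this article, not code from it; the server address, the query name and the two sample replies are constructed for illustration.

```python
"""Check whether a DNS server offers recursion, by inspecting reply header flags."""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard A-record query with RD=1 (flags 0x0100), QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_flags(reply: bytes) -> dict:
    """Extract the header bits that matter for the recursion audit."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),      # 1 = this is a response
        "rd": bool(flags & 0x0100),      # echoed from our query
        "ra": bool(flags & 0x0080),      # server willing to recurse for us
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }


def classify(reply: bytes) -> str:
    """'recursion offered' means the server would act as an open resolver for this client."""
    f = parse_flags(reply)
    return "recursion offered" if f["ra"] else "recursion not offered (%s)" % f["rcode"]


def probe(server: str, name: str = "www.example.com", timeout: float = 2.0) -> str:
    """Send the query over UDP/53 and classify the reply (server address is an assumption)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        reply, _ = s.recvfrom(512)
    return classify(reply)


# Constructed sample replies (header only): QR=1 RD=1 RA=1 NOERROR vs QR=1 RD=1 RA=0 REFUSED.
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)

if __name__ == "__main__":
    print(classify(SAMPLE_OPEN), "/", classify(SAMPLE_REFUSED))
    print(probe("192.0.2.53"))  # placeholder address: replace with a server you administer
```

Run the probe from outside your network against each authoritative-only server; any "recursion offered" result is a server that still needs recursion disabled.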
Internet Host Blocking

Here's a problem that DNS isn't responsible for but that it can partially help you solve. You can block user access to undesirable Internet hosts by using a firewall or a proxy server, but those solutions don't work well for all situations. An ISP, for example, might want to block certain host names without requiring customers to use a proxy server and without putting too much of a load on the firewall. Blocking host names at the DNS server is one alternative.

To do this, you first need a list of hosts to block. You can get a malware block list formatted for Microsoft DNS servers from Malware Block Lists at http://www.malware.com.br/#blocklist. You can directly import this block list into your DNS server. If you're willing to do some reformatting, you can also get block lists from hpHosts Online at http://www.hosts-file.net or SpamAssassin Blacklists at http://www.sa-blacklist.stearns.org/sa-blacklist.

Another alternative is OpenDNS (http://www.opendns.com), a free DNS service that provides filtering by blocking known phishing hosts. To use OpenDNS, you just place its DNS server IP addresses in your network configuration.

Keep in mind that using DNS for blocking only prevents name lookups for hosts on these lists. It doesn't prevent users from accessing hosts by entering their IP address, and it can't block new hosts that haven't yet been listed.
Learn the Fundamentals

DNS problems generally have simple solutions, but you do need to have a good understanding of how DNS works. Expand your knowledge of DNS—for any IT professional, it's certainly time well spent.