Wednesday, December 11, 2013

How to create an open DNS resolver

In previous posts I mentioned how I set up Windows DNS to handle DNS for my internal dev environment. This was internal only, using 2 Windows servers which both host Active Directory and DNS. The next requirement was to handle external DNS queries because I wanted to expose some services, such as email & ADFS, to external clients.

I used a subdomain of our main domain as my internal name for Active Directory. Assume our live external name is example.co.uk and I chose devtest.example.co.uk for my dev environment’s Active Directory name. Internally my account names are fredsmith@devtest.example.co.uk.

I don’t actually want to use that externally so I got another domain from an ISP. Let’s call that anotherexample.com. I want mail.anotherexample.com to be available externally and to land on my internal mail server.

My first move is simple, but wrong. I added anotherexample.com as a forward lookup zone to my existing DNS, populated it with the external aliases, configured our ISP to forward DNS to our servers and then exposed my DNS servers to the internet!

While this works I’m guessing that someone with nslookup, for example, can start sending DNS queries to my server and ask it questions about my internal host names. Not ideal, but it’s a dev environment and making mistakes is allowed.

It turns out to be more serious though, as it allows the server to be used as part of a type of distributed attack against other hosts because I’ve created an Open DNS Resolver. In effect, any external DNS client can now ask my DNS servers to do lookups, and the clients can spoof (fake) their source IP address. My servers will then attempt to resolve those queries. If they are not answerable locally, then my servers will pass the query up the chain to the wider internet DNS. Eventually the answer(s) will be sent back to the spoofed IP address, not to whoever actually asked. If lots of open resolvers are queried at once using the same spoofed address, then they will all start generating traffic towards the target spoofed IP. Or something like that.

Windows DNS, even in Windows Server 2012, can’t be configured to behave differently depending on whether the request originated from inside or outside my environment, so the next move here would be to spin up another pair of DNS servers and use those just for handling any requests for my external DNS zone (anotherexample.com). These can be configured such that they do not recursively resolve, so they will not be Open Resolvers – they will only answer for their configured domain and will do nothing else. You need a pair because most ISPs need you to provide a primary and secondary DNS server. My existing DNS servers can have the external DNS removed and external access removed and return to their original purpose of handling DNS for my internal clients.
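The authoritative-only pair described above, as an added PowerShell example (not from the original post, and not what the author actually built): it hosts the external zone, turns recursion off on each server, and then checks the result from a client. The server names extdns1/extdns2 and the 203.0.113.10 address are constructed placeholders; the cmdlets are from the DnsServer and DnsClient modules shipped with Windows Server 2012.

```powershell
# Added example, not the post's own code. Assumes the DnsServer module
# (Windows Server 2012+) and a DNS administrator session.
$externalServers = @('extdns1', 'extdns2')   # hypothetical primary/secondary pair
$zone = 'anotherexample.com'

foreach ($server in $externalServers) {
    # Plain file-backed zone: these boxes hold only the public names, nothing from AD.
    if (-not (Get-DnsServerZone -Name $zone -ComputerName $server -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns" -ComputerName $server
    }

    # The handful of names that should be reachable from outside (constructed address, RFC 5737 range).
    Add-DnsServerResourceRecordA -ZoneName $zone -Name 'mail' -IPv4Address '203.0.113.10' -ComputerName $server

    # The setting that stops the server being an open resolver: answer only for hosted zones,
    # never chase a query out to the wider internet on a client's behalf.
    Set-DnsServerRecursion -Enable $false -ComputerName $server
}

# Verification from a client (DnsClient module). The hosted name must answer; a name the
# server is not authoritative for must NOT come back with an answer.
foreach ($server in $externalServers) {
    $recursion = Get-DnsServerRecursion -ComputerName $server
    "$server recursion enabled: $($recursion.Enable)"   # expect False on both servers

    Resolve-DnsName -Name "mail.$zone" -Server $server -Type A -DnsOnly

    try {
        # -DnsOnly skips the local cache and hosts file so the answer really comes from $server.
        Resolve-DnsName -Name 'www.example.org' -Server $server -Type A -DnsOnly -ErrorAction Stop
        Write-Warning "$server answered for a name outside $zone - it is still an open resolver"
    } catch {
        "$server did not resolve the outside name, as intended"
    }
}
```

Run the same two Resolve-DnsName checks from a host outside your network as well, since that is the view an attacker (and your ISP) gets of the servers.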

In this case though, my external DNS needs are minimal so it’s not worth the effort. Instead I closed the DNS off again, deleted the anotherexample.com zone from my DNS servers, and added the handful of host entries from anotherexample.com directly into the ISP DNS, having also removed the forward to my DNS servers.

As for why Windows DNS can’t do this, I guess you’d have to ask who else, apart from someone messing about as I am, would want to do this? A proper DNS sysadmin wouldn’t even dream of mixing internal and external server roles on the same box, and would have started out with two sets of servers in the first place anyway.