Microsoft – DNS Server – Disabling Recursion

Background

I would like to start a series of articles on how to harden a Microsoft DNS Server.

Before we dig in too deep, let us first talk about the weeds out there.

 

What prompts us

Reviewing the MS Windows Event Viewer, we discovered entries that look like this:

Textual:


The DNS server encountered an invalid domain name in a packet from 90.23.83.107. The packet will be rejected. The event data contains the DNS packet.

Image:

EventID-5504-InvalidDomainName

 

Data

Since we are referred to the “event data”, let us try to make sense of it:

 

EventID-5504-InvalidDomainName-Data

.cz

What does the error mean?

It means that the host identified in the packet (w.x.y.z) is sending us a request for a domain suffix that differs from the ones we have explicitly declared we are handling.

The reasons are myriad and can include:

  • An application on that host is specifically sending DNS requests to us
  • The original request was directed at a DNS Server that has been configured to forward DNS requests

 

Network Monitoring

Let us use a Network Monitoring tool to read Network requests.

As we already have the Microsoft Network Monitoring Tool installed, we will use it.

 

Configure Microsoft Network Monitoring Tool

Filter

I suggest that you tighten your filtering and only bring in DNS traffic.

You can do so by using the Application’s menu.

In our version, Filter \ Load Filter \ Standard Filters \ DNS \ Protocol Filter – DNS

Here is what the Application generates based on this request:

applyDNSFilter

Please click the “Apply” button to effect the filtering.

Output

We will be interested in correlating Network Traffic flows with entries in the MS Event Viewer and so will add “Time Date Local Adjusted” to the list of columns to display.

That way we will be better able to match specific Event Viewer entries with items we capture from our Network Monitoring tool.

To do so, please click on the Columns \ Choose Columns:

ChooseFrameSummaryColumns

 

Here is what things look like once we have moved “Time Date Local Adjusted” from the “Select the desired columns” area to the “Enabled Columns” area.

ChooseFrameSummaryColumns-After

 

Our Domain, but invalid hostname

DNS Query Request

xmqgzjczmg-request

Explanation:

  1. Our instigator is sending UDP requests to our port 53 ( DNS )
  2. The QueryId is 0x4F2 and the Query Identifier is 1266
  3. The full query is xmq.[full-domain-name]

 

DNS Query Response

xmqgzjczmg-response-nameerror

 

Explanation:

  1. We replied via UDP from port 53 ( DNS )
  2. The QueryId is 0x4F2 and the Query Identifier is 1266
  3. Our Reply Code is “Rcode = Name Error”

 

Invalid Domain

DNS Query Request

request@014658

Quick Explanation:

  1. We are receiving numerous simultaneous DNS requests bearing QueryID 26025 (0x65A9)
  2. The query is requesting 067.cz and it is requesting “all” records
  3. We can also confirm from the request dump that Recursion is desired (Recursion Desired = 1)

 

DNS Query Response

response@014658

 

Quick Explanation:

  1. On behalf of the requester, our DNS Server connected to 77.78.104.139 and requested data
  2. The query is requesting 067.cz and it is requesting “all” records
  3. We can also confirm from the request dump that Recursion is desired (Recursion Desired = 1)
  4. We received the following set of data
    • All Name Server ( ns1, ns2, ns3 )
    • SOA ( Start of Authority )
    • MX ( Mail )
    • spf1 ( Sender Policy Framework record )

 

Resolution

Server – Properties – Advanced Tab

Disable recursion – GUI

ServerConfiguration

Disable recursion – Command Line

    dnscmd . /config /norecursion 1

 

Disable recursion – Query

Syntax

    dnscmd . /info

Output

dnscmdInfo

Explanation

  1. In the “Configuration flags” section, fNoRecursion is set to 1

What is the implication?

Servicing Internal Clients

Can we still properly service DNS queries for our internal clients?

Queries for Authoritative Domains

Query

Syntax:

    nslookup -querytype=MX FQDN. nameserver

Sample:

    nslookup -querytype=MX labdomain.com. 10.0.7.49

Explanation:

  1. The request is pretty straightforward
  2. Please issue the name terminated with a period to indicate it is fully qualified; that is, the DNS suffix should not be auto-appended when it is passed to the DNS Server
  3. We are asking our DNS Server ( 10.0.7.49 ) for Mail ( MX ) records

 

Output:

Image:

internalMXCommandLine.0935AM

 

Explanation:

  1. We received back our MX record

Request Trace – Incoming

internalMXRequestCropped

Explanation:

  1. We are requesting MX records for a specific domain

 

Request Trace – Response

internalMXResponseCropped

 

Explanation:

  1. Response
    • We are authoritative
    • We replied with MX record(s)

 

Queries for Non-Authoritative Domains

Query

Syntax:

    nslookup -querytype=MX FQDN. nameserver

Sample:

    nslookup -querytype=MX talend.com. 10.0.7.49

Explanation:

  1. We are asking our DNS Server ( 10.0.7.49 ) for Mail ( MX ) records for the Talend (talend.com) domain
  2. Again, notice that we need the trailing . after the domain name

 

Output:

Image:

externalTalendMXConsole

 

Explanation:

  1. We replied with “can’t find talend.com.: Server failed”

Request Trace – Incoming

internalMXRequestCropped

Explanation:

  1. We are requesting MX records for a specific domain

 

Request Trace – Response

externalTalendMXResponse.1042AM

 

Explanation:

  1. Response
    • We replied with “Server failure”
    • Question Count is 1 (0x1)
    • Answer Count is 0 (0x0)
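The header fields the traces above call out (QueryId, Recursion Desired, Rcode, question and answer counts) can be read straight off the packet bytes. The following Python decoder is an added example, not code from the original post: it parses a raw DNS message such as the one carried in the Event ID 5504 event data, and includes a check of whether a query sits inside a zone we host and so is still answerable with recursion disabled. The zone name, the placeholder IDs and the sample packets are constructed to mirror the traces, not captured data.

```python
import struct

# Added example, not code from the original post. Decodes the header and first
# question of a raw DNS message (Event ID 5504's "event data" carries the packet)
# and checks whether a query falls inside a zone we host, which is what a server
# with recursion disabled can still answer. Zone list and packets are constructed.

RCODES = {0: "No Error", 1: "Format Error", 2: "Server Failure", 3: "Name Error"}
QTYPES = {1: "A", 6: "SOA", 15: "MX", 16: "TXT", 255: "ANY"}

def parse_dns(packet: bytes) -> dict:
    """Return the header fields and the first question of a DNS message."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!6H", packet[:12])
    labels, pos = [], 12                  # question name: uncompressed labels
    while packet[pos]:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, _qclass = struct.unpack("!2H", packet[pos + 1:pos + 5])
    return {
        "id": ident,
        "response": bool(flags & 0x8000),           # QR bit
        "recursion_desired": bool(flags & 0x0100),  # RD bit
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "qdcount": qd, "ancount": an,
        "qname": ".".join(labels).lower() + ".",    # fully qualified, trailing dot
        "qtype": QTYPES.get(qtype, str(qtype)),
    }

def build_message(ident, name, qtype, response=False, rd=True, rcode=0, ancount=0):
    """Build a minimal DNS message (header + one question) for the samples below."""
    flags = (0x8000 if response else 0) | (0x0100 if rd else 0) | (rcode & 0xF)
    labels = [lab.encode("ascii") for lab in name.strip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    header = struct.pack("!6H", ident, flags, 1, ancount, 0, 0)
    return header + qname + struct.pack("!2H", qtype, 1)

def answered_without_recursion(query: dict, zones) -> bool:
    """True when the name is at or under a hosted zone, so no recursion is needed."""
    return any(query["qname"] == z or query["qname"].endswith("." + z) for z in zones)

ZONES = ("labdomain.com.",)   # constructed: the zone the post's server is authoritative for

# Constructed to mirror the traces: ANY for 067.cz with Recursion Desired, ID 0x65A9
REQUEST_067CZ = build_message(0x65A9, "067.cz", 255)
# Constructed: MX for our own zone (ID is a placeholder), and the post-fix
# "Server failure" reply to the talend.com MX query: 1 question, 0 answers
REQUEST_MX_INTERNAL = build_message(0x2001, "labdomain.com", 15)
RESPONSE_TALEND = build_message(0x2002, "talend.com", 15, response=True, rcode=2)
```

Feeding a capture through parse_dns and answered_without_recursion lists which queries in a trace depended on recursion and will now be answered with “Server failure”, which is a quick way to confirm no internal client is affected before and after the change.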

Summary

Once we disabled recursion, we stopped seeing the errors about “invalid domain name”.

We have other areas to cover and will do so in subsequent posts.
