What is prompting this question is an email from a security person monitoring our network which indicated an "open DNS resolver infection".
The two Windows Server 2003 machines that constitute our one single domain (i.e. a forest of 1 domain) were cited. The email sounded like there was an imminent threat but these 2 servers have been operating well for over 6 years with no DNS problems. Perhaps it was just a new network monitoring tool that is being used that picked up this "new" issue now although our DNS config has not changed in years.
However, the suggestion is that I change the DNS option to DISABLE RECURSION to close a security hole. Windows adds the parenthetical statement that doing so "also disables forwarders".
My concern is that if I DISABLE DNS RECURSION, users will lose the current functionality in connecting to these servers (especially server A).
One Win 2003 server (server A) has 20 XP client PCs and they all use the internet. These 20 clients are configured in their Network TCP/IP Properties setup to use as the Preferred DNS server the main Server 2003 (the first one installed, server A).
Their ALTERNATE DNS server address is one which specifies an IP address that points to the ISP outside of the domain to which they are connected.
Server B has no one explicitly logging into the domain but about 10 users access network shares on that server. In their case, they are not "part of the domain". They merely have an account on the domain where they have to be authenticated to access the network share.
FINALLY MY QUESTION:
Can anyone tell me (based upon my description of the two servers) whether changing the DNS option to "Disable recursion" is likely to affect either or both of those uses? If so, how?
(As you can no doubt tell, my knowledge of how DNS works is quite limited.)
Thanks in advance for any help...
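As an added example (not part of the question or of any answer), the Python script below does the same check a network scanner does before reporting an "open DNS resolver": it sends an A query with the RD (recursion desired) bit set for a name the server is not authoritative for, then reads the RA (recursion available) bit, the response code and the answer count from the reply. Run it from outside your network against your own server's public address; the server IP and the test name are placeholders you must substitute, and the sample replies used for offline checking are constructed, not captured.

```python
import socket
import struct

RD = 0x0100  # Recursion Desired flag in the DNS header
RA = 0x0080  # Recursion Available flag in the DNS header


def build_query(name: str, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Build a minimal DNS A/IN query for `name`, with RD set unless told otherwise."""
    header = struct.pack("!HHHHHH", txid, RD if rd else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(len(l).to_bytes(1, "big") + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(resp: bytes) -> dict:
    """Pull the fields that matter for a recursion check out of the 12-byte header."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "ra": bool(flags & RA), "rcode": flags & 0x000F, "ancount": an}


def classify(resp: bytes) -> str:
    """open-recursive: server resolved a foreign name for us; recursion-disabled: it refused or
    only referred us elsewhere (what 'Disable recursion' on Windows DNS produces)."""
    h = parse_header(resp)
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open-recursive"
    if h["rcode"] == 5 or not h["ra"]:  # REFUSED, or RA cleared (referral / no recursion)
        return "recursion-disabled"
    return "inconclusive"  # e.g. RA set but NXDOMAIN: recursive, but the name does not exist


def check_resolver(server_ip: str, name: str = "example.com", timeout: float = 3.0) -> str:
    """Send one UDP query to server_ip:53 and classify the reply (network call)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        resp, _ = s.recvfrom(512)
    return classify(resp)


def sample_response(flags: int, ancount: int = 0, nscount: int = 0) -> bytes:
    """Constructed header-only reply, used for offline checks of classify()."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, nscount, 0)


if __name__ == "__main__":
    print(check_resolver("192.0.2.1"))  # placeholder: your server's public IP
```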