How to close open DNS resolvers on Windows Server 2022

16.01.2025 Reading ~5 min Author: Admin

An open DNS resolver is a DNS server that answers recursive queries from anyone on the Internet. Such servers are routinely abused for reflection/amplification DDoS attacks (a small spoofed query produces a large response aimed at the victim) and generate unwanted load on your own server. Below is a step-by-step guide to closing open DNS resolvers on Windows Server 2022.

1. Check DNS Server Configuration

First, check whether the server currently answers recursive queries, i.e. queries for names it is not authoritative for, since that is what makes it usable as an open resolver:

  1. Launch PowerShell as an administrator.
  2. Run the command: Get-DnsServerRecursion
  3. In the output, look at the Enable property (the cmdlet reports it as Enable, not EnableRecursion):
    • True — recursive queries are allowed (needed when internal clients use this server to resolve Internet names).
    • False — recursive queries are disabled (recommended for an authoritative server that is reachable from the Internet).

2. Restrict Access to the DNS Server

Bind the DNS service only to the interfaces that should serve DNS (for example, the internal NIC). Note that the Interfaces tab lists the server's own IP addresses, not the addresses of clients; restricting which clients may query the server is handled by the recursion and firewall settings in the following sections.

Via DNS Manager:

  1. Open DNS Manager (command: dnsmgmt.msc).
  2. Right-click on the server name → Properties.
  3. Go to the Interfaces tab.
  4. Select the option Only the following IP addresses and keep only the server addresses on which DNS should listen.

Via PowerShell (Set-DnsServerSetting has no -ListenAddresses parameter; it takes the whole settings object, so read it, change ListeningIPAddress and write it back):

$dns = Get-DnsServerSetting -All; $dns.ListeningIPAddress = @("127.0.0.1","192.168.1.1")
Set-DnsServerSetting -InputObject $dns

Replace 127.0.0.1 and 192.168.1.1 with the server's own addresses that should accept DNS queries. If the new bindings do not take effect immediately, restart the service with Restart-Service DNS.

3. Disable Recursive Queries

Recursion makes the server resolve names it is not authoritative for by querying other DNS servers on behalf of the client. Disable it if no clients rely on this server for Internet name resolution (typical for a purely authoritative server hosting your public zones). If internal clients do rely on it, keep recursion enabled and restrict who can reach the server with the firewall instead. Note that disabling recursion also disables forwarders.

Via DNS Manager:

  1. Open the server properties.
  2. On the Advanced tab, check the box Disable recursion (also disables forwarders).

Via PowerShell:

Set-DnsServerRecursion -Enable $false
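If the same server must recurse for the internal network but not for the Internet, DNS policy (available since Windows Server 2016) can scope recursion per client subnet instead of switching it off globally. The following is an added example and not part of the original guide; the subnet 192.168.1.0/24 and the names InternalLAN, InternalRecursion and RecurseForInternalOnly are assumptions you should replace with your own.

```powershell
# Added example (not from the original article): allow recursion only for the
# internal LAN by combining a client subnet, two recursion scopes and a policy.
# Assumptions: trusted LAN is 192.168.1.0/24; object names are placeholders.

# 1. Describe the trusted clients as a client-subnet object.
Add-DnsServerClientSubnet -Name "InternalLAN" -IPv4Subnet "192.168.1.0/24"

# 2. Turn recursion off in the default scope ("."). Any query that no policy
#    matches lands here, so Internet hosts asking for names this server is not
#    authoritative for receive REFUSED instead of a recursive answer.
Set-DnsServerRecursionScope -Name "." -EnableRecursion $false

# 3. Create a second scope that still recurses ...
Add-DnsServerRecursionScope -Name "InternalRecursion" -EnableRecursion $true

# ... and route queries from the trusted subnet into it. -ApplyOnRecursion makes
# this a recursion policy; the "EQ," prefix means "client is in this subnet".
Add-DnsServerQueryResolutionPolicy -Name "RecurseForInternalOnly" `
    -Action ALLOW -ApplyOnRecursion `
    -RecursionScope "InternalRecursion" `
    -ClientSubnet "EQ,InternalLAN"

# 4. Review the result: "." should show EnableRecursion False,
#    "InternalRecursion" True, and the policy should be enabled.
Get-DnsServerRecursionScope
Get-DnsServerQueryResolutionPolicy -Name "RecurseForInternalOnly" | Format-List
```

Keep the global setting from the previous step enabled when you use this approach; the default scope "." is what gets switched off, and the policy re-enables recursion only for clients that match the subnet. Spoofed source addresses can still match the subnet, so pair this with the firewall rules below rather than relying on it alone.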

4. Configure the Firewall

Block access to port 53 from unknown IP addresses. Windows Defender Firewall blocks inbound traffic by default, but installing the DNS Server role adds inbound allow rules ("DNS (UDP, Incoming)" and "DNS (TCP, Incoming)") that accept queries from any address, so those rules must be scoped or disabled. Do not add a separate block rule for "any" address: in Windows Firewall, block rules take precedence over allow rules, so it would also block your trusted clients.

Via Windows Defender Firewall:

  1. Open Windows Defender Firewall with Advanced Security.
  2. Create a new inbound rule of type Port.
  3. Specify the protocol (the wizard accepts one protocol per rule, so create one rule for UDP and one for TCP) and local port 53.
  4. On the Scope page, limit Remote IP addresses to the trusted networks, then scope or disable the role-installed DNS rules in the same way.

Via PowerShell:

New-NetFirewallRule -DisplayName "Allow DNS UDP from Trusted IPs" -Direction Inbound -Protocol UDP -LocalPort 53 -RemoteAddress 192.168.1.0/24 -Action Allow
New-NetFirewallRule -DisplayName "Allow DNS TCP from Trusted IPs" -Direction Inbound -Protocol TCP -LocalPort 53 -RemoteAddress 192.168.1.0/24 -Action Allow
Set-NetFirewallRule -DisplayName "DNS (UDP, Incoming)","DNS (TCP, Incoming)" -RemoteAddress 192.168.1.0/24

Replace 192.168.1.0/24 with your trusted network. If the server is authoritative for public zones, the Internet must still be able to reach port 53; in that case leave the allow rules open and rely on disabling recursion (section 3) instead.

5. Verification

After configuration, test the server from both sides:

  • From outside the trusted network, use an online open-resolver checker (e.g., an Open Resolver Test service) or query the server directly for a name it is not authoritative for, for example from a Linux host: dig @<server public IP> example.com. A closed server answers REFUSED (recursion disabled) or the query times out (firewall).
  • From a trusted client, check via PowerShell that resolution still works: Resolve-DnsName example.com -Server <server IP> (or nslookup example.com <server IP>).

Requests from unknown IP addresses should be refused or dropped, while requests from trusted clients are still answered.
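The checks above can be scripted so they are repeatable after every change. The following is an added example, not code from the original guide: Test-OpenResolver and the address 203.0.113.10 are placeholders, and example.com stands for any name the server is not authoritative for (so answering it requires recursion).

```powershell
# Added example (not from the original article).
# Assumptions: $Server is the address the outside world sees; $Name is a name
# this server is NOT authoritative for; 203.0.113.10 is a placeholder.

function Test-OpenResolver {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [string] $Name = "example.com"
    )
    try {
        # -DnsOnly bypasses the local cache/LLMNR/NetBIOS so only $Server answers.
        $answer = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop
        [pscustomobject]@{
            Server = $Server
            Status = "OPEN"      # the server recursed for us: still an open resolver
            Detail = ($answer | Where-Object Type -eq "A" | Select-Object -ExpandProperty IPAddress) -join ","
        }
    } catch {
        # A REFUSED/NXDOMAIN-style error means recursion is off for this client;
        # a timeout means the firewall dropped the query. Both are the goal.
        [pscustomobject]@{ Server = $Server; Status = "CLOSED"; Detail = $_.Exception.Message }
    }
}

# --- Server-side review (run on the DNS server itself) ---
# Global recursion flag:
Get-DnsServerRecursion | Select-Object Enable
# Which interfaces the service listens on:
(Get-DnsServerSetting -All).ListeningIPAddress
# Every enabled inbound rule that touches port 53, with its action and remote scope;
# anything with Action Allow and Remote "Any" still exposes the server.
Get-NetFirewallRule -Enabled True -Direction Inbound |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "53" } |
    ForEach-Object {
        [pscustomobject]@{
            Rule   = $_.DisplayName
            Action = $_.Action
            Remote = (($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ","
        }
    }

# --- Client-side check: run from a host OUTSIDE the trusted subnet ---
Test-OpenResolver -Server "203.0.113.10"
```

Run the client-side check twice: once from an untrusted address (expect Status CLOSED) and once from a trusted client (expect OPEN, because recursion or forwarding must still work for it). A CLOSED result from the trusted network means the firewall or listen-address change went too far.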

By following these steps, you will close your DNS server to external threats and reduce the risk of abuse. This is a basic but important measure to protect your network.
