I have a Windows 2008 server, which runs a DNS server for web sites hosted on this server. I have a report that our server is used for a DNS Amplification Attack.
In the logs I see many queries about isc.org.
How can I set up my Windows DNS server to only respond to queries about local sites?
I removed all root hints and forwarders, but it still receives and responds to queries about isc.org.
DNS Amplification Attack – How to Prevent
domain-name-system, windows-server-2008
Best Answer
OK - first things first: Either firewall your server so people outside your organization can't access it, or disable recursion:
(Chris posted a handy picture of the page and the option you want to enable)
Do this now.
Now that you are no longer actively breaking the internet you can read about DNS amplification attacks, how they happen, why they're bad, and some of the things you can do to prevent being a pawn in them.
You may also want to read this Technet article about DNSSEC and DNS Amplification attacks which includes some informative references.
You can then determine how best to prevent your server from being used in such attacks.
Typically you will do this by only answering recursive queries for a known group of hosts (your internal machines), but other options exist as well.
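A way to confirm the fix from a host outside your network, as an added example (not part of the answer above): the script builds a recursive query for a name you are not authoritative for, classifies the reply the server sends back, and reports the amplification ratio (bytes returned per byte sent). The server address is a placeholder; isc.org is used only because it is the name seen in the question's logs.

```python
import random
import socket
import struct

def build_query(name: str, qtype: int = 255, rd: bool = True) -> bytes:
    """Build a minimal DNS query. RD=1 asks the server to recurse;
    qtype 255 (ANY) is what amplification probes typically request."""
    txid = random.randrange(0, 0x10000)
    flags = 0x0100 if rd else 0x0000          # RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(struct.pack("B", len(l)) + l.encode() for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def classify_response(resp: bytes) -> str:
    """Interpret the header flags of a reply from a server we do not own the
    queried zone on. 'open-resolver' means it recursed for an outsider."""
    _, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    ra = bool(flags & 0x0080)                 # Recursion Available
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"                      # recursion denied for this client: good
    if not ra:
        return "recursion-disabled"           # server does not offer recursion: good
    if an > 0 and rcode == 0:
        return "open-resolver"                # answered a foreign name recursively: bad
    return "no-answer"                        # RA set but nothing returned (e.g. SERVFAIL)

def amplification_ratio(query: bytes, resp: bytes) -> float:
    """Response bytes per query byte; large values are what attackers want."""
    return len(resp) / len(query)

def probe(server: str, name: str = "isc.org", timeout: float = 3.0) -> tuple:
    """Send one recursive query to your own server (placeholder address) and
    return (classification, amplification ratio). Requires network access."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        resp, _ = s.recvfrom(4096)
    return classify_response(resp), amplification_ratio(query, resp)

if __name__ == "__main__":
    # Replace with the public address of the DNS server you are checking.
    print(probe("192.0.2.10"))
```

Run it before and after disabling recursion: the expected result afterwards is `refused` or `recursion-disabled` with a ratio near 1.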