Situation:
Server (Win 2008R2) is being used in a DNS (amplification) DDoS attack. Amplification factor is already down to 1: set the DNS server to non-recursive and removed all root hints -> DNS replies server failure for non-authoritative domains -> incoming DNS request size EQ outgoing DNS request size.
Still, even without amplification, we are unwillingly participating, if only as a simple deflector (since most likely the source address has been spoofed to direct the DNS response traffic to the DDoS target).
Question: Is there, and if so what is, the easiest way to prevent DNS responses to DNS requests for specific domains? The reason behind that question is that all those malicious DNS requests are for the same domain but from varying IPs, so IP blocking is not really that effective.
So how can those DNS requests for specific domains be filtered out, and where (can the DNS server handle this, or does that have to be done on the firewall)?
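Before filtering anything, it helps to confirm from the query log that the traffic really has the shape the question describes (one queried name, many different source addresses, and a response no larger than the request). The following is an added example, not code from the question or the answer: it parses a constructed, simplified log format (a timestamp, direction, client IP, queried name and packet size per line; this is not the layout of the Windows DNS debug log), reports per-name query counts, distinct sources and the response/request byte ratio, and flags names that fit the reflection pattern. The domain names and addresses are placeholders.

```python
"""Spot the reflection signature in DNS query logs: one name, many sources.

Added example. The log format below is CONSTRUCTED and simplified:
    <time> <Rcv|Snd> <client-ip> <qname> <bytes>
It is not the Windows DNS debug-log layout; adapt parse_log() to your source.
"""
from collections import defaultdict

# Constructed sample: five spoofed sources hammering one external name
# (answered with SERVFAIL, so response size == request size), plus two
# legitimate queries for a zone this server is authoritative for.
SAMPLE_LOG = """\
10:00:00 Rcv 203.0.113.10 abused.example 60
10:00:00 Snd 203.0.113.10 abused.example 60
10:00:00 Rcv 203.0.113.11 abused.example 60
10:00:00 Snd 203.0.113.11 abused.example 60
10:00:01 Rcv 203.0.113.12 abused.example 60
10:00:01 Snd 203.0.113.12 abused.example 60
10:00:01 Rcv 203.0.113.13 abused.example 60
10:00:01 Snd 203.0.113.13 abused.example 60
10:00:02 Rcv 203.0.113.14 abused.example 60
10:00:02 Snd 203.0.113.14 abused.example 60
10:00:02 Rcv 203.0.113.10 abused.example 60
10:00:02 Snd 203.0.113.10 abused.example 60
10:00:03 Rcv 198.51.100.5 www.example.com 45
10:00:03 Snd 198.51.100.5 www.example.com 61
10:00:04 Rcv 198.51.100.6 www.example.com 45
10:00:04 Snd 198.51.100.6 www.example.com 61
"""


def parse_log(text):
    """Turn log lines into records; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        time, direction, client, qname, size = parts
        if direction not in ("Rcv", "Snd") or not size.isdigit():
            continue
        records.append({
            "time": time,
            "dir": direction,
            "client": client,
            "qname": qname.lower().rstrip("."),  # normalise case and trailing dot
            "bytes": int(size),
        })
    return records


def per_name_stats(records):
    """Aggregate queries, distinct sources and byte counts per queried name."""
    acc = defaultdict(lambda: {"queries": 0, "sources": set(),
                               "bytes_in": 0, "bytes_out": 0})
    for r in records:
        s = acc[r["qname"]]
        if r["dir"] == "Rcv":
            s["queries"] += 1
            s["sources"].add(r["client"])
            s["bytes_in"] += r["bytes"]
        else:
            s["bytes_out"] += r["bytes"]
    stats = {}
    for name, s in acc.items():
        stats[name] = {
            "queries": s["queries"],
            "distinct_sources": len(s["sources"]),
            "bytes_in": s["bytes_in"],
            "bytes_out": s["bytes_out"],
            # bytes sent per byte received: >1 means the server still amplifies
            "amplification": (round(s["bytes_out"] / s["bytes_in"], 2)
                              if s["bytes_in"] else None),
        }
    return stats


def reflection_candidates(stats, min_queries=5, min_sources=3):
    """Names queried often and from many different addresses: the
    'same domain, varying IPs' pattern the question describes."""
    return sorted(name for name, s in stats.items()
                  if s["queries"] >= min_queries
                  and s["distinct_sources"] >= min_sources)


if __name__ == "__main__":
    stats = per_name_stats(parse_log(SAMPLE_LOG))
    for name, s in sorted(stats.items(), key=lambda kv: -kv[1]["queries"]):
        print(f"{name:20} queries={s['queries']:4} sources={s['distinct_sources']:3} "
              f"in={s['bytes_in']:6}B out={s['bytes_out']:6}B "
              f"amp={s['amplification']}")
    print("reflection candidates:", reflection_candidates(stats))
```

Run against a real log, the `amplification` column tells you whether the non-recursive/no-root-hints change actually brought the ratio to 1 for the abused name, and the candidate list gives the exact names to hand to whatever filter you end up using.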
Best Answer
Is there any particular reason why your server has to answer external queries at all?
Ideally, you would set up an external resolver for your public resolver (used to resolve all resources that must be accessed externally: MX, web server, etc.), use the Windows DNS server only for your internal network, and block all incoming DNS queries at your perimeter.
There is one thing, however, that you simply cannot prevent: as soon as you have a DNS server that answers to external queries, even if it's only for your own domain, it can be used in a DNS bounce attack. You can configure it to prevent DNS amplification but not to prevent simple bounces. It shouldn't be a big deal unless you're getting DDoS'ed yourself though.
Edit:
The typical way to set up DNS in a small(ish) structure is the following: