Secure Microsoft DNS?
Trying to set up a Windows domain with a publicly accessible domain name is more difficult than I had expected.
The setup
Set up two servers as domain controllers with the DNS role installed. All the servers in the domain use the domain controllers as their DNS servers, which means recursion has to be enabled on the domain controllers' DNS servers.
The problem
If the DNS servers are publicly accessible and recursion is enabled, they are a security risk (an open resolver that anyone on the internet can use). But if I switch off recursion, the servers within the domain can't resolve anything outside the domain, including the hosts that serve security updates.
First try
Change the DNS client setting on the servers in the domain to use a properly configured recursive DNS server (non-Microsoft) and switch off recursion on the domain controllers. This didn't work, since the new DNS servers did not return the SRV records needed to find the domain controllers. This can be set up, but it seemed like a lot of work and a fragile setup.
Second try
The domain controllers have recursion switched on, but only respond to servers within the domain's network and to the two non-Microsoft DNS servers. The non-Microsoft DNS servers act as secondaries for the zone. So when a DNS query comes from outside, the secondaries answer it, since the primaries block external queries. This worked reasonably well, but there were failed and slow DNS queries because the primaries did not respond.
Solution
The solution I currently have is this: the domain controllers respond to external queries and have recursion switched off. The servers in the domain use two Microsoft DNS servers, which are not domain controllers; these have recursion switched on and do not respond to queries from outside the domain. These new DNS servers also have conditional forwarders set up for the domain's DNS name, pointing at the domain controllers.
The domain controllers and DNS servers are virtual machines, so the resource usage is not as bad as having four physical servers.
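The following is an added example, not code from the original post, that expresses the layout described under Solution as DnsServer, DnsClient and NetSecurity cmdlets. The first part runs on each domain controller, the second on each internal (non-DC) Microsoft DNS server, the third on a domain member as a check. Every name and address is a placeholder: corp.example.com is the AD domain, 10.0.0.0/8 the internal network, 10.0.0.1 and 10.0.0.2 the domain controllers, 10.0.0.11 and 10.0.0.12 the internal resolvers, and the firewall rule display names are assumed to be the ones the DNS role creates by default.

```powershell
# Added example (not from the original post). Placeholders, adjust for your network:
$AdDomain          = 'corp.example.com'
$InternalSubnets   = @('10.0.0.0/8')
$DomainControllers = @('10.0.0.1', '10.0.0.2')
$InternalResolvers = @('10.0.0.11', '10.0.0.12')

# --- On each domain controller: authoritative only, recursion off ---
# With recursion off the DC only answers for zones it hosts, so leaving it
# reachable from the internet no longer makes it an open resolver.
Set-DnsServerRecursion -Enable $false
Get-DnsServerRecursion | Select-Object Enable      # expect Enable : False
# The DC's own lookups must not go to itself any more (it cannot recurse),
# so point its DNS client at the internal resolvers. 'Ethernet' is an assumed alias.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $InternalResolvers

# --- On each internal (non-DC) Microsoft DNS server: recursive, internal-only ---
# Recursion stays on so domain members can reach everything outside the domain.
Set-DnsServerRecursion -Enable $true
# Queries for the AD domain itself (including the _msdcs SRV records used to
# locate domain controllers) are forwarded to the DCs, which are authoritative.
Add-DnsServerConditionalForwarderZone -Name $AdDomain -MasterServers $DomainControllers
# The DNS server itself cannot limit who may recurse, so "do not respond to
# queries from outside the domain" is enforced in Windows Firewall: narrow the
# inbound DNS allow rules created by the DNS role to the internal ranges.
# Rule names 'DNS (UDP, Incoming)' / 'DNS (TCP, Incoming)' are the role defaults
# (assumption); the wildcard matches both. Firewall block rules would override
# allow rules, so editing the allow rules is the right way to restrict them.
Get-NetFirewallRule -DisplayName 'DNS (*, Incoming)' |
    Set-NetFirewallRule -RemoteAddress $InternalSubnets

# --- Checks, run from a domain member whose DNS client points at 10.0.0.11 ---
# External names resolve through the internal resolver ...
Resolve-DnsName -Name 'www.example.org' -Server '10.0.0.11' -DnsOnly
# ... and the DC locator SRV records still come back via the conditional forwarder.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AdDomain" -Type SRV -Server '10.0.0.11' -DnsOnly
# A DC asked for an external name must no longer produce an answer.
Resolve-DnsName -Name 'www.example.org' -Server '10.0.0.1' -DnsOnly
# Asking the internal resolver from outside the internal ranges should time out,
# because the firewall now drops those packets before the DNS service sees them.
```

The conditional forwarder is what makes this design work where the first try failed: domain members send every query to the internal resolvers, and only the zone the domain controllers are authoritative for is handed back to them, so the SRV records are found without the resolvers having to host the zone themselves.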
The ideal solution would be for Microsoft to fix their DNS server so that recursion can be allowed only from defined address ranges.
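Windows Server 2016 and later do provide per-client recursion control through recursion scopes and query resolution policies, which is what the sentence above asks for. The following is an added example, not code from the original post, showing that setting on a single server: recursion is turned off in the default scope and re-enabled only for queries arriving from a named client subnet, so one server can be authoritative for the internet and recursive for the domain. The subnet name, scope name, policy name and address range are placeholders.

```powershell
# Added example (not from the original post); requires the DnsServer module on
# Windows Server 2016 or later. 'InternalClients' and 10.0.0.0/8 are placeholders.
# 1. Name the address range that is allowed to recurse.
Add-DnsServerClientSubnet -Name 'InternalClients' -IPv4Subnet '10.0.0.0/8'

# 2. Create a recursion scope with recursion on, and switch recursion off in the
#    default scope ("."), which every query not matched by a policy falls into.
Add-DnsServerRecursionScope -Name 'InternalRecursion' -EnableRecursion $true
Set-DnsServerRecursionScope -Name . -EnableRecursion $false

# 3. Policy: queries from the internal subnet are resolved in the recursive scope;
#    everything else stays in the default scope and gets authoritative answers only.
Add-DnsServerQueryResolutionPolicy -Name 'RecursionInternalOnly' -Action ALLOW `
    -ApplyOnRecursion -RecursionScope 'InternalRecursion' -ClientSubnet 'EQ,InternalClients'

# 4. Verify the scopes and the policy are in place.
Get-DnsServerRecursionScope
Get-DnsServerQueryResolutionPolicy -Name 'RecursionInternalOnly'
```

With this in place the firewall split between domain controllers and separate internal resolvers is no longer needed for recursion control; the domain controllers themselves can answer external queries for their zone while recursing only for internal clients.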