Introduction
Configuring and managing a DNS server in Windows Server involves a set of features and settings that affect its security, performance and functionality. This guide covers Response Rate Limiting, Selective Recursion Control, Query Filtering, Upward Referral Responses, the DNS Socket Pool, DNS Server Cache Locking, Zone Level Statistics, Event Logging, Debug Logging, DNS Server Monitoring and Performance Tuning.
Response Rate Limiting
Because DNS clients cache responses, a source that keeps asking for the same name within a short period is suspicious: in a reflection or amplification attack the source address is spoofed, so the victim appears to be sending the same query over and over
RRL settings allow you to configure how a DNS server responds to repeated queries for the same record over a short period of time
Response rate limiting is disabled by default on Windows Server 2016 DNS
Response rate limiting is configured using the Set-DNSServerResponseRateLimiting cmdlet
Name | Function |
--- | --- |
ResponsesPerSec | Maximum number of times per second the server sends the same response to one client subnet. Default 5 |
ErrorsPerSec | Maximum number of times per second the server sends an error response (such as NXDOMAIN or SERVFAIL) to one client subnet. Default 5 |
WindowInSec | Length of the window over which the per-second rates are averaged before RRL triggers. Default 5 seconds |
IPv4PrefixLength | IPv4 subnet size used to group clients for rate monitoring. Default 24 bits |
IPv6PrefixLength | IPv6 subnet size used to group clients for rate monitoring. Default 56 bits |
LeakRate | How often a rate-limited subnet still gets an answer. 0 means no response; 3 (the default) means one query in three is answered. Values: 0, 2 to 10 |
TruncateRate | How often a rate-limited subnet gets a truncated (TC bit) response instead of a drop, so a legitimate client can retry over TCP |
MaximumResponsesPerWindow | Upper bound on responses sent to rate-limited subnets within one window during a large attack. Default 1024 |
Mode | Enable, Disable or LogOnly (calculate and log RRL decisions without dropping anything) |
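The following PowerShell is an added example, not code from the original page: it stages RRL in LogOnly mode with the parameters from the table, checks the effective configuration, then switches to enforcement. It assumes the DnsServer module is available and the session runs with DNS administrator rights.

```powershell
# Added example: roll out RRL in two stages on a Windows Server 2016+ DNS server.
# Assumes the DnsServer PowerShell module and DNS admin rights.

# Stage 1: LogOnly. The server performs every RRL calculation and logs the drops
# it would have made, but still answers every query. This shows which subnets
# would be limited before any client is affected.
Set-DnsServerResponseRateLimiting -Mode LogOnly `
    -ResponsesPerSec 5 -ErrorsPerSec 5 -WindowInSec 5 `
    -IPv4PrefixLength 24 -IPv6PrefixLength 56 `
    -LeakRate 3 -TruncateRate 2 -MaximumResponsesPerWindow 1024 -Force

# Review the effective settings before enforcing.
Get-DnsServerResponseRateLimiting

# Stage 2: once the log shows only abusive sources being limited, enforce.
Set-DnsServerResponseRateLimiting -Mode Enable -Force

# If the thresholds turn out too aggressive, return to the documented defaults
# without turning RRL off:
# Set-DnsServerResponseRateLimiting -ResetToDefault -Force
```

Keep LeakRate above 0 on a public authoritative server: with a leak rate of 3 a legitimate resolver that happens to share a /24 with a spoofed victim still gets one answer in three and a truncated response on the others, so it can retry over TCP rather than fail.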
Selective Recursion Control
A DNS server that supports recursion will resolve queries on behalf of clients
When recursion is disabled, the DNS server will only respond to queries for names where the DNS server hosts the relevant zone
Allow the DNS server to resolve queries recursively for some clients, without the DNS server being an open resolver for all clients
Use to allow recursion for internal clients, but disallow for external clients
Manage using:
— Set-DNSServerRecursionScope
— Add-DNSServerRecursionScope
— Add-DNSServerQueryResolutionPolicy
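The sequence below is an added example, not code from the original page, showing how the three cmdlets fit together: recursion is disabled in the default scope and re-enabled only for internal clients through a policy. The subnet 10.0.0.0/8, the forwarder 10.0.0.2, the listening address 10.0.0.5 and the scope and policy names are placeholders.

```powershell
# Added example: selective recursion. Names and addresses are placeholders.

# 1. Turn recursion off in the default scope (its name is "."). Anyone not matched
#    by a policy below now gets authoritative-only behaviour.
Set-DnsServerRecursionScope -Name . -EnableRecursion $false

# 2. Create a second scope that does recurse, with its own forwarder.
Add-DnsServerRecursionScope -Name "InternalResolvers" -EnableRecursion $true -Forwarder 10.0.0.2

# 3. Define which clients count as internal. Policies reference subnets by name.
Add-DnsServerClientSubnet -Name "InternalClients" -IPv4Subnet "10.0.0.0/8"

# 4. Send recursive queries that come from that subnet AND arrive on the internal
#    interface to the recursive scope. External clients fall through to "." and
#    are refused recursion, so the server is never an open resolver.
Add-DnsServerQueryResolutionPolicy -Name "SplitRecursion" -Action ALLOW -ApplyOnRecursion `
    -RecursionScope "InternalResolvers" `
    -ClientSubnet "EQ,InternalClients" -ServerInterfaceIP "EQ,10.0.0.5" -Condition AND

# Verify: recursion is off in "." and the policy points internal clients elsewhere.
Get-DnsServerRecursionScope
Get-DnsServerQueryResolutionPolicy -Name "SplitRecursion"
```

Test it from both sides: a query for an external name from 10.0.0.0/8 should resolve, while the same query from any other address should be answered without recursion (no answer for names the server does not host).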
Response Rate Limiting Exceptions
Configure exceptions to RRL policies for known subnets or interfaces
— Exempt internal network interface from RRL policies
— Exempt specific subnets from RRL policies
Configure using:
Add-DnsServerResponseRateLimitingExceptionList
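As an added example that is not part of the original page, the block below exempts two sources from RRL and shows how to list and remove exceptions. The subnets, the interface address 10.0.0.5 and the list names are placeholders, and the subnet criterion is written here as a CIDR literal in the usual "operator,value" form.

```powershell
# Added example: RRL exception lists. Subnets, interface address and names are placeholders.

# Exempt internal clients, but only when they reach the internal interface.
# With -Condition AND both criteria must match for the exception to apply.
Add-DnsServerResponseRateLimitingExceptionList -Name "InternalExempt" `
    -ClientSubnet "EQ,10.0.0.0/8" -ServerInterfaceIP "EQ,10.0.0.5" -Condition AND

# Exempt a partner's monitoring subnet regardless of interface. Keep such entries
# narrow: every exempted subnet is a subnet an attacker can spoof without being limited.
Add-DnsServerResponseRateLimitingExceptionList -Name "PartnerMonitoring" `
    -ClientSubnet "EQ,192.0.2.0/24"

# Review what is exempt.
Get-DnsServerResponseRateLimitingExceptionList

# Remove an exception once it is no longer needed.
Remove-DnsServerResponseRateLimitingExceptionList -Name "PartnerMonitoring" -Force
```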
Query Filtering
You can filter queries using DNS policies
You can configure policies to:
— Block queries for a specific domain
— Block queries from a specific subnet
— Block queries for specific record types
— Allow queries only for specific domains
— Allow queries only from specific subnets
— Allow queries only for specific record types
Create policies using
— Add-DNSServerQueryResolutionPolicy
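The block below is an added example, not code from the original page, and creates one policy for each of the filtering cases listed above. Domain names, subnets and policy names are placeholders. Allow-lists are expressed with the NE (not equal) operator: the policy drops everything that does not match the permitted set.

```powershell
# Added example: query filtering with DNS policies. Names and subnets are placeholders.

# 1. Block queries for a domain and everything under it. IGNORE drops the query
#    silently; DENY would return an error response instead.
Add-DnsServerQueryResolutionPolicy -Name "BlockBadDomain" -Action IGNORE `
    -Fqdn "EQ,badexample.test,*.badexample.test"

# 2. Block queries from an abusive subnet. Subnets are defined first, then referenced by name.
Add-DnsServerClientSubnet -Name "AbusiveSubnet" -IPv4Subnet "203.0.113.0/24"
Add-DnsServerQueryResolutionPolicy -Name "BlockAbusiveSubnet" -Action IGNORE `
    -ClientSubnet "EQ,AbusiveSubnet"

# 3. Block a record type. ANY is the classic amplification vector.
Add-DnsServerQueryResolutionPolicy -Name "DropAny" -Action IGNORE -QType "EQ,ANY"

# 4. Allow queries only for the domains this server should answer for.
Add-DnsServerQueryResolutionPolicy -Name "AllowedDomainsOnly" -Action IGNORE `
    -Fqdn "NE,contoso.test,*.contoso.test"

# 5. Allow queries only from permitted subnets.
Add-DnsServerClientSubnet -Name "AllowedSubnets" -IPv4Subnet "10.0.0.0/8","192.168.0.0/16"
Add-DnsServerQueryResolutionPolicy -Name "AllowedSubnetsOnly" -Action IGNORE `
    -ClientSubnet "NE,AllowedSubnets"

# 6. Allow only the record types an authoritative server needs. If the zone is
#    DNSSEC signed, keep DNSKEY and DS in the list so validators can fetch them.
Add-DnsServerQueryResolutionPolicy -Name "AllowedTypesOnly" -Action IGNORE `
    -QType "NE,A,AAAA,CNAME,MX,NS,SOA,TXT,SRV,PTR,DNSKEY,DS"

# Policies are evaluated in ProcessingOrder and the first match wins, so check the
# order whenever a block rule and an allow-list rule could both apply.
Get-DnsServerQueryResolutionPolicy |
    Sort-Object ProcessingOrder |
    Format-Table Name, ProcessingOrder, Action, IsEnabled -AutoSize
```

Test each policy with Resolve-DnsName from an address inside and outside the affected subnet before relying on it; a misordered allow-list silently drops legitimate traffic rather than raising an error.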
Upward Referral Responses
Prior to Windows Server 2012 R2, a Windows DNS server with recursion disabled answered queries for names it did not host with an upward referral: a list of root name servers in the response's "additional" section
Because a small query produced a much larger response, this made the server usable as a reflector in DNS amplification attacks
Windows Server 2016 DNS servers with recursion disabled instead respond with SERVFAIL
Resolvers almost always already know the root server addresses, so dropping the referral has minimal impact on legitimate traffic
DNS Socket Pool
Enables DNS server to use source port randomization when issuing DNS queries
Protects against cache poisoning attacks
Enabled by default on Windows Server 2016
Can be configured using dnscmd.exe or by editing the registry
DNS Server Cache Locking
Configures whether, and for how long, an entry in the DNS server cache can be overwritten
— DNS servers answer from cache until the record's TTL expires
— Attackers can poison the cache by getting the server to accept a replacement for a record that is already cached
— Cache locking sets the percentage of a record's TTL during which the cached record cannot be overwritten; 100 (the default) means a cached record is never overwritten before it expires
Set-DnsServerCache -LockingPercent <percent>
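The block below is an added example, not code from the original page. It checks the two cache-poisoning defences described in the last two sections, the socket pool and cache locking, and corrects either one that has been weakened. The pool size 2500 and the excluded port range are the values assumed for illustration.

```powershell
# Added example: verify and enforce source-port randomization and cache locking.
# Assumes the DnsServer module and the ability to restart the DNS service.

# Socket pool: pre-allocated random source ports used for outbound queries.
# A pool size of 0 disables randomization and makes forged answers easy to land.
$settings = Get-DnsServerSetting -All
"Current socket pool size: $($settings.SocketPoolSize)"
if ($settings.SocketPoolSize -lt 2500) {
    # dnscmd is the interface the page names; the new size applies after a restart.
    dnscmd.exe /Config /SocketPoolSize 2500
    # If other services on this host need fixed UDP ports, keep them out of the pool:
    # dnscmd.exe /Config /SocketPoolExcludedPortRanges 3000-3050
    Restart-Service DNS
}

# Cache locking: how much of a record's TTL must elapse before it can be replaced.
# Anything below 100 gives an attacker a window to overwrite a live cached record.
$cache = Get-DnsServerCache
"Current locking percent: $($cache.LockingPercent)"
if ($cache.LockingPercent -lt 100) {
    Set-DnsServerCache -LockingPercent 100
}

# Re-read both values to confirm the end state.
(Get-DnsServerSetting -All).SocketPoolSize
(Get-DnsServerCache).LockingPercent
```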
Zone Level Statistics
Provide information on
— Server-wide statistics
— Zone transfer statistics
— Packet statistics
— Record statistics
— DNSSEC statistics
View Zone Level Statistics
Write the zone statistics to a variable and then query the variable's members (substitute a zone this server hosts):
$statistics = Get-DnsServerStatistics -ZoneName microsoft.com
$statistics.ZoneTransferStatistics
$statistics.ZoneQueryStatistics
$statistics.ZoneUpdateStatistics
Event Logging and Event IDs
Audit events are logged each time
— DNS server setting is changed
— DNS zone setting is changed
— DNS resource record is changed
DNS Audit Events
Event ID | Type |
--- | --- |
513 | Zone delete |
514 | Zone updated |
515 | Record create |
516 | Record delete |
521 | Record scavenge |
522 | Zone scope create |
523 | Zone scope delete |
537 | Forwarder reset |
540 | Root hints modification |
551 | Clear statistics |
559 | Pause zone |
560 | Resume zone |
564 | Update from AD DS |
573 | Add delegation |
578 | Create zone policy |
579 | Create forwarding policy |
580 | Delete server policy |
581 | Delete zone policy |
582 | Delete forwarding policy |
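As an added example that is not part of the original page, the block below reads the DNS audit channel for the destructive and policy-altering event IDs in the table above over the last 24 hours and summarises them. The 24-hour window and the chosen set of IDs are assumptions for illustration.

```powershell
# Added example: triage DNS audit events. The ID set and time window are assumptions.

# Deletes, forwarder and root-hint changes, and policy deletions: the events that
# change what the server answers or who it trusts.
$watchIds = 513, 516, 523, 537, 540, 580, 581, 582
$since    = (Get-Date).AddHours(-24)

# Audit events live in the DNS-Server audit channel, enabled by default.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-DNSServer/Audit'
    Id        = $watchIds
    StartTime = $since
} -ErrorAction SilentlyContinue   # Get-WinEvent errors when nothing matches

if (-not $events) {
    "No matching audit events since $since"
    return
}

# One line per event: time, ID and the first line of the message, which names
# the zone or record affected.
$events |
    Sort-Object TimeCreated |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Summary = ($_.Message -split "`r?`n")[0]
        }
    } | Format-Table -AutoSize

# Counts per ID: a burst of 516 (record delete) or 513 (zone delete) in a short
# window is worth a closer look even when each event is individually legitimate.
$events | Group-Object Id | Select-Object @{n='Id';e={$_.Name}}, Count
```

Forward this channel to a central collector; a DNS server that has been tampered with is not a trustworthy place to keep the only copy of the evidence.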
Debug Logging
Debug log allows you to record packet and transport information
Configure on the Debug Logging tab of DNS server properties
Disabled by default
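The block below is an added example, not code from the original page, showing the PowerShell equivalent of the Debug Logging tab: a time-boxed packet capture that is switched off again afterwards. The log path, file size cap and capture duration are placeholders.

```powershell
# Added example: time-boxed DNS debug logging. Path, size cap and duration are placeholders.

$logPath = 'C:\DNSLogs\dns-debug.log'
New-Item -ItemType Directory -Path (Split-Path $logPath) -Force | Out-Null

# Log queries and answers, dynamic updates and notifies, in both directions,
# over UDP and TCP, to a file capped at 500 MB.
Set-DnsServerDiagnostics -Queries $true -Answers $true -Update $true -Notifications $true `
    -ReceivePackets $true -SendPackets $true -UdpPackets $true -TcpPackets $true `
    -EnableLoggingToFile $true -LogFilePath $logPath -MaxMBFileSize 500

# Capture for as long as the investigation needs, then stop: debug logging costs
# CPU and disk I/O on every packet and the file records client addresses and names.
Start-Sleep -Seconds 600
Set-DnsServerDiagnostics -All $false

# Confirm logging is off and look at the tail of what was captured.
Get-DnsServerDiagnostics | Select-Object Queries, Answers, ReceivePackets, SendPackets, EnableLoggingToFile
Get-Content -Path $logPath -Tail 20
```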
DNS Server Monitoring
Allows you to verify from the DNS console that the DNS server is responding to queries
Can also perform recursive test query when recursion is enabled
Can be configured to automatically test simple and recursive queries on an interval
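As an added example that is not part of the original page, the block below performs the same simple and recursive test queries from PowerShell so they can be run from a scheduled task instead of the console. The server address, the hosted zone and the external test name are placeholders, and the recursive test only means something when recursion is enabled for the client running it.

```powershell
# Added example: scripted equivalent of the console's simple and recursive tests.
# Server address, zone and external name are placeholders.

$server       = '10.0.0.5'
$hostedZone   = 'contoso.test'
$externalName = 'www.example.com'

# Simple test: does the server answer for a zone it hosts?
$simple = Test-DnsServer -IPAddress $server -ZoneName $hostedZone
"Simple query:    $($simple.Result)"

# Recursive test: can the server resolve a name it is not authoritative for?
# Resolve-DnsName -DnsOnly bypasses the local cache and hosts file so the
# answer really comes from the server under test.
try {
    $recursive = Resolve-DnsName -Name $externalName -Type A -Server $server -DnsOnly -ErrorAction Stop
    "Recursive query: Success ($($recursive[0].IPAddress))"
}
catch {
    # Expected on an authoritative-only server or for a client outside the
    # recursion policy; a failure here is only a fault if recursion should work.
    "Recursive query: Failed ($($_.Exception.Message))"
}

# Exit non-zero when the simple test fails, so a scheduler or monitoring agent can alert.
if ($simple.Result -ne 'Success') { exit 1 }
```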
DNS Server Performance Tuning
Disable recursion (only on servers that are authoritative-only and never resolve for clients)
Create an explicit firewall rule for UDP port 53 on the interface IP address
Reduces firewall CPU usage, because the packet no longer has to be matched against the generic service rules
On computers with more than 12 cores, set the UDP receive thread count to 8
HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\UdpRecvThreadCount
Set network adapter receive buffers to the maximum the driver allows
Set-NetAdapterAdvancedProperty -Name <NIC> -DisplayName "Receive Buffers" -DisplayValue "Maximum"
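The block below is an added example, not code from the original page, applying the four tuning steps above to an authoritative-only server in one script. The listening address 10.0.0.5 and the adapter name "Ethernet" are placeholders, and the 12-core threshold and thread count are taken from the guidance above.

```powershell
# Added example: DNS performance tuning for an authoritative-only server.
# Listening address and adapter name are placeholders.

$listenIp = '10.0.0.5'
$nic      = 'Ethernet'

# 1. Disable recursion. Skip this on any server that resolves for clients.
Set-DnsServerRecursion -Enable $false

# 2. Explicit inbound rule for UDP 53 scoped to the listening address.
New-NetFirewallRule -DisplayName 'DNS UDP 53 (explicit)' -Direction Inbound `
    -Protocol UDP -LocalPort 53 -LocalAddress $listenIp -Action Allow -Profile Any

# 3. UDP receive threads: 8 on hosts with more than 12 cores (page guidance).
$cores = (Get-CimInstance Win32_Processor | Measure-Object -Property NumberOfCores -Sum).Sum
if ($cores -gt 12) {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' `
        -Name 'UdpRecvThreadCount' -Value 8 -Type DWord
}

# 4. Raise the NIC receive buffers. The accepted values are driver-specific;
#    list them first if "Maximum" is rejected:
#    Get-NetAdapterAdvancedProperty -Name $nic -DisplayName 'Receive Buffers' | Select-Object ValidDisplayValues
Set-NetAdapterAdvancedProperty -Name $nic -DisplayName 'Receive Buffers' -DisplayValue 'Maximum'

# The registry change takes effect when the DNS service restarts. Changing the
# adapter property resets the NIC briefly, so do both in a maintenance window.
Restart-Service DNS
```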
Conclusion
Configuring and maintaining a DNS server in Windows Server means choosing the features and settings that fit its role. Response Rate Limiting, Selective Recursion Control, Query Filtering and the cache protections limit how the server can be abused as a reflector or poisoned; audit and debug logging and monitoring show whether those controls are working; and the performance settings keep an authoritative server responsive under load. Applied together, these practices give a DNS infrastructure that is both stable and harder to attack.