For about a week our internet connection was coming to a crawl. I searched and searched and couldn’t put a finger on what was causing the problem. Then for some reason I decided to run our domain through dnsreport.com’s excellent domain checking website.
What I found was that we were getting a failure on the Open DNS servers section. What the heck does this mean, I thought. We’ve run our own DNS servers for several years; they are both authoritative for our domain and answer DNS requests for the clients on our network.
Here’s what dnsreport.com says about open DNS servers: “Open DNS servers increase the chances of cache poisoning, can degrade performance of your DNS, and can cause your DNS servers to be used in an attack.”
Our DNS servers are Windows Server 2003 using the built-in DNS software from Microsoft. To close a Microsoft DNS server you have to disable recursion. To do this, do the following (but keep reading before you actually do this):
- Open DNS.
- In the console tree, right-click the applicable DNS server, then click Properties.
- Click the Advanced tab.
- In Server options, select the Disable recursion check box, and then click OK.
Ok, great, now our DNS servers are not open servers, and sure enough our internet connection is working much better. However, now my clients on the inside are having problems getting to websites on the internet. Why is this? Well, by disabling recursion you also disable forwarding, and forwarding is needed for my clients’ DNS requests to get answered. What now?
After some research I found out that Microsoft DNS server can’t do forwarding without recursion and that most people recommend using BIND (which I found to be unfriendly). I did some more searching and found a DNS server software called Simple DNS Plus, and the short version is, I love it! I installed it, shut down the Microsoft DNS service on one of my DNS servers, imported DNS records from one of the other servers, and it was up and running. Then I went to the other server and did the same process. This software does a great job; it allows forwarding without recursion, so my DNS servers are no longer open and my internet connection is working great. It has great monitoring and other features like automatic IP blocking for addresses that try to flood the DNS server. Another great thing about this software is the price. The license is $79 for up to 5 zones, which is perfect for us.
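A way to check for yourself whether a DNS server still answers recursive queries for a domain it does not host, which is the condition dnsreport.com flags as an "open DNS server". This is an added example, not part of the original post or of Simple DNS Plus; it assumes the server being checked is reachable on UDP port 53, and the probe name and the two sample responses are constructed for illustration.

```python
import socket
import struct

# Constructed probe name: a domain the server under test is NOT authoritative for.
PROBE_NAME = "example.com"

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a DNS A query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(resp: bytes) -> dict:
    """Extract the header fields that show whether recursion was performed."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),    # response
        "aa": bool(flags & 0x0400),    # authoritative answer
        "rd": bool(flags & 0x0100),    # recursion desired (echoed)
        "ra": bool(flags & 0x0080),    # recursion available
        "rcode": flags & 0x000F,       # 0 = NOERROR, 2 = SERVFAIL, 5 = REFUSED
        "answers": an,
    }

def is_open_resolver(resp: bytes) -> bool:
    """Open if the server advertises RA and answers a name it is not authoritative for."""
    h = parse_header(resp)
    return h["ra"] and h["rcode"] == 0 and h["answers"] > 0 and not h["aa"]

def probe(server: str, timeout: float = 3.0) -> bool:
    """Send the probe over UDP to `server` (your own DNS host) and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(PROBE_NAME), (server, 53))
        data, _ = s.recvfrom(512)
    return is_open_resolver(data)

# Constructed sample responses (not captured from a real server).
# An open resolver: QR=1, RD=1, RA=1, NOERROR, one A record (TEST-NET address 192.0.2.1).
OPEN_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                 + build_query(PROBE_NAME)[12:]
                 + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
# A closed server after recursion is disabled: RA clear, REFUSED (rcode 5), no answers.
CLOSED_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)
                   + build_query(PROBE_NAME)[12:])

if __name__ == "__main__":
    print("open sample:", is_open_resolver(OPEN_RESPONSE))      # True
    print("closed sample:", is_open_resolver(CLOSED_RESPONSE))  # False
```

Run `probe("<your DNS server IP>")` from outside your network against each server after disabling recursion or switching software; a closed server should answer with RA clear and REFUSED or SERVFAIL rather than a resolved address.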
Simple DNS Plus has been running for a week now and it’s working great!