Preventing DNS Amplification Attacks via the Windows Firewall in Windows Server 2008 R2 or Windows Server 2012

This article describes how to prevent a DNS amplification attack when Windows DNS Server is installed on a Windows Server 2008 R2 or Windows Server 2012 cloud server. In such an attack, the attacker sends small queries with a forged source address to a DNS server that recurses for anyone (an "open resolver"); the server sends its much larger responses to the forged address, so the victim is flooded with traffic it never asked for and your server is the reflector. For more information about DNS amplification attacks, see the following link:

Once the DNS Server role is installed and the service is running, check whether the server answers recursive queries for arbitrary clients by querying it from a host outside your environment with either the “dig” command or the “nslookup” command. With dig the command is dig @IPAddressofYourServer FQDNOfWhateverSite, where the FQDN is a name your server is not authoritative for; nslookup takes the same two arguments in the opposite order, the name first and then the server address. If the server returns an answer, it is resolving names for anyone who asks, which is exactly what an attacker needs. Here are two examples of how an open resolver looks using each command:

Now that you have verified that the DNS server is configured as an open resolver, modify the two inbound firewall rules that the DNS Server role created, “DNS (TCP, Incoming)” and “DNS (UDP, Incoming)”. On each rule, open the Scope tab, change “Remote IP Address” from “Any IP address” to “These IP addresses”, and add the IP addresses of your other cloud servers, as pictured below. Note that this scope restriction drops every DNS packet from an address that is not on the list, not only recursive queries, so it is only appropriate for a server that resolves names for your own hosts. If the server must also answer public queries for zones it hosts, leave the rule scope open and instead disable recursion on the server (the “Disable recursion” checkbox on the Advanced tab of the server properties in DNS Manager).

Important: If you will be joining other servers to an Active Directory domain that uses this DNS server, make sure you add those servers’ IP addresses to the “Remote IP Address” list. If you don’t, they will not be able to reach the DNS server and will fail to join the domain. The same applies to any host that is configured to use this server for name resolution.

Once the scope is set on both the TCP and UDP rules, run the same test again from a host that is not on the list. Because Windows Firewall drops blocked inbound packets silently rather than rejecting them, both dig and nslookup now report a timeout instead of an answer, while a query from a listed address still succeeds. Below are the results from both the “dig” command and the “nslookup” command:
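The whole procedure, scripted, as an added example that is not part of the original Rackspace article: it scopes the two inbound DNS rules to a trusted address list with netsh advfirewall and provides a function for checking from an outside host whether the server still recurses. The rule names are assumed to be the defaults created by the DNS Server role, and the addresses 192.0.2.0/24, 198.51.100.10 and 203.0.113.53 are documentation addresses standing in for your own; change them before running. netsh is used rather than Set-NetFirewallRule because the NetSecurity cmdlets do not exist on Windows Server 2008 R2.

```powershell
# Added example, not part of the original article: scope the inbound Windows
# DNS Server firewall rules to trusted client addresses, and check from outside
# whether the server still behaves as an open resolver.
#
# Assumptions (placeholders; adjust for your environment):
#   - The rule names are the defaults created by the DNS Server role:
#     "DNS (UDP, Incoming)" and "DNS (TCP, Incoming)".
#   - $TrustedClients lists the cloud servers that must still reach this
#     resolver (192.0.2.0/24 and 198.51.100.10 are RFC 5737 documentation
#     addresses used as examples).
#   - Restrict-DnsInboundScope runs in an elevated prompt on the DNS server;
#     Test-OpenResolver runs on a host that is NOT in $TrustedClients.

$RuleNames      = @('DNS (UDP, Incoming)', 'DNS (TCP, Incoming)')
$TrustedClients = @('192.0.2.0/24', '198.51.100.10')   # example values

function Show-DnsInboundScope {
    # Print the fields of each DNS rule that matter here. RemoteIP is the
    # Scope tab's "Remote IP address" setting; "Any" means open to the world.
    foreach ($name in $RuleNames) {
        Write-Host "== $name =="
        netsh advfirewall firewall show rule "name=$name" |
            Where-Object { $_ -match '^(Enabled|Direction|Profiles|Protocol|LocalPort|RemoteIP)' }
    }
}

function Restrict-DnsInboundScope {
    # Replace the remote scope of both rules with the trusted list. This drops
    # every DNS packet from other sources, recursive or not, so only use it on
    # a server that resolves for your own hosts. A server that must answer
    # public queries for zones it hosts should instead disable recursion
    # (dnscmd /Config /NoRecursion 1) and leave the rule scope open.
    $scope = $TrustedClients -join ','
    foreach ($name in $RuleNames) {
        netsh advfirewall firewall set rule "name=$name" new "remoteip=$scope"
        if ($LASTEXITCODE -ne 0) { throw "Failed to update rule '$name'" }
    }
}

function Test-OpenResolver {
    # Query the server for a name it is not authoritative for. An open resolver
    # answers (nslookup prints "Non-authoritative answer:"); once the firewall
    # scope is applied the query times out instead, because Windows Firewall
    # drops blocked packets silently. Returns $true if the server recursed.
    param(
        [Parameter(Mandatory=$true)][string]$DnsServer,   # e.g. 203.0.113.53 (example)
        [string]$Fqdn = 'www.example.com'
    )
    $out = & nslookup $Fqdn $DnsServer 2>&1 | Out-String
    if ($out -match 'timed out|timed-out|No response from server') {
        Write-Host "$DnsServer did not answer (blocked or unreachable)"
        return $false
    }
    if ($out -match 'Query refused') {
        Write-Host "$DnsServer refused recursion"
        return $false
    }
    return ($out -match 'Non-authoritative answer')
}

# On the DNS server:
Write-Host 'Scope before:'; Show-DnsInboundScope
Restrict-DnsInboundScope
Write-Host 'Scope after:';  Show-DnsInboundScope

# On an outside host, run before and after the change:
# Test-OpenResolver -DnsServer 203.0.113.53   # expect $true first, then $false
```

Run the scope functions on the DNS server itself and Test-OpenResolver from a machine that is not on the trusted list; running the test from a listed machine will always succeed and proves nothing about exposure to the internet.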

Congratulations on setting up a Windows DNS Server that cannot be used as a reflector in a DNS amplification attack!

© 2015 Rackspace US, Inc.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License
