Potential Security Issue:-
DNS Server Allows Recursive Queries
My recommendation:-
After investigation there are no issues with removing root hints and only allowing forwarding to xxinsertcompanynamexx DNS servers. Of course this would still mean recursive queries occur because forwarders cannot be listed if recursion is disabled. DNS will check forwarders first but then have no hints to use for iterative queries on the public network.
Recommend no change.
This server is only used for lookup for one particular company as part of required services. It was recommended by my manager to remove root hints, but in effect this wouldn't make any difference because the server would still make recursive queries to the listed forwarders on the DNS server. I hope I have explained this well enough.
I have checked Microsoft's DNS hardening papers and see no security issues with the current implementation. Can't do much more than that.
Anyone else have to look at issues like this? BTW, did I mention I hate penetration tests and I hate companies whose names begin with I and end with M (there is a B in between)?
Cheers,
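For anyone checking the same finding on a Windows DNS server, here is an added example (not from the post above) that shows the current recursion and forwarder state, applies the forwarders-only configuration the post describes, and then goes one step further than the post: on Windows Server 2016 or later, DNS recursion scopes and a query resolution policy let the server keep its forwarders for internal clients while refusing recursion to everyone else. The forwarder addresses, subnet and scope/policy names are made-up placeholders.

```powershell
# Requires the DnsServer module (RSAT / DNS Server role). Run as an administrator on the DNS server.
Import-Module DnsServer

# 1. Record the current state: is recursion on, are root hints in use, which forwarders exist?
Get-DnsServerRecursion | Select-Object Enable, SecureResponse
Get-DnsServerForwarder  | Select-Object IPAddress, UseRootHint
(Get-DnsServerRootHint | Measure-Object).Count   # number of root hint entries still present

# 2. Forwarders-only configuration (what the post describes).
#    Recursion stays enabled, but with UseRootHint off the server never falls back to iterative
#    queries against the root servers when a forwarder fails to answer; it just returns SERVFAIL.
#    PLACEHOLDER addresses: replace with the company's DNS servers.
Set-DnsServerForwarder -IPAddress 192.0.2.53, 192.0.2.54 -UseRootHint $false
Get-DnsServerRootHint | Remove-DnsServerRootHint -Force

# 3. Beyond the post (assumes Windows Server 2016+): restrict WHO may use recursion at all.
#    Default scope "." is turned off, so arbitrary clients get no recursion; a second scope with
#    the same forwarders is handed out only to the internal client subnet by policy.
Add-DnsServerClientSubnet   -Name "InternalClients" -IPv4Subnet "10.0.0.0/8"   # PLACEHOLDER subnet
Add-DnsServerRecursionScope -Name "InternalRecursion" -EnableRecursion $true `
    -Forwarder 192.0.2.53, 192.0.2.54
Set-DnsServerRecursionScope -Name "." -EnableRecursion $false
Add-DnsServerQueryResolutionPolicy -Name "AllowInternalRecursion" -Action ALLOW `
    -ApplyOnRecursion -RecursionScope "InternalRecursion" -ClientSubnet "EQ,InternalClients"

# 4. Verify: default scope refuses recursion, internal scope still forwards.
Get-DnsServerRecursionScope | Select-Object Name, EnableRecursion, Forwarder
Get-DnsServerQueryResolutionPolicy | Select-Object Name, Action, IsEnabled
```

After step 3, test from a host outside the internal subnet: a query for an external name should come back refused or unanswered, while a query from inside the subnet should still resolve via the forwarders. Step 3 changes behaviour for the whole server, so try it on a lab instance before touching production.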