We are getting a notice from our ISP that we could be a target for attacks due to an Open DNS Resolver because of our current configuration. It seems as if our DNS Server on the TMG 2010 Firewall is also resolving, or at least contributing to the process of resolving, incoming requests for names/addresses that are not defined in our Forward Lookup Zones. If I perform a DNS test on one of the multiple IP addresses facing the internet to resolve microsoft.com, our firewall responds to the client itself...
Does anyone know how we can prevent all external DNS requests for addresses other than those we have defined in our Forward Lookup Zones from being resolved on our Firewall?
Current config:
TMG 2010 is our external firewall, which has DNS Server installed. One internal NIC and one external NIC. The DNS has several Forward Lookup Zones that publish our own addresses and resolve all incoming requests from any external clients for the addresses and aliases in these FL Zones. Internal NIC has this config: own IP address, subnet mask, internal DNS servers (not the DNS Server installed on the TMG 2010). External NIC has this config: all own IP addresses, subnet mask, gateway (ISP), ISP's DNS Servers.
Firewall Policy: DNS Server, From: External (all), To: TMG internal NIC address (not the external NIC's IP addresses)
Our internal DNS Server on a DC is configured with the TMG internal NIC as gateway and a 2nd DNS server as optional DNS server. This DNS Server hosts only internal Forward Lookup Zones for computers, servers and services.
I have tried to include all relevant information to this issue. If more is needed I will add this on request.
Thanks for any replies/tips on how to make our TMG 2010 not answer external DNS requests unless the request involves the Forward Lookup Zones we have configured.
//John
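As an added example, not part of John's post: a small standard-library Python check that sends a recursive query (RD=1) for a name outside the configured Forward Lookup Zones and classifies the reply by its header flags, so the "open resolver" condition in the ISP notice can be verified before and after the DNS Server configuration is changed. The `probe` helper, its `server_ip` argument and the sample reply bytes in the test are assumptions/constructed values.

```python
import socket
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a DNS A/IN query with RD=1, i.e. asking the server to recurse."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(resp: bytes) -> str:
    """Read the header flags of a reply to a recursive query for a name the
    server is not authoritative for (e.g. microsoft.com asked of the TMG box)."""
    if len(resp) < 12:
        return "malformed"
    _txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    qr = (flags >> 15) & 1       # 1 = this is a response
    aa = (flags >> 10) & 1       # authoritative answer (name is in our own zones)
    ra = (flags >> 7) & 1        # server advertises recursion to this client
    rcode = flags & 0xF          # 5 = REFUSED
    if not qr:
        return "not-a-response"
    if rcode == 5:
        return "refused"         # recursion explicitly refused: good
    if aa:
        return "authoritative"   # expected for names in the Forward Lookup Zones
    if ra:
        return "open-resolver"   # RA=1: server will recurse for outsiders
    return "recursion-disabled"  # RA=0 and not authoritative: referral/empty reply

def probe(server_ip: str, name: str = "microsoft.com", timeout: float = 3.0) -> str:
    """Send the query over UDP/53 and classify the reply (server_ip is an
    assumption; use each public-facing address of the DNS server)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        try:
            resp, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-reply"
    if resp[:2] != query[:2]:
        return "txid-mismatch"   # reply does not belong to our query
    return classify_response(resp)
```

A reply of "open-resolver" for a name outside your zones reproduces what the ISP reported; "recursion-disabled", "refused" or "no-reply" is what you want to see from the internet side once recursion is turned off, while "authoritative" should still come back for your own zones.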