As suggested in the Server Manager forum, I am trying my luck in this forum.
I have a Win2008R2 Server with DNS services installed. The server is configured not to allow recursive queries from clients.
However, when sending such a query, the server sends back a list of root hints as its response. While the shortest possible query is 45 bytes long, the corresponding answer is 476 bytes long. A similarly configured Bind server just refuses the query, with the reply packet being the same size as the query packet (i.e., both 45 bytes).
In a DNS amplification attack scenario, this translates to an amplification factor of (476/45)=10.6 for a Windows server even with recursion disabled, as opposed to a factor of 1 for the Bind server.
Is there any way to make the Win2008R2 server refuse recursive queries altogether and thus prevent it from serving as an "amplifier" in such scenarios?
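As an added example (not part of the original post, and not Microsoft's or ISC's code), the following Python script reproduces the measurement the post describes: it builds the shortest possible recursive query (the "." NS question, 17 bytes of DNS plus 28 bytes of IPv4/UDP headers gives the 45 bytes quoted), decodes the response header, and computes the amplification factor on the wire. The two responses are constructed, not captured: a REFUSED reply with the question echoed and no records (the Bind behaviour), and a referral-style reply carrying the root NS set in the authority section with one glue A record each in the additional section (the Windows behaviour). The hint set uses the 13 root-server hostnames with TEST-NET (192.0.2.0/24) documentation addresses, so its 462-byte size is illustrative, not the poster's measured 476. `probe` sends a real query and should only be pointed at a server you are authorised to test.

```python
import socket
import struct

QTYPE_NS, QTYPE_A, QCLASS_IN = 2, 1, 1
TTL = 518400                 # 6 days, the TTL root hints are typically served with
IP_UDP_OVERHEAD = 20 + 8     # IPv4 + UDP headers: 17-byte DNS query + 28 = the 45 bytes in the post


def encode_name(name):
    """Wire-format a dotted name; the root "." is a single zero byte."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname=".", qtype=QTYPE_NS, rd=True, txid=0x1234):
    """Build a query; RD set asks for recursion. "." NS is the shortest possible query: 17 bytes."""
    flags = 0x0100 if rd else 0
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack(">HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Decode the 12-byte header: QR/RA bits, RCODE and the four section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def amplification(query, response, on_the_wire=True):
    """Bytes returned per byte sent. on_the_wire=True counts IP+UDP headers, as the post does."""
    overhead = IP_UDP_OVERHEAD if on_the_wire else 0
    return (len(response) + overhead) / (len(query) + overhead)


def probe(server, qname=".", timeout=2.0):
    """Send one recursive query to a server you are allowed to test; returns (query, response)."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        r, _ = s.recvfrom(4096)
    return q, r


def refused_response(query):
    """Constructed: the Bind behaviour from the post. QR set, RA clear, RCODE 5 (REFUSED),
    question echoed, no records, so the reply is exactly as long as the query."""
    txid, flags, qd = struct.unpack(">HHH", query[:6])
    flags = ((flags | 0x8000) & ~0x008F) | 5
    return struct.pack(">HHHHHH", txid, flags, qd, 0, 0, 0) + query[12:]


def root_hints_response(query, servers):
    """Constructed: the referral-style reply the post describes from Windows DNS. No answer
    records, the root NS set in AUTHORITY and one A glue record per server in ADDITIONAL.
    The shared name suffix is compressed with a pointer, as real servers do."""
    txid = struct.unpack(">H", query[:2])[0]
    n = len(servers)
    msg = bytearray(struct.pack(">HHHHHH", txid, 0x8100, 1, 0, n, n))  # QR set, RD echoed, RA clear
    msg += query[12:]                                                 # echo the question section
    suffix_at = {}                                                    # suffix -> offset of its first full copy

    def name_bytes(host, at):
        first, _, rest = host.partition(".")
        label = bytes([len(first)]) + first.encode("ascii")
        if rest in suffix_at:                                          # compression pointer: 0xC000 | offset
            return label + struct.pack(">H", 0xC000 | suffix_at[rest])
        suffix_at[rest] = at + len(label)
        return label + encode_name(rest)

    for host in servers:                                               # AUTHORITY: ".  NS  host"
        owner = encode_name(".")
        rdata = name_bytes(host, len(msg) + len(owner) + 10)
        msg += owner + struct.pack(">HHIH", QTYPE_NS, QCLASS_IN, TTL, len(rdata)) + rdata
    for host, addr in servers.items():                                 # ADDITIONAL: "host  A  addr"
        owner = name_bytes(host, len(msg))
        msg += owner + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, TTL, 4) + socket.inet_aton(addr)
    return bytes(msg)


# Constructed hint set: the 13 root-server hostnames with TEST-NET addresses, not their real ones.
SAMPLE_HINTS = {f"{c}.root-servers.net": f"192.0.2.{i + 1}" for i, c in enumerate("abcdefghijklm")}


def compare(servers=SAMPLE_HINTS):
    """Amplification factor of the two constructed behaviours for the shortest recursive query."""
    q = build_query()
    return {"refused": amplification(q, refused_response(q)),
            "root_hints": amplification(q, root_hints_response(q, servers))}


if __name__ == "__main__":
    for behaviour, factor in compare().items():
        print(f"{behaviour}: x{factor:.1f}")
```

Run stand-alone, the script prints the two factors for the constructed replies; to measure a server you control, call `probe("<address>")` and pass the returned pair to `amplification` and `parse_header`. A reply with `rcode` 5 and zero record counts is the refusing behaviour; a reply with `rcode` 0, `ancount` 0 and non-zero `nscount`/`arcount` is the root-hints referral the post complains about.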