Configuring Internal-Only DNS Resolution on Windows DNS Server

If you have devices that need to resolve INTERNAL DNS addresses but should not resolve public internet DNS addresses, you can configure a Windows DNS server to operate in internal-only mode. This ensures devices only resolve local network resources while blocking public DNS queries.

Key Steps to Configure Internal-Only DNS:

1. Remove DNS Forwarders:

  • Open DNS Manager (dnsmgmt.msc).
  • Right-click the server name → Properties → Forwarders tab.
  • Delete any listed forwarders (e.g., Google’s 8.8.8.8, Cloudflare’s 1.1.1.1).

2. Disable Root Hints:

  • Go to the Root Hints tab.
  • Remove all root servers.
  • Uncheck “Use root hints if no forwarders are available”.

3. Configure Clients to Use Internal DNS:

  • Set device DNS settings to only point to the internal DNS server (e.g., 192.168.1.10).
  • For DHCP scope configuration:
    Set-DhcpServerv4OptionValue -ScopeId 192.168.1.0 -DnsServer 192.168.1.10
    

4. Block External DNS at Firewall:

  • Prevent devices from bypassing internal DNS by blocking outbound UDP/TCP port 53 at the perimeter for every host except the DNS server itself.
  • Example PowerShell commands for a host-based rule (as written they block every outbound DNS query from the host, so scope them with -RemoteAddress to the address ranges that should be blocked, leaving the internal server at 192.168.1.10 reachable):
    New-NetFirewallRule -DisplayName "Block External DNS (UDP)" -Direction Outbound -Protocol UDP -RemotePort 53 -Action Block
    New-NetFirewallRule -DisplayName "Block External DNS (TCP)" -Direction Outbound -Protocol TCP -RemotePort 53 -Action Block

You Should Know:

Verify DNS Resolution:

  • Test internal resolution:
    nslookup internal-server.example.com 192.168.1.10
  • Confirm public DNS fails (expect a server failure or timeout rather than an answer):
    nslookup google.com 192.168.1.10

For VPN Users:

  • Disable split tunneling to force all traffic (including DNS) through the VPN.
  • Example OpenVPN server directives (block-outside-dns is honoured by Windows clients):
    push "dhcp-option DNS 192.168.1.10"
    push "block-outside-dns"

Secure DNS Updates:

  • Use DNSSEC to prevent spoofing by signing the internal zone with the default signing parameters:
    Invoke-DnsServerZoneSign -ZoneName "internal.example.com" -SignWithDefault
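The configuration steps and the verification checks above, combined into one audit script. This is an added example, not part of the original post; it assumes the DnsServer and DnsClient PowerShell modules (RSAT) are installed and reuses the post's placeholder server address and host names.

```powershell
# Added example: audit a Windows DNS server for internal-only operation.
# Assumes the DnsServer (RSAT) and DnsClient modules; the address and
# names below are the placeholders used in the post.
param(
    [string]$DnsServer    = '192.168.1.10',
    [string]$InternalName = 'internal-server.example.com',
    [string]$ExternalName = 'google.com'
)

$findings = @()

# 1. No forwarders, and no fallback to root hints when forwarders are absent.
$fwd = Get-DnsServerForwarder -ComputerName $DnsServer
if ($fwd.IPAddress.Count -gt 0) {
    $findings += "Forwarders still configured: $($fwd.IPAddress -join ', ')"
}
if ($fwd.UseRootHint) {
    $findings += "'Use root hints if no forwarders are available' is still enabled"
}

# 2. Root hints have been removed.
$hints = @(Get-DnsServerRootHint -ComputerName $DnsServer)
if ($hints.Count -gt 0) {
    $findings += "$($hints.Count) root hint(s) still present"
}

# 3. Behavioural check: the internal name resolves, the public name does not.
try {
    $null = Resolve-DnsName -Name $InternalName -Server $DnsServer -DnsOnly -ErrorAction Stop
} catch {
    $findings += "Internal name $InternalName did not resolve via $DnsServer"
}
try {
    $null = Resolve-DnsName -Name $ExternalName -Server $DnsServer -DnsOnly -ErrorAction Stop
    $findings += "Public name $ExternalName still resolves via $DnsServer (leak)"
} catch {
    # Expected: a failure here means the server is not resolving public names.
}

# 4. Query logging is on, so any leak would show up in the DNS diagnostic log.
$diag = Get-DnsServerDiagnostics -ComputerName $DnsServer
if (-not $diag.Queries) {
    $findings += "DNS diagnostic query logging is disabled"
}

if ($findings.Count -eq 0) {
    Write-Output "PASS: $DnsServer is configured for internal-only resolution"
} else {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
}
```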

What Undercode Says:

This method is ideal for SCADA systems, air-gapped networks, or restricted workstations. However:

– Limitation: Devices can still access the internet via IP addresses if the gateway allows it.
– Enhanced Security: Combine with:
  – Firewall rules to block all outbound DNS except from authorized servers.
  – DNS logging to monitor queries (-All $true enables every diagnostic event, including packet logging, so expect verbose output):
    Set-DnsServerDiagnostics -All $true
– Linux Alternative: Use `dnsmasq` for internal DNS:
    sudo apt install dnsmasq
    # Send queries for the internal zone to the internal server
    echo "server=/internal.example.com/192.168.1.10" | sudo tee -a /etc/dnsmasq.conf
    # Do not pick up public upstream servers from /etc/resolv.conf
    echo "no-resolv" | sudo tee -a /etc/dnsmasq.conf
    sudo systemctl restart dnsmasq
– For Hybrid Environments: Consider conditional forwarding for split DNS.

Expected Output:

A locked-down DNS server that only resolves internal addresses, with logs confirming no public DNS leaks.

Reference: Microsoft DNS Configuration Guide

Reported By: Charlescrampton If – Hackers Feeds