I received an email from an ISP stating that our server had participated in a DDoS attack against one of their servers--and that we appear to be running an "open recursive resolver".
The IP address they gave is for one of our development servers, which is running Windows Server 2012 R2. I did some googling and followed these instructions (https://technet.microsoft.com/en-us/library/Cc771738.aspx?f=255&MSPPError=-2147217396) to disable recursion in DNS Manager. My questions are:
Should turning off the recursion option be enough to make sure this does not happen again?
Is it OK to delete the DNS Server on this server? I didn't even know it was apparently installed by default. We use external DNS servers for everything. I would like to keep our attack surface minimal in general.
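As an added example (not part of the question and not from the linked Microsoft article), the following PowerShell checks the same things the question asks about on the Windows Server 2012 R2 box itself: whether the DNS Server role is installed, whether recursion is really off, whether any zones are hosted that someone might depend on, and, only once that is confirmed, how the role would be removed. It assumes the `DnsServer` PowerShell module that ships with the role is available and is run in an elevated session on the server; the probe name is a placeholder.

```powershell
# Added example: verify the recursion change and decide whether the DNS Server
# role can go. Run elevated on the server. 'example.com' is a placeholder for
# any domain this server is not authoritative for.

Import-Module DnsServer -ErrorAction Stop

# 1. Is the DNS Server role installed at all?
$role = Get-WindowsFeature -Name DNS
"DNS Server role installed: $($role.Installed)"

if ($role.Installed) {
    # 2. The DNS Manager checkbox from the question maps to this setting.
    $rec = Get-DnsServerRecursion
    "Recursion enabled: $($rec.Enable)"
    if ($rec.Enable) {
        # Disabling recursion on Windows DNS also disables forwarders.
        Set-DnsServerRecursion -Enable $false
    }

    # 3. Prove it from the server's own point of view: a name this server does
    #    not host must now fail locally instead of being looked up upstream.
    #    -DnsOnly skips the hosts file so only the DNS service is tested.
    $probe = 'example.com'
    try {
        Resolve-DnsName -Name $probe -Server 127.0.0.1 -DnsOnly -ErrorAction Stop | Out-Null
        "WARNING: $probe still resolves through this server; recursion is still active"
    } catch {
        "OK: query for $probe was not answered by this server ($($_.Exception.Message))"
    }

    # 4. Does anything depend on it? Zones other than the auto-created ones
    #    (localhost, reverse loopback, etc.) mean someone may be relying on it.
    $zones = Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated }
    "Zones hosted here: $(($zones.ZoneName -join ', '))"

    # 5. If no zones are hosted and no clients show up in the firewall log,
    #    remove the role entirely. Left commented out on purpose; the reboot
    #    is required for the feature removal to complete.
    # Uninstall-WindowsFeature -Name DNS -IncludeManagementTools -Restart
}
```

The probe in step 3 is the check worth keeping: with recursion off, the service returns a failure for any name it is not authoritative for, which is exactly what stops it being usable as a reflector. Step 5 answers the second question: removing the role is fine once step 4 shows no hosted zones and the firewall log shows no legitimate clients.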
If I were you I would approach this from the network perspective. Set up a firewall to log any traffic to
53/udp and 53/tcp
on the server. Figure out what is using the service. If no one knows why DNS was installed, and you disable it, the only way to know if you needed it will be to examine what broke.
As I saw in the comment that the server is used only as a webserver, please allow only the needed port to be opened to the server. That move will block the unauthorised use of that DNS.
On small SOHO firewalls many put public servers in an open DMZ, but with an advanced firewall it's wiser to make a public VLAN for the server and forward only the required ports, like http/https in your case.
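Both answers above describe network-side controls: log and attribute traffic to 53/udp and 53/tcp, and expose nothing but HTTP/HTTPS. As an added example (not from either answer), the PowerShell below does the equivalent on the server itself with Windows Firewall, which is useful as a second layer even when the edge firewall is fixed too. It assumes the default pfirewall.log location, a placeholder management subnet of 10.0.0.0/24 for RDP, and that allowed connections are logged as well as blocked ones so that legitimate DNS clients, if any, show up before the role is removed.

```powershell
# Added example: host-level version of the advice above. Run elevated.
# Paths, the admin subnet and the log size are placeholders.

$log = 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log'

# 1. Log allowed AND blocked connections on every profile, so every client that
#    talks to port 53 is visible whether or not it is dropped.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -LogFileName $log -LogMaxSizeKilobytes 32767 `
    -LogAllowed True -LogBlocked True

# 2. Keep a way in before going default-deny: RDP only from the admin subnet.
New-NetFirewallRule -DisplayName 'Allow RDP from admin net' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress 10.0.0.0/24 -Action Allow -Profile Any

# 3. Default-deny inbound, then allow only what a web server needs.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'Allow HTTP/HTTPS in' -Direction Inbound `
    -Protocol TCP -LocalPort 80,443 -Action Allow -Profile Any

# 4. Explicit block rules for DNS so the drops are attributable in the log.
foreach ($proto in 'UDP','TCP') {
    New-NetFirewallRule -DisplayName "Block DNS in ($proto)" -Direction Inbound `
        -Protocol $proto -LocalPort 53 -Action Block -Profile Any
}

# 5. After the log has had time to fill, summarise inbound port-53 traffic by
#    source address, protocol and whether it was allowed or dropped.
function Get-Port53Clients {
    param([string]$Path = $log)
    # pfirewall.log W3C fields, in order:
    # date time action protocol src-ip dst-ip src-port dst-port size ... path
    Get-Content $Path |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $f = $_ -split '\s+'
            # dst-port is field 8 (index 7); the last field is SEND or RECEIVE
            if ($f.Count -ge 8 -and $f[7] -eq '53' -and $f[-1] -eq 'RECEIVE') {
                [pscustomobject]@{ Action = $f[2]; Proto = $f[3]; Source = $f[4] }
            }
        } |
        Group-Object Source, Proto, Action |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-Port53Clients | Format-Table -AutoSize
```

The order of steps 2 and 3 matters: creating the management allow rule before switching the default inbound action to Block avoids locking yourself out of a remote server. The summary from step 5 is what the first answer is asking for: a handful of internal sources hitting port 53 means something still depends on the service, while a long tail of unrelated external addresses is the reflection traffic the ISP complained about, now being dropped.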