Channel: Security forum

DNS Amplification Attacks

With regard to Windows Servers and the DNS Service operating on them: I'm absolutely surprised that this is still ongoing within the DNS Service, and that it doesn't allow anything but simply disabling recursion entirely.
Microsoft has a lot of server-based systems that are running on the internet from all the clients that you have. The biggest issue is that you can't simply restrict recursion requests (nslookup microsoft.com) to the localhost.
It should be the DEFAULT to have this option enabled, since recursion is enabled by default, to restrict any queries that are not for authoritative zones on the Windows DNS Server to just the localhost of the server itself.
There are a large number of companies out there that are deploying Windows servers, mainly in data centers, that are not configured correctly. More likely simply due to the fact that Windows is easy to operate and most of the administrators don't even think of this as an issue... However, it's well beyond a little or non-issue.
BIND (ISC) has the ability to do this; why doesn't Microsoft's DNS Server?
This shouldn't be more than a simple security patch that can be deployed with Windows updates. It would close a lot of open recursion DNS servers that are used maliciously, more likely without the knowledge of the server operators.
Please let me know if there's someone within Microsoft that can bring this to the attention of the proper personnel.
Thanks,
Dejan Dan Protich
Sr. Network Engineer
HiVelocity Hosting
