I am trying to make our network pass PCI requirements. We have a Zywall USG 20w as our firewall and Windows 2003 DNS servers inside our firewall. I do not need to expose our internal network DNS to the internet, but I do need to allow our internal computers to access external DNS queries, so my internal DNS servers need to use DNS recursion. The error we get from the PCI scan is, "The remote name server allows recursive queries to be performed by the host running nessusd." I would like to disable DNS queries from outside of our firewall. I tried closing port 53 in the firewall (both TCP and UDP are set to deny port 53), but that doesn't seem to do it. Is there a way I can have the Zywall deny incoming recursive dns queries? I've been banging my head against this one for a while now.
~Pat
↧