... PCI scan cannot pass; the cause was traced to our AD server having a DNS cache probing problem.
Most of our company's PCs and servers also point their DNS at the AD server. Trustwave's recommendation is to stop external DNS queries. How should this be done?
I searched many places online and could not find a relevant solution. Asking the experts here for help, much appreciated!!!
The original scan result is below.
TCP & UDP
Description:
It was possible to receive answers from this DNS server for non-recursive queries for third-party domains. For an attacker, if a DNS answer to the non-recursive query is received, this indicates that a domain has recently been resolved by the DNS server (and, theoretically, other hosts that use the server). No response indicates that the queried domain was not recently resolved. This can allow an attacker to discover domains queried by other hosts using this server, which might give an indication of web-browsing habits or domains accessed for business purposes.
Remediation:
It is important to restrict who can perform DNS queries, in addition to what is allowed to be queried. If this DNS server is only meant to be recursively queried by internal users for third-party domains, then there is no reason to allow the general internet to also perform queries against it. If the server is meant only to act as a nameserver for specific domains, then recursive queries should be disabled as it is unnecessary for the server to resolve anything other than its own domains. If the server is used for *both* third-party recursive queries in addition to acting as a nameserver for specific domains, then split DNS needs to be implemented (see the references below). Split DNS can be implemented either physically (one DNS server for recursive queries, and another for acting as a nameserver for domains), or through the use of access control lists (acls) in the server's configuration (BIND supports this).
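Since the server in question is an AD domain controller, here is an added PowerShell example (not from the original post and not from Trustwave's report) of how the remediation above maps onto Windows DNS: limit recursion to internal clients with a DNS policy, keep port 53 unreachable from the internet with the host firewall, and then repeat the scanner's non-recursive probe against your own server to confirm it no longer answers. It assumes Windows Server 2016 or later (the DNS policy cmdlets), and the subnets 10.0.0.0/8 and 192.168.0.0/16, the server name dns.example.com, and the built-in firewall rule name pattern are placeholders to replace with your own values.

```powershell
# Added example, not the original poster's configuration or Trustwave's text.
# Assumes Windows Server 2016+ DNS. Subnets, host names and rule names are placeholders.

# 1. Record the current state before changing anything.
Get-DnsServerRecursion          # Enable = True means recursion is on for every client
Get-DnsServerRecursionScope     # the default scope is named "."

# 2. Define which clients count as internal (placeholder ranges).
Add-DnsServerClientSubnet -Name "InternalClients" `
    -IPv4Subnet "10.0.0.0/8","192.168.0.0/16"

# 3. Turn recursion off in the default scope and on only for internal clients.
#    Anyone outside the listed subnets falls through to the default scope and
#    gets no recursive resolution of third-party names.
Set-DnsServerRecursionScope -Name . -EnableRecursion $false
Add-DnsServerRecursionScope -Name "InternalRecursion" -EnableRecursion $true
Add-DnsServerQueryResolutionPolicy -Name "RecursionInternalOnly" -Action ALLOW `
    -ApplyOnRecursion -RecursionScope "InternalRecursion" `
    -ClientSubnet "EQ,InternalClients"

# 4. The policy governs recursion, not who may talk to port 53 at all. The finding
#    is about cached answers to NON-recursive queries, so the dependable fix for an
#    AD DNS server that serves only internal clients is to stop external hosts from
#    reaching it: allow DNS inbound only from internal ranges and disable the
#    unscoped built-in DNS rules (their display names vary by Windows version;
#    check with Get-NetFirewallRule before relying on the wildcard below).
foreach ($proto in "UDP","TCP") {
    New-NetFirewallRule -DisplayName "DNS $proto - internal clients only" `
        -Direction Inbound -Protocol $proto -LocalPort 53 `
        -RemoteAddress "10.0.0.0/8","192.168.0.0/16" -Action Allow
}
Get-NetFirewallRule -Direction Inbound |
    Where-Object { $_.DisplayName -like "DNS (*" } |
    Disable-NetFirewallRule

# 5. Verify from a host OUTSIDE the internal ranges. This is the same kind of probe
#    the scanner sends: a non-recursive query for a third-party name. A hardened
#    server returns no answer (timeout or REFUSED) instead of a cached record.
Resolve-DnsName -Name www.example.com -Server dns.example.com `
    -NoRecursion -DnsOnly -ErrorAction SilentlyContinue
```

If the same domain controller is also supposed to answer public queries for a zone you host, step 4 will break that; in that case follow the split DNS advice in the report and move the public zone to a separate authoritative server (with recursion disabled there) so the AD DNS server never needs to be reachable from the internet.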
This article was amazing, talking about ways of improving ad quality. He also mentioned and answered the question about newly registered domains and described its benefits as well. One should definitely watch his videos.