When I allow Remote Requests on DNS I fail a PCI scan for the following:
DNS Cache Probing
It was possible to receive answers from this DNS server for non-recursive queries for third-party domains. For an attacker, if a DNS answer to the non-recursive query is received, this indicates that a domain has recently been resolved by the DNS server (and, theoretically, other hosts that use the server). No response indicates that the queried domain was not recently resolved. This can allow an attacker to discover domains queried by other hosts using this server, which might give an indication of web-browsing habits or domains accessed for business purposes.
If I turn it off my internal users cannot get DNS resolution. How can I make this work so I don't have to give everyone in my network a static IP address and static DNS from the ISP?
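One way to keep internal resolution working while closing this finding, as an added example that is not part of the original post: the wording "Allow Remote Requests" matches the MikroTik RouterOS DNS setting, so this assumes a RouterOS router whose WAN interface is named ether1 and whose LAN subnet is 192.168.88.0/24; both are placeholders for the reader's own values. The resolver stays enabled for LAN clients, but DNS packets that arrive at the router itself from the WAN side are dropped in the input chain, so an external scanner never receives an answer to its non-recursive probe.

```routeros
# Assumed RouterOS configuration (example, not from the original post).
# ether1 and 192.168.88.0/24 are placeholders for the WAN interface and LAN subnet.

# Keep the built-in resolver answering LAN clients.
/ip dns set allow-remote-requests=yes

# Drop DNS (UDP and TCP port 53) that reaches the router itself from the WAN interface.
# These rules must sit above any general "accept" rule in the input chain.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop comment="drop external DNS probes (UDP)"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop comment="drop external DNS probes (TCP)"

# Optional, stricter variant: only the LAN subnet may talk to the router's resolver,
# which also covers any other untrusted interface (guest VLAN, tunnels).
add chain=input protocol=udp dst-port=53 src-address=!192.168.88.0/24 action=drop comment="DNS only for LAN (UDP)"
add chain=input protocol=tcp dst-port=53 src-address=!192.168.88.0/24 action=drop comment="DNS only for LAN (TCP)"
```

Rule order matters in the input chain: check the position with `/ip firewall filter print` and move the drop rules above any broad accept rule. If IPv6 is enabled, the same drop rules are needed under `/ipv6 firewall filter`. After the change, the scanner's own check (a non-recursive query for a third-party name sent from outside) should time out rather than return an answer, while LAN clients that point at the router for DNS keep resolving normally.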