MDI NNR on DCs That are Name Servers


We find that our DCs with MDI installed that act as DNS servers attempt to perform NNR on all the root name servers they contact for name resolution. There really needs to be a mechanism in MDI to restrict NNR to a set of CIDRs. As most people use the RFC 1918 networks for internal hosts, it would be good to have it auto-populated with those, and then users can enter public IP ranges that they need for their edge servers. Make it a configurable item in the Defender for Identity settings on the portal.

 

 
