Disable Recursion on the DNS Server
Applies To: Windows Server 2008
By default, the DNS server performs recursive queries on behalf of its DNS clients and DNS servers that have forwarded DNS client queries to it. Recursion is a name-resolution technique in which a DNS server queries other DNS servers on behalf of the requesting client to fully resolve the name and then sends an answer back to the client.
Attackers can abuse recursion to mount a denial-of-service attack against the DNS Server service. Therefore, if a DNS server in your network is not intended to answer recursive queries, disable recursion on that server.
Membership in the Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
Disabling recursion on the DNS server
Using the Windows interface
Using a command line
To disable recursion on the DNS server using the Windows interface
Open DNS Manager.
In the console tree, right-click the applicable DNS server, then click Properties.
Where? DNS/applicable DNS server
Click the Advanced tab.
In Server options, select the Disable recursion check box, and then click OK.
Additional considerations
To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.
If you disable recursion on the DNS server, you will not be able to use forwarders on the same server.
To disable recursion on the DNS server using a command line
Open a command prompt.
Type the following command, and then press ENTER:
dnscmd <ServerName> /Config /NoRecursion {1|0}
Parameter | Description
---|---
dnscmd | Specifies the name of the command-line tool for managing DNS servers.
<ServerName> | Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/Config | Required. Specifies that the command configures the specified server.
/NoRecursion | Required. Names the recursion setting to configure; the value that follows turns recursion off (1) or on (0).
{1\|0} | Required. To disable recursion, type 1 (off). To enable recursion, type 0 (on). By default, recursion is enabled.
To view the complete syntax for this command, at a command prompt, type the following command, and then press ENTER:
dnscmd /Config /help
Additional considerations
To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
If you disable recursion on the DNS server, you will not be able to use forwarders on the same server.
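After running the dnscmd command, a quick way to confirm the change from another host is to send the server one query with the RD (recursion desired) bit set and inspect the RA (recursion available) bit in its reply: a server with recursion disabled answers with RA clear, and for names it is not authoritative for it returns a non-zero RCODE instead of an answer. The following script is an added example, not part of the original page or of the dnscmd tool; it assumes the server's IP address is passed on the command line and uses example.com as a name the server is not authoritative for.

```python
import socket
import struct
import sys

QUERY_ID = 0x1234  # constructed transaction ID, echoed back by the server


def build_query(qname, qid=QUERY_ID):
    """Build a minimal DNS A/IN query with only the RD flag (0x0100) set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def parse_flags(response):
    """Return (id, recursion_available, rcode) from a DNS response header.

    RA is bit 7 of the 16-bit flags word; RCODE is the low 4 bits.
    """
    qid, flags = struct.unpack("!HH", response[:4])
    return qid, bool(flags & 0x0080), flags & 0x000F


def recursion_advertised(server, qname="example.com", timeout=3.0):
    """Send one recursive query to `server` and report (RA flag, RCODE)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname), (server, 53))
        data, _ = sock.recvfrom(512)
    qid, ra, rcode = parse_flags(data)
    if qid != QUERY_ID:
        raise ValueError("response transaction ID does not match the query")
    return ra, rcode


if __name__ == "__main__":
    ra, rcode = recursion_advertised(sys.argv[1])
    verdict = "still advertises recursion" if ra else "recursion disabled"
    print(f"RA={'set' if ra else 'clear'} RCODE={rcode}: {verdict}")
```

Run it once before and once after the dnscmd change; RA should move from set to clear, and the RCODE for example.com should become non-zero (the server no longer resolves it on the client's behalf).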