By default, the DNS server performs recursive queries on behalf of its DNS clients and DNS servers that have forwarded DNS client queries to it. Recursion is a name-resolution technique in which a DNS server queries other DNS servers on behalf of the requesting client to fully resolve the name and then sends an answer back to the client.

Attackers can abuse open recursion to mount denial-of-service attacks against the DNS Server service (and to use the server against third parties). Therefore, if a DNS server in your network is not intended to answer recursive queries, recursion should be disabled on that server.

Membership in the Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

Disabling recursion on the DNS server

To disable recursion on the DNS server using the Windows interface
  1. Open DNS Manager.

  2. In the console tree, right-click the applicable DNS server, then click Properties.

    Where?

    DNS/applicable DNS server

  3. Click the Advanced tab.

  4. In Server options, select the Disable recursion check box, and then click OK.

Additional considerations

  • To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.

  • If you disable recursion on the DNS server, you will not be able to use forwarders on the same server.

To disable recursion on the DNS server using a command line
  1. Open a command prompt.

  2. Type the following command, and then press ENTER:

    dnscmd <ServerName> /Config /NoRecursion {1|0}

Parameters

  dnscmd
    Specifies the name of the command-line tool for managing DNS servers.

  <ServerName>
    Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

  /Config
    Required. Specifies that the command configures the specified server.

  /NoRecursion
    Required. Disables recursion.

  {1|0}
    Required. To disable recursion, type 1 (off). To enable recursion, type 0 (on). By default, recursion is enabled.

To view the complete syntax for this command, at a command prompt, type the following command, and then press ENTER:

dnscmd /Config /help 
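The following PowerShell script is an added example, not part of the original page, that wraps the dnscmd procedure above with the check a practitioner wants before making the change: it lists any forwarders (which stop working once recursion is off), records the current state for rollback, runs the documented dnscmd command against the local server, and verifies the result. It assumes an elevated PowerShell session on the DNS server itself and the DnsServer module (Windows Server 2012 or later) for the Get-DnsServerForwarder and Get-DnsServerRecursion calls; the dnscmd command itself is the one documented on this page.

```powershell
# Added example (not from the original page): disable recursion on the local
# Windows DNS server with dnscmd, warn about forwarders first, and verify.
# Assumptions: elevated PowerShell session on the DNS server; DnsServer module
# available (Windows Server 2012 or later).

Import-Module DnsServer -ErrorAction Stop

# 1. Forwarders depend on recursion; list them so the change is made knowingly.
$forwarders = (Get-DnsServerForwarder).IPAddress
if ($forwarders) {
    Write-Warning ("Forwarders configured ({0}); they will not be used once recursion is disabled." -f ($forwarders -join ', '))
}

# 2. Record the current state so the change can be rolled back.
$before = (Get-DnsServerRecursion).Enable
Write-Host "Recursion enabled before change: $before"

# 3. Disable recursion with the documented dnscmd command ("." = local server, 1 = off).
dnscmd . /Config /NoRecursion 1
if ($LASTEXITCODE -ne 0) {
    throw "dnscmd failed with exit code $LASTEXITCODE"
}

# 4. Verify the setting actually changed rather than trusting the command output.
$after = (Get-DnsServerRecursion).Enable
if ($after) {
    throw "Recursion is still enabled on this server"
}
Write-Host "Recursion disabled. To revert: dnscmd . /Config /NoRecursion 0"
```

Run the script once per server that should answer only for its authoritative zones; if the forwarder warning appears, decide first whether that server should instead keep recursion and restrict which clients may use it.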

Additional considerations

  • To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  • If you disable recursion on the DNS server, you will not be able to use forwarders on the same server.

Additional references