Disable Recursion on the DNS Server

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

The following procedures provide instructions that you can use to disable recursion on a DNS server.

Recursion is a name-resolution technique in which a DNS server queries other DNS servers on behalf of the requesting client to fully resolve the name and then sends an answer back to the client. By default, the DNS server performs queries on behalf of DNS clients and DNS servers that have forwarded DNS client queries to it.

DNS servers that allow recursion are more vulnerable to denial of service attacks. If a DNS server is not intended to perform recursive queries, you can enhance security by disabling recursion on that server. You should only disable recursion on a DNS server if it is not used for name resolution, or it is only required to provide authoritative DNS responses. When you disable recursion on the DNS server, you cannot use server-level forwarders on the same server.

Warning

Do not disable recursion on a DNS server if it is used by other DNS servers for server-level forwarding, or if DNS client computers use it for name resolution.

Membership in the Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

Disabling recursion on the DNS server

  • Using the Windows interface

  • Using a command line

To disable recursion on the DNS server using the Windows interface

  1. Click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

  2. In the console tree, click the name of the DNS server you wish to configure.

  3. On the Action menu, click Properties.

  4. On the Advanced tab, under Server options, select the Disable recursion (also disables forwarders) check box, and then click OK.

To disable recursion on the DNS server using a command line

  1. Open an elevated command prompt.

  2. Type the following command, and then press ENTER:

    dnscmd <ServerName> /Config /NoRecursion {1|0}
    
Parameters

dnscmd
    Specifies the name of the command-line tool for managing DNS servers.

<ServerName>
    Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.) or omit the host name.

/Config
    Required. Specifies that the command configures the specified server.

/NoRecursion
    Required. Disables recursion.

{1|0}
    Required. To disable recursion, type 1 (off). To enable recursion, type 0 (on). By default, recursion is enabled.

Tip

To view the complete syntax for the dnscmd /Config command, type the following at a command prompt, and then press ENTER: dnscmd /Config /help.
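The following PowerShell script wraps the dnscmd command above so that the change is checked before and after it is made. It is an added example, not part of this article: it assumes the MicrosoftDNS_Server WMI class (namespace root\MicrosoftDNS) exposes the NoRecursion and Forwarders properties and that dnscmd.exe is on the PATH.

```powershell
# Added example (not from the original article): report the recursion state of a
# Windows Server 2008 R2 DNS server and, with -Apply, disable it via dnscmd.
# Assumption: MicrosoftDNS_Server (root\MicrosoftDNS) exposes NoRecursion and Forwarders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Server = ".",   # "." means the local DNS server, as in the dnscmd syntax
    [switch]$Apply           # without -Apply the script only reports
)

function Get-DnsRecursionState {
    param([string]$ComputerName)
    # WMI does not accept the dnscmd "." shorthand, so map it to the local host name.
    $target = if ($ComputerName -eq ".") { $env:COMPUTERNAME } else { $ComputerName }
    $srv = Get-WmiObject -Namespace "root\MicrosoftDNS" -Class MicrosoftDNS_Server -ComputerName $target
    # Forwarders is $null when none are configured; normalise to an empty array.
    $fwd = if ($srv.Forwarders) { @($srv.Forwarders) } else { @() }
    New-Object PSObject -Property @{
        Server      = $target
        NoRecursion = [bool]$srv.NoRecursion
        Forwarders  = $fwd
    }
}

$before = Get-DnsRecursionState -ComputerName $Server
$state  = if ($before.NoRecursion) { "disabled" } else { "enabled" }
$fwdTxt = if ($before.Forwarders.Count -gt 0) { $before.Forwarders -join ", " } else { "none" }
Write-Host ("Server {0}: recursion {1}; forwarders: {2}" -f $before.Server, $state, $fwdTxt)

if (-not $Apply) { return }

# Disabling recursion also disables server-level forwarders, so stop here rather than
# silently break forwarding; the operator must remove the forwarders (or keep recursion).
if ($before.Forwarders.Count -gt 0) {
    throw "Forwarders are configured on $($before.Server); not disabling recursion."
}

if ($PSCmdlet.ShouldProcess($before.Server, "dnscmd /Config /NoRecursion 1")) {
    & dnscmd $Server /Config /NoRecursion 1 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dnscmd failed with exit code $LASTEXITCODE" }

    # Re-read the setting so the result is confirmed from the server, not assumed.
    $after = Get-DnsRecursionState -ComputerName $Server
    if (-not $after.NoRecursion) { throw "Recursion is still enabled on $($after.Server)" }
    Write-Host "Recursion disabled on $($after.Server)"
}
```

Run it without -Apply from an elevated prompt to audit a server, and with -Apply -WhatIf to see which dnscmd command would be issued before committing the change.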

See Also

Concepts

Checklist: Implementing a Secure DNS Configuration