I have two Domain Controllers, both are DNS servers, and I have set forwarders on both (as per the print-screen below),
but I have not disabled recursion on either server (please see the print-screen below).
There is one recommendation to disable DNS recursion. I think if I disable DNS recursion it will affect performance, but I also want to have the best security in place. Please let me know what I should do: should I disable DNS recursion?
Depends on the needs of your business. If you have clients connecting to this DNS server and asking it for names that are not on your network, such as google.com, facebook.com, yahoo.com, whitehouse.gov, etc., then, since your DNS server is not authoritative for those domains, you must use recursion, or else name resolution will fail for external domain names not hosted on your DNS server. Most workplaces do allow internet access; however, if you are in a very tightly controlled network (in which case, if you need extraordinary security, you shouldn't be connected to the internet anyway), disabling recursion will prevent name resolution of names that your DNS server is not authoritative for. Also worth noting that if you disable recursion, there's no point in adding forwarders, as they will not be used. (Root hints also will not be used if recursion is disabled.)
In most cases:
Bad:
Fine:
To make sure a recursive name server is not available publicly, I would suggest making the DNS server/service listen only on private addresses and blocking traffic sent to the DNS port (53) from any public interface. Doing both makes sure a single accidental configuration change won't make it publicly accessible.
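A way to audit what the answer above describes on each DC, as an added example that is not part of the original answer. It assumes the DnsServer RSAT module, rights on the target servers, and IPv4 addressing; the server names and the 10.0.0.10 address are placeholders.

```powershell
# Added example (not from the original answers): report recursion state, forwarders and
# listening addresses of Windows DNS servers, and flag a recursive resolver that may be
# reachable from outside the private network. Server names below are placeholders.
$Servers = @('DC1', 'DC2')

# RFC 1918 ranges plus loopback. IPv4 only (assumption for this example).
function Test-PrivateAddress {
    param([string]$Ip)
    return ($Ip -match '^10\.' -or
            $Ip -match '^192\.168\.' -or
            $Ip -match '^172\.(1[6-9]|2[0-9]|3[01])\.' -or
            $Ip -match '^127\.')
}

function Get-DnsRecursionAudit {
    param([string]$Server)
    $rec = Get-DnsServerRecursion -ComputerName $Server
    $fwd = Get-DnsServerForwarder -ComputerName $Server
    $set = Get-DnsServerSetting   -ComputerName $Server -All
    # An empty ListeningIPAddress list means "listen on all interfaces", the risky default.
    $listen = @($set.ListeningIPAddress | Where-Object { $_ })
    if ($listen.Count -eq 0) { $public = @('all interfaces') }
    else { $public = @($listen | Where-Object { -not (Test-PrivateAddress $_) }) }
    [pscustomobject]@{
        Server           = $Server
        RecursionEnabled = $rec.Enable
        Forwarders       = ($fwd.IPAddress -join ', ')
        UseRootHints     = $fwd.UseRootHint
        ListeningOn      = if ($listen.Count) { $listen -join ', ' } else { 'all interfaces' }
        PublicExposure   = ($public -join ', ')
        # True when recursion is on and the service listens on a non-private address
        OpenResolverRisk = [bool]($rec.Enable -and $public.Count -gt 0)
    }
}

$Servers | ForEach-Object { Get-DnsRecursionAudit -Server $_ } | Format-Table -AutoSize

# Remediation matching the answer: keep recursion for internal clients, pin the service
# to a private address, and block inbound port 53 on the Public firewall profile.
# Review and adapt before running; the address is a placeholder.
# $s = Get-DnsServerSetting -ComputerName 'DC1' -All
# $s.ListeningIPAddress = @('10.0.0.10')
# Set-DnsServerSetting -ComputerName 'DC1' -InputObject $s
# New-NetFirewallRule -DisplayName 'Block DNS on public profile' -Direction Inbound `
#     -Protocol UDP -LocalPort 53 -Profile Public -Action Block
```

Re-run the audit after changing settings to confirm that PublicExposure is empty on both DCs while RecursionEnabled stays true for the internal clients.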
Unless you NEED to use forwarders, you should not. It is best to let your DCs resolve internal and external names themselves. This will give you the best performance. The only reason(s) you would want to have forwarders are if you only have one DNS server, you have very strict security requirements, your DC does not have Internet connectivity, or your DNS servers are overworked. If you do not use forwarders, your DCs will use the root DNS server records to resolve (DC Internet connection required).
You should NOT set a forwarder on each of your DCs to point to the other. Your clients should list both DNS servers in their IP config. If they do, the client will find them. If they do not, you should fix the configuration so both DNS servers are listed in your client config (ipconfig /all).