Question
Friday, August 23, 2013 5:33 PM
Hi there,
My security department indicates that our Windows server should be "disable recursion". When I disabled the "disable recursion (also forwarders)", our DNS server can resolve the external domain name (Internet domain). Is there any solution for this?
Thanks,
stephen
All replies (6)
Tuesday, August 27, 2013 5:39 PM ✅ Answered
The issue is that your DNS server is publicly available. In that case, recursion should be disabled. This is why split-horizon DNS is used. The publicly accessible DNS server has recursion disabled and will only answer requests for its authoritative domain. Internally, a different DNS server is used which isn't externally accessible and has recursion enabled.
http://en.wikipedia.org/wiki/Split-horizon_DNS
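An added example, not part of the original thread: a small check to run from an outside network against your own public DNS address, to confirm that recursion is really off after the split. It sends a query with the RD (recursion desired) bit set for a name the server is not authoritative for and reads the RA (recursion available) bit in the reply. The function names, the test name `example.com` and the sample headers are assumptions made for this illustration.

```python
import socket
import struct

RD, RA = 0x0100, 0x0080  # DNS header flag bits: recursion desired / available

def build_query(name, txid=0x1234):
    """Build an A-record query with RD=1 (asks the server to recurse)."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(data, txid=0x1234):
    """Classify the reply to a recursive query for a non-authoritative name."""
    if len(data) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # ID must match and QR must be set
        return "malformed"
    rcode = flags & 0x000F
    if flags & RA and rcode == 0 and ancount > 0:
        return "open-recursion"       # resolved an outside name for us
    if flags & RA:
        return "recursion-offered"    # RA set, but no answer came back
    return "recursion-disabled"       # referral, REFUSED or SERVFAIL with RA=0

def check_server(server_ip, name="example.com", timeout=3.0):
    """Query server_ip over UDP port 53 and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-response"
    return classify_response(data)

# Constructed 12-byte reply headers (not captured traffic) for an offline run.
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)    # RA=1, NOERROR, 1 answer
SAMPLE_CLOSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)  # RA=0, REFUSED
```

The public-facing server should come back as `recursion-disabled`; the internal resolver is expected to return `open-recursion` when queried from inside and `no-response` from outside.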
Saturday, August 24, 2013 6:54 AM
What is the target goal?
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Check out new: PowerShell FCIV tool.
Monday, August 26, 2013 5:54 AM
Hi,
DNS recursion means DNS will not query any other DNS server apart from its own cache or information available within its local DNS server. If you disable recursion in DNS, then your local DNS server might not resolve queries sent to the external websites or the website it has no information in its server or cache.
http://technet.microsoft.com/en-us/library/cc775637%28v=ws.10%29.aspx
Regards,
Yan Li
Cataleya Li
TechNet Community Support
Monday, August 26, 2013 1:58 PM
What is the target goal?
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Check out new: PowerShell FCIV tool.
The problem is that there will be a risk reported by Shadowserver.org. This is why our security department wants to "disable recursion". My problem is that I cannot access external domains once I disable recursion. The UNIX side can only disable recursion. I am not sure whether there is a better solution for Windows DNS server?
Thanks,
stephen
Tuesday, August 27, 2013 5:17 AM
In the first thread you said that your DNS is still able to resolve external domain names and now you report that you cannot resolve them. We need more details about your goal.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Check out new: PowerShell FCIV tool.
Tuesday, August 27, 2013 3:59 PM
Yes, my DNS can still resolve external domains now. However, if I enable the "disable recursion (also disable forwarders)" option, then my DNS cannot resolve the external DNS.
stephen