How to Disable Recursion on a Windows DNS Server

Note: If your server has a legitimate need to perform recursion (for example, applications on the server or on your internal network rely on it to resolve external names), you can instead disable or scope the local Windows Firewall rules that allow incoming DNS requests, so that only trusted clients can reach port 53 and the server is no longer an open resolver to the Internet.

Windows 2003:  Uncheck or remove any rules for DNS or DNS.exe, and any exceptions for port 53.
Windows 2008 and higher:  Disable or scope both inbound rules, DNS (TCP, Incoming) and DNS (UDP, Incoming). Port 53 must be restricted on both protocols; a resolver that is reachable over either one is still an open resolver.
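The following is an added example (not part of the original article) of the scoping alternative described above, done with the NetSecurity cmdlets available on Windows Server 2012 and later. It assumes the DNS role installed its inbound rules under the "DNS Service" display group, which is the group name the role uses; the client address ranges are placeholders and must be replaced with your own.

```powershell
# Added example: restrict the built-in inbound DNS firewall rules to trusted client
# networks instead of disabling recursion. Requires the NetSecurity module
# (Windows Server 2012+). Run from an elevated PowerShell session on the DNS server.
#Requires -RunAsAdministrator

# Assumed internal client ranges; replace with the networks that should be able to query this server.
$trusted = @('10.0.0.0/8', '192.168.10.0/24')

# The DNS role installs two inbound rules, DNS (TCP, Incoming) and DNS (UDP, Incoming),
# in the 'DNS Service' display group (assumption: the group name has not been customized).
$dnsRules = Get-NetFirewallRule -DisplayGroup 'DNS Service' -Direction Inbound
if (-not $dnsRules) {
    throw "No inbound rules found in the 'DNS Service' group. Is the DNS Server role installed?"
}

foreach ($rule in $dnsRules) {
    # Limit the remote address scope so hosts outside $trusted cannot reach port 53 at all.
    $rule | Set-NetFirewallRule -RemoteAddress $trusted
    Write-Host ("Scoped '{0}' to {1}" -f $rule.DisplayName, ($trusted -join ', '))
}

# Verify the resulting scope on every inbound DNS rule. A value of 'Any' here means
# the rule is still open to the Internet.
foreach ($rule in Get-NetFirewallRule -DisplayGroup 'DNS Service' -Direction Inbound) {
    $scope = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    Write-Host ("{0}: RemoteAddress = {1}" -f $rule.DisplayName, ($scope -join ', '))
}
```

Scoping by remote address only helps if the trusted ranges are genuinely internal; if the server also has to answer authoritative queries from the Internet for zones it hosts, leave the rules open and disable recursion instead, as described below.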

 

To disable DNS Recursion in Windows DNS:

 

  1. Open DNS Manager (To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.)

  2. In the console tree, right-click the applicable DNS server, then click Properties.

  3. Click the Advanced tab.

  4. Under Server options, select the Disable recursion (also disables forwarders) check box.

  5. On the Root Hints tab, remove every root hint entry, and then click OK.

  6. Restart the DNS service (from the Services console, or with net stop dns followed by net start dns in an elevated command prompt). Afterwards the server answers only for zones it hosts; any client that was using it as a general-purpose resolver will stop resolving external names.
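The same six steps, as an added example that is not part of the original article, scripted with the DnsServer PowerShell module (Windows Server 2012 and later), followed by a check that the server really refuses recursive queries. The probe name www.example.com is only a constructed test name; use any name that is outside the zones this server hosts.

```powershell
# Added example: disable recursion, remove all root hints, restart DNS, and verify.
# Requires the DnsServer module (Windows Server 2012+). Run from an elevated
# PowerShell session on the DNS server itself; all cmdlets target the local server.
#Requires -RunAsAdministrator
Import-Module DnsServer

# Step 1-3 equivalent: show the current setting before changing anything.
Write-Host 'Recursion before:'
Get-DnsServerRecursion | Format-List Enable, SecureResponse

# Step 4: clear the recursion flag (the "Disable recursion (also disables forwarders)" check box).
Set-DnsServerRecursion -Enable $false

# Step 5: remove every root hint so the server has nothing to walk even if recursion
# is accidentally re-enabled later.
Get-DnsServerRootHint | Remove-DnsServerRootHint -Force

# Step 6: restart the service so the new configuration is active.
Restart-Service -Name DNS

Write-Host 'Recursion after:'
Get-DnsServerRecursion | Format-List Enable

# Verification: a query for a name this server is NOT authoritative for must fail.
# Resolve-DnsName throws when the server returns an error code instead of an answer;
# -DnsOnly prevents a fallback to LLMNR/NetBIOS that would mask the result.
$probe = 'www.example.com'          # constructed test name, not one of our zones
try {
    Resolve-DnsName -Name $probe -Server 127.0.0.1 -Type A -DnsOnly -ErrorAction Stop | Out-Null
    Write-Warning "Server still answered a recursive query for $probe; recursion is NOT disabled."
} catch {
    Write-Host "OK: query for $probe was rejected ($($_.Exception.Message))"
}
```

On Windows 2003 and 2008, where the DnsServer module is not available, the equivalent of step 4 is dnscmd /Config /NoRecursion 1 (dnscmd.exe is built in on 2008 and part of the Support Tools on 2003); root hints can be removed in DNS Manager as in step 5. Repeat the verification from a host outside your network as well, since a query from the server itself does not prove that Internet clients are refused.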


How to disable recursion: [image: Disable DNS Recursion]

How to delete root hints: [image: Delete Root Hints]


For further reading:

 
http://technet.microsoft.com/en-us/library/cc771738.aspx

 

Why DNS Recursion should be disabled for public access:

http://www.computerworld.com/s/article/9232892/Open_DNS_resolvers_increasingly_abused_to_amplify_DDoS_attacks_report_says

http://www.us-cert.gov/ncas/alerts/TA13-088A

http://openresolverproject.org/
