Enable DNS recursion for internal clients only

Q. How can I enable DNS recursion only for clients on my internal network?

A. DNS recursion is an important feature that enables a DNS server to resolve requests passed to it by clients; however, it can also be abused as a possible denial-of-service attack. A new feature in Windows Server 2016 is the ability to create a recursion scope that enables recursion only for certain clients, for example users on the internal network, while blocking recursion for external clients.

This is actually very simple to do with PowerShell:

Set-DnsServerRecursionScope -Name . -EnableRecursion $False
Add-DnsServerRecursionScope -Name "InternalSavillTechClients" -EnableRecursion $True
Add-DnsServerQueryResolutionPolicy -Name "RecursionControlPolicy" -Action ALLOW `
-ApplyOnRecursion -RecursionScope "InternalSavillTechClients" `
-ServerInterfaceIP "EQ,10.7.173.10"

This means that any request arriving on the 10.7.173.10 interface is treated as internal and its recursive request is honored. You could also use a policy based on the client subnet instead of the server's interface IP.
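
The client-subnet variant mentioned above, written out as an added example (not part of the original answer). The subnet name, the 10.7.173.0/24 range and the policy name are assumptions chosen for illustration; the script can be re-run safely and finishes by listing the resulting configuration.

```powershell
# Added example: recursion allowed by client subnet instead of server interface.
# Assumed values (not from the article): subnet name, CIDR range, policy name.
$ScopeName  = 'InternalSavillTechClients'   # recursion scope name used in the article
$SubnetName = 'InternalClientSubnet'        # hypothetical client subnet object name
$SubnetCidr = '10.7.173.0/24'               # constructed sample range for internal clients
$PolicyName = 'RecursionBySubnetPolicy'     # hypothetical policy name

# 1. The default scope (".") handles every query that no policy matches,
#    so recursion is switched off there first.
Set-DnsServerRecursionScope -Name . -EnableRecursion $False

# 2. Create the recursion-enabled scope only if it does not exist yet.
if (-not (Get-DnsServerRecursionScope | Where-Object Name -eq $ScopeName)) {
    Add-DnsServerRecursionScope -Name $ScopeName -EnableRecursion $True
}

# 3. Describe the internal network as a named client subnet.
if (-not (Get-DnsServerClientSubnet -Name $SubnetName -ErrorAction SilentlyContinue)) {
    Add-DnsServerClientSubnet -Name $SubnetName -IPv4Subnet $SubnetCidr
}

# 4. Send recursive queries from that subnet to the recursion-enabled scope.
#    The match is on the source address of the query, not on the interface
#    that received it.
if (-not (Get-DnsServerQueryResolutionPolicy | Where-Object Name -eq $PolicyName)) {
    Add-DnsServerQueryResolutionPolicy -Name $PolicyName -Action ALLOW `
        -ApplyOnRecursion -RecursionScope $ScopeName `
        -ClientSubnet "EQ,$SubnetName"
}

# 5. Review the result: "." should show EnableRecursion False, the internal
#    scope True, and the policy should be listed at server level.
Get-DnsServerRecursionScope | Format-Table Name, EnableRecursion
Get-DnsServerClientSubnet   | Format-Table -AutoSize
Get-DnsServerQueryResolutionPolicy | Format-List *

# Functional check, run from a client rather than on the server: a name the
# server is not authoritative for should resolve from inside $SubnetCidr and
# fail from any other source address.
#   Resolve-DnsName -Name <external-name> -Server 10.7.173.10 -DnsOnly
```

Use this in place of the interface-based policy rather than alongside it, so that only one rule decides which queries reach the recursion-enabled scope.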
