Enable DNS recursion for internal clients only

Enable DNS recursion for internal clients only

Q. How can I enable DNS recursion only for clients on my internal network?

A. DNS recursion is an important feature that enables DNS servers to find resolutions for requests passed to it by clients however it can also be abused as possible denial of service attack. A new feature in Windows Server 2016 is the ability to create a recursion scope to enable recursion only for certain clients, for example users on the internal network while blocking recursion from external clients.

This is actually very simple to do with PowerShell

Set-DnsServerRecursionScope -Name . -EnableRecursion $False
Add-DnsServerRecursionScope -Name "InternalSavillTechClients" -EnableRecursion $True
Add-DnsServerQueryResolutionPolicy -Name "RecursionControlPolicy" -Action ALLOW `
-ApplyOnRecursion -RecursionScope "InternalSavillTechClients" `
-ServerInterfaceIP "EQ,"

This means that any request coming to interface will be treated as internal and then the recursive request honored. You could also use a policy based on the client subnet instead of the servers interface IP.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.