Enable DNS recursion for internal clients only

Q. How can I enable DNS recursion only for clients on my internal network?

A. DNS recursion is an important feature that enables DNS servers to find resolutions for requests passed to it by clients however it can also be abused as possible denial of service attack. A new feature in Windows Server 2016 is the ability to create a recursion scope to enable recursion only for certain clients, for example users on the internal network while blocking recursion from external clients.

This is actually very simple to do with PowerShell

Set-DnsServerRecursionScope -Name . -EnableRecursion $FalseAdd-DnsServerRecursionScope -Name "InternalSavillTechClients" -EnableRecursion $TrueAdd-DnsServerQueryResolutionPolicy -Name "RecursionControlPolicy" -Action ALLOW `-ApplyOnRecursion -RecursionScope "InternalSavillTechClients" `-ServerInterfaceIP "EQ,10.7.173.10"

This means that any request coming to 10.7.173.10 interface will be treated as internal and then the recursive request honored. You could also use a policy based on the client subnet instead of the servers interface IP.