Enable DNS recursion for internal clients only

Configure DNS recursion for internal clients only

John Savill

April 17, 2017


Q. How can I enable DNS recursion only for clients on my internal network?

A. DNS recursion is the feature that lets a DNS server resolve, on a client's behalf, names for which it is not authoritative by querying other servers. A server that recurses for anyone who can reach it (an open resolver) can be abused, for example as a reflector in DNS amplification denial-of-service attacks. Windows Server 2016 adds recursion scopes, which let you enable recursion only for certain clients, for example users on the internal network, while refusing recursion for external clients.

This is very simple to do with PowerShell:

Set-DnsServerRecursionScope -Name . -EnableRecursion $False
Add-DnsServerRecursionScope -Name "InternalSavillTechClients" -EnableRecursion $True
Add-DnsServerQueryResolutionPolicy -Name "RecursionControlPolicy" -Action ALLOW `
    -ApplyOnRecursion -RecursionScope "InternalSavillTechClients" `
    -ServerInterfaceIP "EQ,10.7.173.10"

The first command turns recursion off in the default scope (named "."), so any query that no policy claims is answered without recursion. The policy then sends every query arriving on the 10.7.173.10 interface to the InternalSavillTechClients scope, where recursion is enabled, so those clients' recursive queries are honored. You could instead match on the client's source subnet rather than the server's interface IP (a -ClientSubnet condition referencing a subnet created with Add-DnsServerClientSubnet); that is the better choice when internal and external clients can reach the same interface.
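The client-subnet variant, written out as an added example (this is not code from the original article). The subnet name, scope name, policy name, address ranges and forwarder address are assumptions chosen for illustration; substitute your own. It also shows the verification step a practitioner would run afterwards.

```powershell
# Added example, not from the original article: allow recursion only for
# queries whose source address is in a named internal client subnet.
# Subnet/scope/policy names, address ranges and the forwarder are assumptions.

# 1. Disable recursion in the default scope "." so every query that no policy
#    routes elsewhere is answered non-recursively (authoritative data only).
Set-DnsServerRecursionScope -Name . -EnableRecursion $False

# 2. Define the internal client subnets (assumed RFC 1918 ranges).
Add-DnsServerClientSubnet -Name "InternalClients" `
    -IPv4Subnet "10.0.0.0/8","192.168.0.0/16"

# 3. Create a recursion scope with recursion enabled. Giving the scope its own
#    forwarder (assumed address) keeps internal recursion off the root hints.
Add-DnsServerRecursionScope -Name "InternalRecursion" `
    -EnableRecursion $True -Forwarder "10.0.0.53"

# 4. Route queries from the internal subnets into that scope. Matching is on the
#    client's source address, so it does not matter which interface the query
#    arrives on; everything else falls through to "." with recursion off.
Add-DnsServerQueryResolutionPolicy -Name "InternalRecursionPolicy" -Action ALLOW `
    -ApplyOnRecursion -RecursionScope "InternalRecursion" `
    -ClientSubnet "EQ,InternalClients"

# 5. Verify the configuration.
Get-DnsServerClientSubnet -Name "InternalClients"
Get-DnsServerRecursionScope
Get-DnsServerQueryResolutionPolicy |
    Format-Table Name, ProcessingOrder, IsEnabled, Action, ApplyOnRecursion
```

To test the behaviour end to end, run Resolve-DnsName against the server for a name it is not authoritative for (for example Resolve-DnsName www.example.com -Server 10.7.173.10) once from a host inside the InternalClients subnet and once from outside it: only the internal query should be resolved. Note that -ClientSubnet matches on the source IP of the query packet, so clients reaching the server through NAT will be classified by the NAT address, not their own.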
