Open DNS Server Q

Posted on 2007-10-02
Last Modified: 2010-05-18
We have a number of W2003 servers and host our own DNS.  I went to and ran a report on it.  It indicated a FAIL message:

ERROR:  One or more of your name servers reports that it is an open DNS server.  Blah, blah, blah.

To correct this problem, it instructed me to go into the DNS server manager and check the advanced option "Disable Recursion", so I did.

The entire Exchange outbound queue stalled, saying it couldn't resolve DNS for any of the domains it was trying to send to.  I'm confused by this.  The Exchange server is also a secondary DNS server for the domain.  The AD master roles and primary DNS are held by a server inside the firewall.  The server's TCP/IP properties specify the master and another secondary (not itself) for its DNS servers.

Why would this Exchange server not be able to resolve DNS queries when recursion is disabled and why is this a good idea?

Question by: tomrwilson

    Expert Comment

    Is your DNS server configured with a forwarder?  If not, after you disabled recursion you would no longer be able to resolve any DNS records other than those hosted on your local server.  DNS requires either recursion or a forwarder to be able to resolve non-local queries - a forwarder is more efficient if you have one available, as the DNS server will simply send a query to the forwarder for anything that it can't resolve locally.
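    The "open DNS server" finding the report produced can be checked locally, and the behaviour the expert describes (recursion versus forwarding versus neither) shows up directly in the DNS response header. The following is an added example, not code from the thread or from any DNS report site: it builds a recursion-desired query for a name the server does not host (www.example.com is assumed as the probe name) and classifies the reply by the RA flag, RCODE and answer count, as defined in RFC 1035 section 4.1.1. The `make_response` helper builds constructed packets so the classifier can be exercised offline; `probe` sends the real query over UDP/53 to a server address you supply.

```python
"""Classify a DNS server's response to a recursive query for a foreign name.

Added example for the thread above: an 'open' server is one that offers
recursion (RA set) to whoever asks; a server with recursion disabled clears
RA and at most refers the client elsewhere.  Header layout per RFC 1035 4.1.1.
"""
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR = 0x8000          # message is a response
AA = 0x0400          # authoritative answer
RD = 0x0100          # recursion desired (set by the client)
RA = 0x0080          # recursion available (server offers recursion to this client)
RCODE_REFUSED = 5
HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name):
    """Encode 'www.example.com' as length-prefixed wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qid=0x1234):
    """Standard A query with RD set, as an ordinary stub resolver would send it."""
    return HEADER.pack(qid, RD, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def classify_response(data, qid=0x1234):
    """Return 'refused', 'open-recursive', 'authoritative-only' or
    'recursion-disabled' for a raw DNS response to build_query()."""
    if len(data) < HEADER.size:
        raise ValueError("truncated DNS header")
    rid, flags, qdcount, ancount, nscount, arcount = HEADER.unpack_from(data)
    if rid != qid or not flags & QR:
        raise ValueError("not a response to our query")
    if (flags & 0x000F) == RCODE_REFUSED:
        return "refused"               # server explicitly declined the lookup
    if flags & RA:
        return "open-recursive"        # server offers recursion to this client
    if ancount > 0 or flags & AA:
        return "authoritative-only"    # answered from its own zones, no recursion
    return "recursion-disabled"        # RA clear, no answer: referral or nothing


def make_response(flags, ancount=0, nscount=0, qid=0x1234, name="www.example.com"):
    """Constructed response (header + echoed question) for offline tests.
    This is sample data, not captured traffic."""
    return (HEADER.pack(qid, flags | QR, 1, ancount, nscount, 0)
            + encode_name(name) + struct.pack("!HH", 1, 1))


def probe(server, name="www.example.com", timeout=3.0):
    """Send the query to `server` over UDP/53 and classify the reply.
    `name` must lie outside the zones `server` hosts; an answer for a hosted
    name says nothing about recursion."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return classify_response(data)


if __name__ == "__main__":
    import sys
    # usage: python open_resolver_check.py <dns-server-ip>
    print(probe(sys.argv[1]))
```

    Run the probe from outside the firewall against the public address of each name server: "open-recursive" is the condition the report flagged, while "recursion-disabled" or "refused" is what you get once the Windows 2003 "Disable recursion" option is set, and it is also why a server in that state can no longer resolve Internet names for Exchange unless its forwarders are configured and reachable. A server that must recurse for internal clients should only be reachable for recursion from inside.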

    Author Comment

    Thanks for the reply.

    Yes, I'm using two forwarder addresses supplied by our ISP.  All that makes sense; I'm just curious why DNS reports would tell me to disable recursion in the first place.  Is it possible to employ recursion without the DNS server being considered "open"?

    Author Comment

    Oh crap, my forwarders are unreachable.  That explains it.  I'll be back.

    Accepted Solution

    > "why would DNS reports tell me to disable recursion in the first place"

    It's a best practice for smaller networks and/or corporate networks to streamline/minimize network traffic - your ISP's DNS servers are there for a reason.
