Nitin Pandey (Australia) asked:
Recommendations for disabling DNS Recursion

Hi Team,

This could be a very basic question to ask, but I wanted to be sure before making any changes.

A Security Audit recommends disabling DNS Recursion on both internal AD Integrated DNS Servers. I checked this option and found it stating "Disable recursion (also disables forwarders)".

My understanding of how domain joined workstations / servers get Internet DNS resolution is via Forwarders configured on the DNS Servers. So, if I disable DNS Recursion, how are domain joined machines going to get Public DNS resolution?
ASKER CERTIFIED SOLUTION by David Favor (United States of America)

This solution is only available to members of Experts Exchange.

I'm pretty much agreeing with David, unless they're referring to the server being an open resolver available from the internet, meaning anyone on the internet could use it as their DNS server, in which case you would want to block that.  It doesn't sound like that's what they're referring to though...
If the DNS server in question is publicly available, then that's the case and DNS Recursion should be disabled, but DNS forwarding will also be disabled on the DNS server.

There are two approaches for the solution.

1. A split-horizon DNS design is required. Then the publicly accessible DNS server has recursion disabled and will only answer requests for its authoritative domain. Internally, a different DNS server is used which isn't externally accessible and has recursion enabled.

2. If this is the only DNS server shared by both internal and external users, a DNS policy, specifically a DNS Recursion policy, should be applied on the DNS server. Of course, DNS forwarding will still be enabled on the server. See below the detailed instructions from an official blog article.

Configuring a Recursion Policy

In the DNS policy, we need to reference the Recursion Scope using the -ApplyOnRecursion and -RecursionScope parameters. Consider the following example:

Add-DnsServerQueryResolutionPolicy -Name "InternalClientRecursionPolicy" -Action ALLOW -ApplyOnRecursion -RecursionScope "InternalRecursion" -ServerInterfaceIP "eq,192.168.1.1"

https://blogs.technet.microsoft.com/tip_of_the_day/2017/03/24/tip-of-the-day-dns-recursion-policies/
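The second approach above (one server shared by internal and external clients) carried through end to end, as an added example that is not from this thread or the linked blog. It assumes an internal NIC at 192.168.1.1, an internal client subnet of 192.168.1.0/24, and forwarder addresses from the documentation range (192.0.2.x), all of which you would replace with your own values.

```powershell
# Added example (not from the thread or the linked blog): split-horizon recursion on a
# single Windows DNS Server using recursion scopes, so that external clients only get
# authoritative answers while internal clients keep recursion and forwarders.
# Assumed values: internal NIC 192.168.1.1, internal subnet 192.168.1.0/24,
# forwarders 192.0.2.53 and 192.0.2.54 (placeholders, replace with your own).

# 1. The default recursion scope "." applies to every query that no policy matches.
#    Turning recursion off here is what an open-resolver audit finding asks for.
Set-DnsServerRecursionScope -Name "." -EnableRecursion $false

# 2. A separate scope with recursion enabled, carrying the forwarders that
#    domain-joined clients rely on for public name resolution.
Add-DnsServerRecursionScope -Name "InternalRecursion" -EnableRecursion $true `
    -Forwarder 192.0.2.53,192.0.2.54

# 3. Describe internal clients by source subnet as a named client-subnet object.
Add-DnsServerClientSubnet -Name "InternalSubnet" -IPv4Subnet "192.168.1.0/24"

# 4. Policy: queries arriving on the internal interface from the internal subnet are
#    answered with the recursive scope; everything else falls back to scope ".".
Add-DnsServerQueryResolutionPolicy -Name "InternalClientRecursionPolicy" `
    -Action ALLOW -ApplyOnRecursion -RecursionScope "InternalRecursion" `
    -ServerInterfaceIP "EQ,192.168.1.1" -ClientSubnet "EQ,InternalSubnet"

# 5. Verify: the default scope has recursion off, the internal scope has it on
#    (with forwarders), and the policy is enabled.
Get-DnsServerRecursionScope | Format-Table Name, EnableRecursion, Forwarder
Get-DnsServerQueryResolutionPolicy | Format-Table Name, ProcessingOrder, IsEnabled

# 6. Check from a host on the internal subnet: a public name must still resolve.
#    The same query from outside the subnet should fail, since scope "." has
#    recursion disabled and the server is not authoritative for the name.
Resolve-DnsName -Name "www.example.com" -Server 192.168.1.1 -Type A
```

Test the external path from a host that is not in the internal subnet before closing the audit finding, because the policy is what keeps forwarding alive for internal clients while the default scope stays non-recursive.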
Nitin Pandey (ASKER):

Thanks guys. This was really helpful.

These are basic setup AD Integrated Internal DNS Servers, serving Internal DNS resolution via Zones and external DNS resolution via Forwarders.

I will pass on the feedback to override the Security Audit.