1

I have a Windows Server 2008 R2 server which is hosting a public website. I recently deactivated "DNS Recursion" for security options through the following method:

In the properties of my DNS server in the "Advanced" tab under server options I check the option: Disable recursion.

Now I have the problem that DNS names are not resolved locally. So I cannot open google.com or microsoft.com nor anything else.

Now I found out that I have to configure a split DNS configuration, such that I have:

  • One zone which only answers local DNS queries and allows recursion
  • One zone which only answers external DNS queries and does not allow recursion.

My current setup looks like this:

Microsoft Server 2008 R2: DNS Server structure

I have a server named WIN-FOOBAR and a domain named foo.bar.com, so there are two entries _msdcs.foo.bar.com and foo.bar.com.

Now I have two questions:

  1. If I disable recursion in the server options (e.g. in the parent node named WIN-FOOBAR), then how can I have two zones where one allows recursion and one that does not? The Forward Lookup Zones entry is a child node of WIN-FOOBAR. But I did not see an option to disable recursion for individual zones.

  2. How should I name the second zone, which is used internally? The current zone is foo.bar.com. Can I create a second zone and also name it foo.bar.com, or must it be named differently? If I name it for example foo.local, can it still resolve queries to foo.bar.com?

lanoxx

2 Answers

4

Recursion is a server setting, not a zone setting.

If the DNS server is only accessible to and only used by internal clients then you can leave recursion enabled.

If the DNS server is for your public domain name/zone and is not used by internal clients then you can disable recursion altogether and you don't need to do anything more than create a zone for your public domain name and make sure that you have the proper NS records registered at your Registrar.

If the DNS server is both used by internal clients and hosts your public DNS zone then you're doing it wrong and you should separate the two.

In addition, the presence of the _msdcs zone tells me this server is the DNS server for your AD domain, in which case I would strongly suggest that you not use this server to host your public DNS zone and that you don't make this server accessible to the outside.

joeqwerty
1

You cannot do this with Microsoft DNS Server.

You can do this in BIND using acls to specify who is allowed to do recursive queries.

BIND9 Config Snippet Example:

// Named.conf fragment: the acl names the client networks that may recurse,
// and the options block applies it. Statements are `name { list; };`, so the
// trailing semicolons are required.
acl "internal" {
    10.0.0.0/8;
    192.168.0.0/16;
    172.16.0.0/12;
};

options {
    allow-query { any; };            // anyone may query authoritative data
    allow-recursion { "internal"; }; // only internal clients may recurse
};
Vasili Syrakis
  • It's not true as of Windows Server 2016. https://blogs.technet.microsoft.com/teamdhcp/2015/09/09/selective-recursion-control-using-dns-server-policies/ – Michał Sacharewicz Aug 07 '19 at 13:19
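Both answers turn on whether the server actually refuses recursion for a given client, which is best confirmed from the client's side rather than by reading the server UI. The following Python script is an added example (not code from the question or either answer) that builds a plain DNS query with the RD bit set, as any stub resolver would, and classifies the reply by its RA flag and RCODE: a server that still recurses for outsiders answers a foreign name with RA set and NOERROR, while a server with recursion disabled (or a BIND server whose allow-recursion ACL excludes the client) clears RA and returns SERVFAIL or REFUSED. The sample responses, the query name and the `probe()` target are constructed for illustration; run `probe()` only against a server you administer.

```python
import socket
import struct

# Constructed sample: a name the audited server is NOT authoritative for.
QUERY_NAME = "example.com"


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal DNS query (RFC 1035 wire format) with RD=1, like a stub resolver."""
    flags = 0x0100  # QR=0 (query), opcode 0, RD=1 (recursion desired)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def parse_header(response: bytes) -> dict:
    """Extract the header fields a recursion audit needs from the first 12 bytes."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),  # 1 = response
        "rd": bool(flags & 0x0100),  # echoed from the query
        "ra": bool(flags & 0x0080),  # server offers recursion to this client
        "rcode": flags & 0x000F,     # 0 NOERROR, 2 SERVFAIL, 5 REFUSED
        "ancount": an,
    }


def classify(response: bytes) -> str:
    """Map a reply for a non-authoritative name to an audit verdict."""
    h = parse_header(response)
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] == 5:
        return "refused"                      # typical of a BIND allow-recursion deny
    if not h["ra"]:
        return "recursion-disabled"           # server does not recurse for this client
    if h["rcode"] == 0 and h["ancount"] > 0:
        return "open-recursive"               # it resolved a foreign name for us
    return "indeterminate"


def probe(server: str, name: str = QUERY_NAME, timeout: float = 3.0) -> str:
    """Send one UDP query to `server` (your own DNS host) and classify the answer."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch; discarding reply")
    return classify(data)


# Constructed sample replies (header only, which is all classify() inspects).
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)     # QR RD RA, NOERROR, 1 answer
SAMPLE_LOCKED = struct.pack("!HHHHHH", 0x1234, 0x8102, 1, 0, 0, 0)   # QR RD, no RA, SERVFAIL
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)  # QR RD, no RA, REFUSED

if __name__ == "__main__":
    for label, sample in (("open", SAMPLE_OPEN), ("locked", SAMPLE_LOCKED), ("refused", SAMPLE_REFUSED)):
        print(f"{label}: {classify(sample)}")
```

Run the live check from an address outside your internal ranges as well as from inside: the public-facing server should report `recursion-disabled` or `refused` from the outside, and only the internal resolver should ever report `open-recursive`.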