Do Not Use Recursion vs Disable Recursion

Friday, October 28, 2011

There are various situations where you would want to prevent your DNS server from performing a recursive query. Depending on what you are trying to accomplish, there are two settings that have caused confusion amongst DNS administrators. These two settings are "Do not use recursion for this domain" found in the Forwarders tab and "Disable Recursion" found in the Advanced tab. Let's take a look at these settings in more detail.

Do not use recursion for this domain (Windows 2000/2003)

Enabling this setting specifies that this DNS server will not attempt any further recursion if the forwarders fail to resolve the query. Normally, if the forwarders fail, your DNS server will then use the available root hints in an attempt to resolve the query before giving up. There may be instances where you do not want the DNS server to continue trying to resolve the query. An example might be if you are using conditional forwarding to resolve queries against a business partner's internal zone: if a query fails, you would not want DNS to continue the process of name resolution.

Use root hints if no forwarders are available (Windows 2008 and later)

Microsoft simplified the wording starting with the Windows 2008 console. If this checkbox is enabled, it is the opposite of enabling "Do not use recursion for this domain" in 2000/2003. If you do not want to use the root hints when the forwarders are not available, you have to uncheck this setting. Toggling this setting (including the 2000/2003 equivalent) will modify the following registry value:

Value Name: IsSlave
Value Path: HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
Value Type: REG_DWORD
Value Data: 0 | 1 (Default value: 0)

With a value of zero (0), if the forwarder servers do not respond, the DNS server issues standard iterative queries to try to resolve the remote name. With a value of one (1), if the forwarder servers do not respond, the DNS server terminates the search and sends a SERVER_FAILURE response to the query.

Disable recursion (also disables forwarders) Windows 200x

If this setting is enabled, the DNS server will attempt to resolve queries only from its own database. It will not query any additional servers if it is unable to resolve the query itself. A DNS administrator would normally enable this option when deploying an external-facing DNS server. Your external DNS servers should only be resolving queries for hostnames stored in your authoritative zones, unless you are an ISP and need to service end users for general name resolution.

If neither of these options is enabled, the server will attempt to resolve queries using this order:

  • Local zones
  • Forwarders
  • Root Hints
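The following PowerShell is an added example, not from the original post: it reads the two settings described above on the local DNS server (the "Disable recursion" state, the forwarder list, the "Use root hints if no forwarders are available" checkbox and the IsSlave registry value behind it) and reports the order the server will use for a name it is not authoritative for. It assumes the DnsServer module (Windows Server 2012 and later) and local administrator rights; the Test-NonAuthoritativeLookup function and the example.com name are illustrative.

```powershell
# Added example (not the original post's code). Assumes the DnsServer module and admin rights.
$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-DnsResolutionPath {
    # "Disable recursion" (Advanced tab): Enable is $false when that box is checked.
    $recursion  = Get-DnsServerRecursion
    # Forwarders tab: forwarder addresses and the
    # "Use root hints if no forwarders are available" checkbox (UseRootHint).
    $forwarders = Get-DnsServerForwarder

    # IsSlave is the registry value behind that checkbox (1 = stop after the forwarders
    # fail, 0 = fall back to root hints). The value is absent until first toggled,
    # which corresponds to the default of 0.
    $isSlave = (Get-ItemProperty -Path $DnsParams -Name IsSlave -ErrorAction SilentlyContinue).IsSlave
    if ($null -eq $isSlave) { $isSlave = 0 }

    # Consistency check: the checkbox and the registry value should agree
    # (UseRootHint = $true exactly when IsSlave = 0).
    if ($forwarders.UseRootHint -ne ($isSlave -eq 0)) {
        Write-Warning "UseRootHint=$($forwarders.UseRootHint) but IsSlave=$isSlave; re-check the console."
    }

    # Build the lookup order the post describes: local zones, forwarders, root hints.
    $order = @('Local zones')
    if ($recursion.Enable) {
        if ($forwarders.IPAddress) { $order += 'Forwarders (' + ($forwarders.IPAddress -join ', ') + ')' }
        if ($isSlave -eq 0)        { $order += 'Root hints' }
    }

    [pscustomobject]@{
        RecursionEnabled  = [bool]$recursion.Enable
        Forwarders        = @($forwarders.IPAddress)
        IsSlave           = $isSlave
        ResolutionOrder   = $order -join ' -> '
        # An external-facing server should answer only from its own zones.
        AuthoritativeOnly = -not $recursion.Enable
    }
}

# Behavioural check: ask the local server for a name outside its own zones. With recursion
# disabled, or with the forwarders failing and IsSlave=1, this returns an error instead of
# an answer (the post notes the latter case is reported as SERVER_FAILURE).
function Test-NonAuthoritativeLookup {
    param([string]$Name = 'example.com')   # placeholder; use a name you do not host
    try {
        $r = Resolve-DnsName -Name $Name -Server 127.0.0.1 -Type A -DnsOnly -ErrorAction Stop
        [pscustomobject]@{ Name = $Name; Resolved = $true;  Detail = ($r.IPAddress -join ', ') }
    } catch {
        [pscustomobject]@{ Name = $Name; Resolved = $false; Detail = $_.Exception.Message }
    }
}

Get-DnsResolutionPath
Test-NonAuthoritativeLookup
```

On an external-facing server you expect AuthoritativeOnly to be True and the lookup to fail; on an internal resolver you expect the order to end in root hints unless IsSlave is deliberately set to 1.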

If you need further information regarding this topic, refer to the following Microsoft resources:

Configure a DNS Server to Use Forwarders
Disable Recursion on the DNS Server
Toggling the "Use root hints if no forwarders are available" Checkbox Results in the Opposite Behavior in Windows Server 2008 DNS Manager Snap-in
