Recursive DNS queries make the Internet run.
They also provide a convenient means for attackers to spoof servers, mount distributed denial of service (DDoS) attacks, and poison your DNS cache. (See the US-CERT report on DNS recursion (PDF).) The general “best practice” recommendation has become to disable recursion on publicly-available DNS servers (i.e., the servers answer DNS queries only for the domains for which they are authoritative).
This causes problems when your Active Directory server is publicly available (SBS, some Exchange setups, etc.), because clients need to point to that server to use Active Directory services but need recursive lookups to use internet resources. Here is the solution that I used to resolve this difficulty.
On the Active Directory servers (you do have two, don’t you?), I disabled recursion (instructions from Microsoft). These servers are available from the internet as authoritative for my domains. (For the purposes of this example, let’s say these servers are authoritative for mydomain.com and reside at 192.168.1.2 and 192.168.1.3 on the local network.)
I set up another DNS server that is not reachable from the internet (we’ll call it 192.168.1.4 in this example). Recursion is enabled on this server. On the Forwarders tab, I set the forwarders for “All other DNS domains” to be my ISP’s DNS servers (220.127.116.11 and 18.104.22.168 in this example).
To allow the DNS server to do the proper lookups for Active Directory, I created a new DNS domain entry (a conditional forwarder) for mydomain.com on the same Forwarders tab, and set its forwarders to be my AD servers (from above, 192.168.1.2 and 192.168.1.3).
Now I point all the local Active Directory computers to this new DNS server, and they are able to get the proper Active Directory lookups and recursive internet lookups, without exposing my AD servers to recursive DNS attacks.
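The same split configuration, written as an added example rather than the post’s own steps: it assumes Windows Server 2012 or later with the DnsServer PowerShell module (the post used the GUI Forwarders tab), uses the post’s example addresses, and finishes with a check that the public AD servers really refuse recursive queries.

```powershell
# Added example, not from the original post. Assumes the DnsServer and
# DnsClient modules (Windows Server 2012+). Addresses are the post's examples.

# --- On each public, authoritative AD DNS server (192.168.1.2, 192.168.1.3) ---
# Stop answering recursive queries. The server still answers for the zones
# it hosts (mydomain.com) and returns REFUSED for anything else.
Set-DnsServerRecursion -Enable $false

# --- On the internal-only resolver (192.168.1.4) ---
# Recursion stays on here; this server is not reachable from the internet.
Set-DnsServerRecursion -Enable $true
# "All other DNS domains": forward to the ISP's resolvers.
Set-DnsServerForwarder -IPAddress 220.127.116.11, 18.104.22.168
# Conditional forwarder: queries for the AD domain go to the AD servers.
Add-DnsServerConditionalForwarderZone -Name 'mydomain.com' `
    -MasterServers 192.168.1.2, 192.168.1.3

# --- Verification from a domain-joined workstation ---
# 1. The public AD servers must refuse a recursive lookup for an outside name.
foreach ($adServer in '192.168.1.2', '192.168.1.3') {
    try {
        Resolve-DnsName -Name 'www.example.com' -Server $adServer -ErrorAction Stop | Out-Null
        Write-Warning "Recursion still answered on $adServer"
    } catch {
        Write-Output "OK: $adServer refused the recursive query"
    }
}
# 2. The internal resolver must answer both AD service records and outside names.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.mydomain.com' -Type SRV -Server 192.168.1.4
Resolve-DnsName -Name 'www.example.com' -Server 192.168.1.4
```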