Recursive DNS, Active Directory, and You

Recursive DNS queries make the Internet run.

They also provide a convenient means to spoof servers, implement distributed denial of service (DDoS) attacks, and poison your DNS cache. (See the US-CERT report on DNS recursion (PDF).)  The general “best practice” recommendation has become to disable recursion on publicly-available DNS servers (i.e., the servers answer DNS for only the domains for which they are authoritative).

This causes problems when your Active Directory server is publicly available (SBS, some Exchange setups, etc.), because clients need to point to that server to use Active Directory services but need recursive lookups to use internet resources.  Here is the solution that I used to resolve this difficulty.

On the Active Directory servers (you do have two, don’t you?), I disabled recursion (instructions from Microsoft).  These servers are available from the internet as authoritative for my domains.  (For the purposes of this example, let’s say these servers are authoritative for and reside at and on the local network.)

I set up another DNS server that is not reachable from the internet.  (We’ll call it in this example).  Recursion is enabled for this server.  On the Forwarders tab, I set the forwarders for “All other DNS domains” to be my ISP’s DNS servers ( and in this example):

To allow the DNS server to do the proper lookups for Active Directory, I created a new DNS domain for, and set its forwarders to be my AD servers (from above, and


Now I point all the local Active Directory computers to this new DNS server, and they are able to get the proper Active Directory lookups and recursive internet lookups, without exposing my AD servers to recursive DNS attacks.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s