I have two Domain Controllers, both are DNS servers, and I have set forwarders for both (as per the print-screen below):

[print-screen of the forwarders configuration omitted]

but I have not disabled recursion on either server (please see the print-screen below):

[print-screen of the recursion setting omitted]

There is a recommendation to disable DNS recursion. I think if I disable DNS recursion it will affect performance, but I also want to have the best security in place. Please let me know what I should do: should I disable DNS recursion?

Param
  • I would at the very least remove most of the forwarders you have in place right now. I normally use my ISPs DNS since they usually offer much faster name resolution than Google's public DNS (~200ms vs ~20ms). – Alex Aug 10 '15 at 15:47

3 Answers


Depends on the needs of your business. If you have clients connecting to this DNS server and asking it for names that are not on your network, such as google.com, facebook.com, yahoo.com, whitehouse.gov, etc., then since your DNS server is not authoritative for those domains you must use recursion, or else name resolution will fail for external domain names not hosted on your DNS server. Most workplaces do allow internet access; however, if you are in a very tightly-controlled network (in which case, if you need extraordinary security, you shouldn't be connected to the internet anyway), disabling recursion will prevent name resolution of names that your DNS server is not authoritative for. Also worth noting that if you disable recursion, then there's no point in adding forwarders, as they will not be used. (Root hints also will not be used if recursion is disabled.)

Ryan Ries

In most cases:

Bad:

  1. Recursive name server available publicly.

Fine:

  1. Name server for specific domains available publicly.
  2. Recursive name server available privately (local network).

To make sure a recursive name server is not available publicly, I would suggest making the DNS server/service only listen on private addresses, and that traffic sent to the DNS port (53) from any public interface is blocked. Doing both makes sure a single accidental configuration change won't make it publicly accessible.

Brian
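As an added example (not code from either answer above), the following PowerShell script implements the two controls Brian describes, restricting the listener to the private address and blocking port 53 on the public interface, and first reports the recursion, forwarder and root-hint state that Ryan's answer refers to. It assumes the DnsServer and NetSecurity modules that ship with Windows Server 2012 R2 and later, runs elevated on the DC, and `$PrivateListenAddress` and `$PublicInterfaceAlias` are assumed placeholder values to adapt to your environment.

```powershell
# Added example, not part of the original answers. Assumes the DnsServer and
# NetSecurity modules (Windows Server 2012 R2+) and an elevated session on the DC.
$PrivateListenAddress = '10.0.0.10'   # assumed: the DC's internal NIC address
$PublicInterfaceAlias = 'Ethernet 2'  # assumed: alias of the NIC facing the internet

# 1. Report the current state. If recursion is disabled, the forwarder list and
#    UseRootHint are irrelevant because neither is consulted (as Ryan notes).
$recursion  = Get-DnsServerRecursion
$forwarders = Get-DnsServerForwarder
$settings   = Get-DnsServerSetting -All

[pscustomobject]@{
    RecursionEnabled   = $recursion.Enable
    Forwarders         = ($forwarders.IPAddress -join ', ')
    UseRootHints       = $forwarders.UseRootHint
    ListeningAddresses = ($settings.ListeningIPAddress -join ', ')
} | Format-List

# 2. Keep recursion for internal clients, but bind the service to the private
#    address only, so it is no longer an open resolver on any public interface.
$settings.ListeningIPAddress = @($PrivateListenAddress)
Set-DnsServerSetting -InputObject $settings

# 3. Defence in depth: block inbound DNS on the public-facing interface.
#    Block rules win over allow rules in Windows Firewall, so this still holds
#    if someone later re-adds a public listening address in step 2.
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "DNS block on public interface ($proto)" `
        -Direction Inbound -Protocol $proto -LocalPort 53 `
        -InterfaceAlias $PublicInterfaceAlias -Action Block | Out-Null
}

# 4. Only if the business requires no recursion at all (tightly controlled
#    network): this switch also makes forwarders and root hints unused.
# Set-DnsServerRecursion -Enable $false

# Re-read the settings so the change is visible in the same session.
Get-DnsServerSetting -All | Select-Object -ExpandProperty ListeningIPAddress
```

Run the reporting part (step 1) on both DCs before changing anything; with the listener bound to the private address and the block rule in place, recursion stays on for internal clients while an external host gets no answer on port 53 at all.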

Unless you NEED to use forwarders, you should not. It is best to let your DCs resolve internal and external names. This will give you the best performance. The only reason(s) you would want to have forwarders are if you only have one DNS server, you have security requirements that are very strict, your DC does not have Internet connectivity, or your DNS servers are overworked. If you do not use forwarders, your DCs will use the root DNS server records to resolve (DC Internet connection required).

You should NOT set a forwarder for each of your DCs to point to each other. Your clients should list both DNS servers in their IP config. If they do, the client will find them. If they do not, you should fix the configuration so both DNS servers are listed in your client config (ipconfig /all).

Dan Stolts
  • I completely disagree with you when it comes to performance. Going through the Root DNS is slower because you'll be doing the equivalent of a trace. Getting the answer from a DNS server that is closer to you and that might already have the answer cached will be much faster. – Alex Aug 10 '15 at 15:50
  • One interesting side-effect of using a central forwarder strategy is it can wreak havoc on geo-location DNS lookups for global organizations. If a DC is allowed to egress to the Internet, this approach may have that advantage. We block Internet access for our DCs though, too dangerous. – Greg Askew Aug 10 '15 at 16:16