WS2016 - external DNS disable recursion (also disables forwarders)

  • Question

  • Hello!

    We have external and internal DNS servers (WS2016) configured in a split DNS manner. On our external DNS server recursion is enabled and also forwarders. Forwarders are configured to our internal DNS servers because of some applications. Can recursion somehow be disabled but forwarders be enabled? Can it be done using conditional forwarders or somehow different? Thanks!

    Monday, August 31, 2020 11:08 AM

Answers

  • You cannot disable recursion and still have forwarders.

    "Disabling the use of recursion on a DNS server is generally done when DNS clients are being limited to resolving names to a specific DNS server, such as one located on your intranet. Recursion might also be disabled when the DNS server is incapable of resolving external DNS names, and clients are expected to fail over to another DNS server for resolution of these names"

    ref: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc775637(v=ws.10)?redirectedfrom=MSDN

    If you have conditional forwarders, they should still work. But as I said earlier, you cannot create a conditional forwarder for a zone that the DNS server already owns.

    hth


    This posting is provided AS IS without warranty of any kind

    • Marked as answer by G14K Wednesday, September 23, 2020 9:50 AM
    Friday, September 4, 2020 8:35 AM

All replies

  • Is there a way to find out for which query forwarder is used? Maybe through logs, powershell...


    • Edited by G14K Tuesday, September 1, 2020 1:02 PM
    Tuesday, September 1, 2020 12:57 PM
  • Do you mean that the External DNS is having the same DNS Zone as the internal DNS ?

    like contoso.com on the external DNS and contoso.com on the internal DNS ?


    This posting is provided AS IS without warranty of any kind

    Tuesday, September 1, 2020 5:46 PM
  • Not all zones, but some of them yes.
    Tuesday, September 1, 2020 10:22 PM
  • If you disable recursion, it also disables forwarders.

    You cannot configure conditional forwarding for a DNS zone that you already own.

    This means that if ExternalDNS-01 has a primary zone named contoso.com and InternalDNS-01 also has a primary zone named contoso.com, you cannot create a conditional forwarder on ExternalDNS-01 to forward DNS queries for contoso.com to InternalDNS-01.

    What you could do is to create your record manually on your external DNS server for the internal applications and configure the forwarders of the external DNS server on your ISP (or google 8.8.8.8).

    Having a split-brain DNS is always difficult to manage.

    hth


    This posting is provided AS IS without warranty of any kind

    Wednesday, September 2, 2020 5:06 PM
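The following PowerShell audit is an added example, not code from the thread or from Microsoft: it checks the external servers for the exact combination the reply describes (recursion off while forwarders are still configured, which leaves them unused) and lists the zones hosted on both the external and the internal side, where a conditional forwarder cannot be created. Server names are placeholders; it assumes the DnsServer RSAT module and rights to query the servers remotely.

```powershell
# Added example, not from the thread or from Microsoft: audit external DNS servers
# for the recursion/forwarder combination discussed above, and list split-brain
# zones hosted on both sides (where a conditional forwarder cannot be created).
# Server names are placeholders; needs the DnsServer RSAT module and remote rights.
$externalServers = @('extdns-01.example.net', 'extdns-02.example.net')   # placeholders
$internalServer  = 'intdns-01.corp.example.net'                          # placeholder

# Zones the internal side hosts as primary (excluding auto-created and reverse zones).
$internalZones = Get-DnsServerZone -ComputerName $internalServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone } |
    Select-Object -ExpandProperty ZoneName

foreach ($srv in $externalServers) {
    $recursion = Get-DnsServerRecursion -ComputerName $srv
    $fwd       = Get-DnsServerForwarder -ComputerName $srv
    $zones     = Get-DnsServerZone      -ComputerName $srv
    $owned     = $zones | Where-Object { $_.ZoneType -in 'Primary','Secondary' -and -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone }
    $condFwd   = $zones | Where-Object { $_.ZoneType -eq 'Forwarder' }

    [pscustomobject]@{
        Server                = $srv
        RecursionEnabled      = $recursion.Enable
        Forwarders            = ($fwd.IPAddress -join ', ')
        ConditionalForwarders = ($condFwd.ZoneName -join ', ')
    } | Format-List

    # An Internet-facing server with recursion on resolves any name for anyone
    # (open resolver). This is the exposure the original poster wants to remove.
    if ($recursion.Enable) {
        Write-Warning "$srv : recursion is ENABLED on an external server (open resolver)."
    }
    # The point of the reply above: with recursion off, server-level forwarders
    # are still listed in the configuration but are never consulted.
    if (-not $recursion.Enable -and $fwd.IPAddress) {
        Write-Warning "$srv : recursion is disabled, so forwarders ($($fwd.IPAddress -join ', ')) are ignored."
    }
    # Zones hosted here AND on the internal server: conditional forwarding is not
    # possible for these, so records for internal applications must be kept by hand.
    $splitBrain = $owned.ZoneName | Where-Object { $internalZones -contains $_ }
    if ($splitBrain) {
        Write-Warning "$srv : split-brain zones (no conditional forwarder possible): $($splitBrain -join ', ')"
    }
}
```

Run it before and after changing `Set-DnsServerRecursion -Enable $false` so the second warning shows which forwarders stop being used.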
  • "What you could do is to create your record manually on your external DNS server for the internal applications and configure the forwarders of the external DNS server on your ISP (or google 8.8.8.8)."

    Doesn't this mean that the recursion would be still enabled? My goal is to disable recursion on external DNS servers but keep forwarders.

    Thanks!

    Friday, September 4, 2020 5:33 AM
  • Thank you for your help!

    We are migrating our VPN group configurations in a way that they will use internal DNS servers instead of our external DNS servers. After that we will disable recursion on our external DNS servers.

    Best regards!

    Wednesday, September 23, 2020 9:49 AM