How to Disable Recursion on a Windows DNS Server

By default, the DNS server performs recursive queries on behalf of its DNS clients and DNS servers that have forwarded DNS client queries to it. Recursion is a name-resolution technique in which a DNS server queries other DNS servers on behalf of the requesting client to fully resolve the name and then sends an answer back to the client.

Attackers can abuse a recursive DNS server to mount denial-of-service attacks: flooding it with recursive queries for names it has to go out and resolve exhausts its resources, and a recursive server reachable from the internet (an "open resolver") can be used as a reflector and amplifier against third parties. Therefore, if a DNS server in your network is not intended to answer recursive queries (for example, an authoritative-only server that hosts your public zones), recursion should be disabled on that server. Do not disable it on a server that your clients use as their resolver: those clients will then be unable to resolve any name outside the zones the server hosts.

Disabling recursion on the DNS server

  • Using the Windows interface
  • Using a command line

To disable recursion on the DNS server using the Windows interface

  1. Open DNS Manager.
  2. In the console tree, right-click the applicable DNS server, then click Properties.
  3. Click the Advanced tab.
  4. In Server options, select the Disable recursion (also disables forwarders) check box, and then click OK.

Additional considerations

  • To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.
  • If you disable recursion on the DNS server, you will not be able to use forwarders on the same server: forwarding a query to another server is itself a recursive operation, so the one setting turns off both.

To disable recursion on the DNS server using a command line

  1. Open a command prompt.
  2. Type the following command, and then press ENTER:

dnscmd <ServerName> /Config /NoRecursion {1|0}


Parameter       Description
---------       -----------
dnscmd          The command-line tool for managing DNS servers.
<ServerName>    Required. The DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/Config         Required. Specifies that the command configures the specified server.
/NoRecursion    Required. The server property to set; NoRecursion controls whether the server performs recursion.
{1|0}           Required. To disable recursion, type 1 (off). To enable recursion, type 0 (on). By default, recursion is enabled (0).

To view the complete syntax for this command, at a command prompt, type the following command, and then press ENTER:

dnscmd /Config /help

Additional considerations

  • To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
  • If you disable recursion on the DNS server, you will not be able to use forwarders on the same server.
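As an added example that is not part of the Microsoft Learn page, the same change made with the DnsServer PowerShell module (the supported replacement for dnscmd), wrapped in the checks a practitioner would want: what the server currently does, whether forwarders are about to be silently disabled, whether the server actually hosts any zones, and a client-side probe after the change. It assumes an elevated PowerShell session on the DNS server itself with the DNS Server role installed; the $server variable, the warning text and the probe name example.com are this example's own choices and can be replaced.

```powershell
# Added example, not the Microsoft Learn page's code. Assumes an elevated
# PowerShell session on a Windows Server that has the DNS Server role
# (so the DnsServer module is available).
#Requires -RunAsAdministrator
Import-Module DnsServer

# Assumption: operate on the local server. Put a remote host name or IP
# here to manage another server with RSAT installed.
$server = $env:COMPUTERNAME

# 1. Preflight: record the current state and find out what this change will break.
$before     = Get-DnsServerRecursion -ComputerName $server
$forwarders = (Get-DnsServerForwarder -ComputerName $server).IPAddress
$zones      = Get-DnsServerZone -ComputerName $server |
              Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' }

"Recursion currently enabled : $($before.Enable)"
"Forwarders configured       : $($forwarders -join ', ')"
"Authoritative primary zones : $($zones.ZoneName -join ', ')"

if ($forwarders) {
    # Same caveat as the DNS Manager check box: no recursion means no forwarding.
    Write-Warning "Forwarders are configured on $server; disabling recursion also stops forwarding."
}
if (-not $zones) {
    # A server with no zones and no recursion answers nothing useful.
    Write-Warning "$server hosts no primary zones; it will resolve nothing once recursion is off."
}

# 2. Apply: the PowerShell equivalent of 'dnscmd . /Config /NoRecursion 1'.
$after = Set-DnsServerRecursion -ComputerName $server -Enable $false -PassThru
if ($after.Enable) {
    throw "Recursion is still enabled on $server"
}
"Recursion now enabled       : $($after.Enable)"

# 3. Verify from the client side: a query for a name the server is not
#    authoritative for must no longer come back with an answer.
#    'example.com' is a placeholder; use any name outside your own zones.
$probe = Resolve-DnsName -Name 'example.com' -Server $server -DnsOnly -ErrorAction SilentlyContinue
if ($probe | Where-Object { $_.Type -in @('A', 'AAAA') }) {
    Write-Warning "$server still answered a recursive query; check DNS policies and recursion scopes."
} else {
    "OK: $server no longer resolves names it is not authoritative for."
}
```

Run the probe a second time from a host outside your network if the server is internet-facing; that is the vantage point an attacker looking for an open resolver has. If the same server must stay authoritative for public zones and still act as a resolver for internal clients, Windows Server 2016 and later let you keep recursion for selected client subnets through DNS policies and recursion scopes (Add-DnsServerRecursionScope and Add-DnsServerQueryResolutionPolicy) instead of the server-wide switch shown here, which corresponds to the default recursion scope.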

Ref: Disable Recursion on the DNS Server | Microsoft Learn