
    DNS Recursion – What It Is, Why It’s Dangerous, How to Check & Disable It

    DNS
    Published: Jan 28, 2026
    Updated: Jan 28, 2026

    A practical Infra Run Book guide explaining DNS recursion, why open recursive DNS servers are dangerous, how to check DNS recursion using nslookup, and how to disable or restrict it on Windows and Linux DNS servers.

    What is DNS Recursion?

    DNS recursion allows a DNS server to fully resolve a domain name on behalf of the client by querying:

    • Root DNS
    • TLD servers
    • Authoritative DNS

    This is useful, but it should be offered only to trusted internal clients.


    Why DNS Recursion Is Dangerous

    If enabled on a public DNS server, it can lead to:

    1️⃣ DNS Amplification DDoS

    Small queries with a spoofed source address → very large responses delivered to the spoofed (victim) address → massive traffic floods.

    2️⃣ High CPU & Memory Usage

    Attackers can exhaust server resources using recursive lookups.

    3️⃣ Information Leakage

    Cached internal queries and DNS structure may be exposed.

    4️⃣ IP Blacklisting

    Open recursive resolvers are routinely scanned and blacklisted.

    Any public DNS server with recursion enabled is a liability.


    🔍 How to Check If DNS Recursion Is Enabled (Using nslookup)


    ✅ Method: Using nslookup

    Run this from a system outside your network (important: internal clients may be allowed recursion, so an internal test proves nothing about external exposure):

    nslookup

    Set the DNS server you want to test:

    server <DNS_SERVER_IP>

    Now query a domain that this DNS server is not authoritative for:

    google.com

    📌 Result Interpretation

    • If you get an IP address → ❌ Recursion is ENABLED
    • If you get an error like the ones below → ✅ Recursion is DISABLED

    Expected safe response:

    *** server can't find google.com: REFUSED

    or

    Query refused

    🔎 Advanced Check (Explicitly Request Recursion)

    nslookup -type=A google.com <DNS_SERVER_IP>

    If it resolves → recursion is active

    If refused → recursion is disabled or restricted

    If the query times out instead, port 53 is most likely filtered by a firewall rather than recursion being disabled; confirm against the server-side settings in the next section.
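    The same check carried out at the protocol level, as an added example that is not from the original article: it sends one UDP query for google.com with the Recursion Desired bit set to the server under test and classifies the reply by its RCODE and Recursion Available flag, which is what nslookup's "address" versus "REFUSED" output reflects. It assumes the server does not host google.com; the 127.0.0.1 default and the 3-second timeout are placeholders.

```python
import socket
import struct
import sys

# Added example (not from the article): query a DNS server directly with the
# Recursion Desired (RD) bit set and read the header flags of its reply.

def build_query(name, txid=0x1234, qtype=1):
    """Minimal DNS query: RD=1, one question for <name>, type A (1), class IN (1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def classify_response(resp):
    """Map the reply header to ENABLED / DISABLED / UNKNOWN, mirroring the
    nslookup interpretation: an answer means recursion, REFUSED means none."""
    if len(resp) < 12:
        return "UNKNOWN"
    flags = struct.unpack("!HHHHHH", resp[:12])[1]
    rcode = flags & 0x000F          # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
    ra = bool(flags & 0x0080)       # Recursion Available flag
    if rcode == 5:
        return "DISABLED"           # what nslookup prints as "Query refused"
    if ra and rcode in (0, 3):
        return "ENABLED"            # server recursed for a name it does not host
    if not ra:
        return "DISABLED"           # server advertises no recursion (e.g. a referral)
    return "UNKNOWN"                # e.g. SERVFAIL with RA set: inspect manually

def check_recursion(server_ip, name="google.com", timeout=3.0):
    """Send the query over UDP/53 and classify the reply. NO_RESPONSE usually
    means port 53 is filtered, not that recursion is disabled."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "NO_RESPONSE"
    if resp[:2] != query[:2]:       # transaction ID mismatch: stray packet, ignore
        return "UNKNOWN"
    return classify_response(resp)

if __name__ == "__main__":
    # 127.0.0.1 is a placeholder default; pass the server to test as argv[1]
    print(check_recursion(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```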


    🛑 How to Disable DNS Recursion


    Windows Server (Microsoft DNS)

    🔹 Disable Recursion via GUI

    1. Open DNS Manager
    2. Right-click the DNS server → Properties
    3. Go to Advanced tab
    4. ❌ Uncheck Enable recursion
    5. Click OK

    ✅ Recursion is now disabled.


    🔹 Disable Recursion via PowerShell

    Set-DnsServerRecursion -Enable $false

    Verify:

    Get-DnsServerRecursion

    Expected output:

    Enable : False

    🔹 Restrict Recursion (Recommended for Internal DNS)

    Instead of disabling recursion entirely, restrict who can use it:

    1. DNS Manager → Server Properties
    2. Advanced tab → keep recursion enabled
    3. Interfaces tab → listen only on internal IP addresses
    4. Use Windows Firewall to allow DNS (port 53) only from LAN/VPN

    🐧 Linux DNS Servers

    🔹 BIND

    Disable recursion:

    options {
        recursion no;
    };

    Restrict recursion:

    options {
        recursion yes;
        allow-recursion { 127.0.0.1; 10.0.0.0/8; };
    };

    🔹 Unbound

    Disable recursion:

    server:
        do-recursion: no

    Restrict (the access-control lines belong inside the server block; the last line refuses everyone not matched above):

    server:
        access-control: 10.0.0.0/8 allow
        access-control: 0.0.0.0/0 refuse

    🔹 PowerDNS (Authoritative)

    recursor=no

    PowerDNS strongly recommends separate authoritative and recursive servers.


    ✅ Best Practices (Strongly Recommended)

    ✔ Never expose recursive DNS to the internet
    ✔ Separate authoritative and recursive DNS roles
    ✔ Restrict port 53 TCP/UDP using firewall rules
    ✔ Regularly test recursion using nslookup

    ✔ Monitor DNS query rate & unusual spikes


    Final Rule (Remember This)

    If your DNS server is public → recursion must be OFF.

    Frequently Asked Questions

    What is DNS recursion?

    DNS recursion is a process where a DNS server resolves a domain name completely on behalf of a client by querying root, TLD, and authoritative DNS servers.

    Why is DNS recursion dangerous on public DNS servers?

    Open recursive DNS servers can be abused for DNS amplification DDoS attacks, cause resource exhaustion, leak information, and lead to IP blacklisting.

    How can I check DNS recursion using nslookup?

    You can check DNS recursion by querying an external domain using nslookup against the DNS server. If it resolves, recursion is enabled; if refused, it is disabled.

    Should authoritative DNS servers allow recursion?

    No, authoritative DNS servers should never allow recursion, especially when they are publicly accessible.

    How do I disable DNS recursion on Windows Server?

    DNS recursion on Windows Server can be disabled using DNS Manager by unchecking Enable recursion or via PowerShell with Set-DnsServerRecursion.

    How do I disable DNS recursion on BIND?

    On BIND DNS servers, recursion can be disabled by setting recursion no inside the options block of the configuration.

    Can DNS recursion be enabled safely?

    DNS recursion can be enabled safely if it is strictly restricted to trusted internal networks such as LAN or VPN.

    What is a DNS amplification attack?

    A DNS amplification attack is a DDoS technique where attackers exploit open recursive DNS servers to generate large volumes of traffic toward a victim.

    Is DNS recursion required for internal networks?

    Internal networks commonly require DNS recursion to resolve external domains, but access should always be limited to trusted clients.

    How often should DNS recursion settings be reviewed?

    DNS recursion settings should be reviewed periodically and after any DNS, firewall, or infrastructure changes.
