Disallow Non-authoritative requests to DNS caches


I need to configure the following setting for my DNS server. This server is also my Domain Controller (Windows Server 2008 R2 Standard).

A) Non-authoritative requests to DNS caches should not be allowed, and DNS should be configured to prevent cache snooping by refusing to answer non-recursive queries as a server and never consulting the cache when responding to non-RD queries.

Do you know what settings need to be configured to achieve the above task?

Thanks & Regards,


Best Answer

You would need to disable recursion.

Microsoft DNS Server vulnerability to DNS Server Cache snooping attacks

"Disabling recursion globally is not a configuration change that should be taken lightly as it means that the DNS server cannot resolve any DNS names on zones that are not held locally. This requires some careful DNS planning. For example, clients cannot typically be pointed directly at such servers.

The decision to disable recursion (or not) must be made based on what role the DNS server is meant to perform within the deployment. If the server is meant to recurse names on behalf of its clients, recursion cannot be disabled. If the server is meant to return data only out of local zones and is never meant to recurse or forward on behalf of clients, then recursion may be disabled."
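As an added example (not part of the original answer or of Microsoft's documentation), this is how the change can be applied and checked on a Windows Server 2008 R2 DNS server with `dnscmd` and `nslookup`; `localhost`, `www.example.com` and `dc01.corp.example` are placeholders for your server and for a name outside and a name inside your local zones.

```powershell
# Run elevated on the DNS server. Placeholders: replace with your own server/zone names.
$DnsServer = 'localhost'
$OutsideName = 'www.example.com'    # a name NOT held in any local zone
$LocalName   = 'dc01.corp.example'  # a record from a zone this server hosts

# 1. Read the current setting (0 = recursion enabled, 1 = recursion disabled)
dnscmd $DnsServer /Info /NoRecursion

# 2. Disable recursion globally, which is the change the answer above recommends.
#    Only do this on a server that serves local zones and is not the resolver for clients.
dnscmd $DnsServer /Config /NoRecursion 1
# On Windows Server 2012 and later the same setting is exposed as a cmdlet:
#   Set-DnsServerRecursion -Enable $false

# 3. Verify from the resolver side: a query with the RD bit cleared (-norecurse) for a
#    name outside the local zones should now be refused rather than answered from cache,
#    which is the behaviour the cache-snooping requirement asks for.
nslookup -norecurse $OutsideName $DnsServer

# 4. Confirm the server still answers authoritatively for the zones it hosts.
nslookup -norecurse $LocalName $DnsServer
```

Step 3 returning a refusal and step 4 returning the record is the expected result; if step 4 also fails, the name is not in a locally hosted zone.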