Disable Recursion vs. Root Zone

Discussion in 'MCSA' started by RogueIT, May 18, 2009.

  1. RogueIT

    RogueIT Guest

    What is the difference between disabling recursion and creating a root zone
    on your internal dns servers?
    RogueIT, May 18, 2009

  2. "RogueIT" <> wrote in message
    > What is the difference between disabling recursion and creating a root
    > zone
    > on your internal dns servers?

    Well, the two are done for somewhat different purposes, so I'm not sure that
    "the difference between" is a relevant question.

    You disable recursion when you don't want to offload all of the work to an
    upstream DNS Server, or more likely, when you're in a situation where you
    cannot offload all of the work to an upstream DNS Server. With recursion
    disabled, the server assumes all of the responsibility for
    sending/processing all of the queries necessary to walk a domain tree and
    obtain the desired IP Address for the given hostname.

    You also might do this if you're interested in building/maintaining a master
    cache on a specific server. If the server uses recursion, then the only
    answer that gets cached is the final response coming back from the upstream
    server. If recursion is disabled, then the server caches every response to
    every intermediate query.

    The point here is that disabling recursion will likely require additional
    memory resources, as well as processor and network resources, to handle the
    extended workload. Generally you would only disable recursion to implement a
    specific design objective.

    A root server is created when you don't want the server to process queries
    for any hostnames outside of the zone(s) that the server is authoritative
    for. You might do this where you have DNS servers specified exclusively for
    use in resolving internal AD-based names, and another set of servers
    designed for resolving Internet-based names. You configure the AD/DNS
    servers to be root servers for your AD domain (e.g. mydomain.local). You
    might also do this where you want to introduce an additional level of
    security to restrict Internet access - if a machine cannot resolve an
    Internet name, it'll be harder (although not impossible) to get there.

    For a DNS Server that resolves Internet names, a root zone containing the
    well-known Internet root servers is automatically created on a Windows DNS
    Server. Without these identities, your DNS Server would not be able to
    process up the domain tree to find the answer to the query (e.g. What is the
    IP Address of www.microsoft.com?).

    Note that a server with recursion disabled, *must* have a properly
    initialized Internet Root Zone cache.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)

    MS WSUS Website: http://www.microsoft.com/wsus
    My Websites: http://www.onsitechsolutions.com;
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    Lawrence Garvin [MVP], May 18, 2009
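The two configurations discussed in the reply above, as an added audit script that is not part of the original thread: it reports whether recursion is enabled, whether a "." root zone exists and how many root hints are loaded on a Windows DNS server, and can optionally apply either setting. It assumes the DnsServer PowerShell module (Windows Server 2012 or later / RSAT); the parameter names $ComputerName, -DisableRecursion and -CreateRootZone are choices made for this example.

```powershell
# Added example (not from the original thread): audit recursion and root-zone
# state on a Windows DNS server, then optionally apply one of the two settings.
# Requires the DnsServer module; parameter names below are assumptions.
param(
    [string]$ComputerName = 'localhost',
    [switch]$DisableRecursion,   # apply: turn recursion off on this server
    [switch]$CreateRootZone      # apply: make this server a root server
)

Import-Module DnsServer

# --- Report current state --------------------------------------------------
$recursion = Get-DnsServerRecursion -ComputerName $ComputerName
$rootZone  = Get-DnsServerZone -ComputerName $ComputerName -ErrorAction SilentlyContinue |
             Where-Object { $_.ZoneName -eq '.' }
$rootHints = @(Get-DnsServerRootHint -ComputerName $ComputerName -ErrorAction SilentlyContinue)

[pscustomobject]@{
    Server           = $ComputerName
    RecursionEnabled = $recursion.Enable
    RootZonePresent  = [bool]$rootZone
    RootHintCount    = $rootHints.Count
} | Format-List

if ($rootZone) {
    Write-Warning "A '.' zone exists: this server acts as a root server and will not use Internet root hints."
}
if (-not $recursion.Enable -and $rootHints.Count -eq 0 -and -not $rootZone) {
    Write-Warning "Recursion is disabled and no root hints are loaded; external lookups will fail."
}

# --- Optional changes -------------------------------------------------------
if ($DisableRecursion) {
    Set-DnsServerRecursion -ComputerName $ComputerName -Enable $false
}
if ($CreateRootZone -and -not $rootZone) {
    # A file-backed primary zone named '.' makes the server a root server.
    Add-DnsServerPrimaryZone -ComputerName $ComputerName -Name '.' -ZoneFile 'root.dns'
}
```

Run it without switches first to see the current state; both switches change server configuration and need DNS administrator rights.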
