Disable Recursion vs. Root Zone

Discussion in 'MCSA' started by RogueIT, May 18, 2009.

  1. RogueIT

    RogueIT Guest

    What is the difference between disabling recursion and creating a root zone
    on your internal dns servers?
     
    RogueIT, May 18, 2009
    #1
    1. Advertisements


  2. Well, the two are done for somewhat different purposes, so I'm not sure that
    "the difference between" is a relevant question.

    You disable recursion when you don't want to offload all of the work to an
    upstream DNS Server, or more likely, when you're in a situation where you
    cannot offload all of the work to an upstream DNS Server. With recursion
    disabled, the server assumes all of the responsibility for
    sending/processing all of the queries necessary to walk a domain tree and
    obtain the desired IP Address for the given hostname.

    You also might do this if you're interested in building/maintaining a master
    cache on a specific server. If the server uses recursion, then the only
    answer that get's cached is the final response coming back from the upstream
    server. If recursion is disabled, then the server caches every response to
    every intermediate query.

    The point here is that disabling recursion will likely require additional
    memory resources, as well as processor and network resources, to handle the
    extended workload. Generally you would only disable recursion to implement a
    specific design objective.

    A root server is created when you don't want the server to process queries
    for any hostnames outside of the zone(s) that the server is authorizative
    for. You might do this where you have DNS servers specified exclusively for
    use in resolving internal AD-based names, and another set of servers
    designed for resolving Internet-based names. You configure the AD/DNS
    servers to be root servers for your AD domain (e.g. mydomain.local). You
    might also do this where you want to introduce an addtional level of
    security to restrict Internet access - if a machine cannot resolve an
    Internet name, it'll be harder (although not impossible) to get there.

    For a DNS Server that resolves Internet names, a root zone containing the
    well-known Internet root servers is automatically created on a Windows DNS
    Server. Without these identities, your DNS Server would not be able to
    process up the domain tree to find the answer to the query (e.g. What is the
    IP Address of www.microsoft.com?).

    Note that a server with recursion disabled, *must* have a properly
    initialized Internet Root Zone cache.

    --
    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)

    MS WSUS Website: http://www.microsoft.com/wsus
    My Websites: http://www.onsitechsolutions.com;
    http://wsusinfo.onsitechsolutions.com
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
     
    Lawrence Garvin [MVP], May 18, 2009
    #2
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.