
Configuring DNS Selective Recursion Policy

So what are the differences between the Split-Brain DNS policy and the Split-Brain DNS policy with selective recursion?

  • An open resolver: in the last example, recursion was enabled for both internal and external clients.

In other words, whether the client was internal or external, if the local DNS server didn't have an answer, it could go out to the internet and query other DNS servers. In effect, this made the DNS server an open resolver, which could expose it to various malicious attacks.

  • In this example, with selective recursion enabled, only internal clients can perform recursive queries.

  • Recursion is blocked for all external clients.

  • With this security threat in mind, DNS administrators want to block recursion for all external clients while still allowing recursive queries from internal clients, making the DNS server more secure.

**How Selective Recursion Works**

**Our Scenario:**

  • The recursion policies are evaluated by the DNS server.

Suppose a query for www.news.com arrives on the internal interface and matches the SplitBrainRecursionPolicy. That policy points to a recursion scope that allows recursion, so if the DNS server doesn't already know about www.news.com, it performs recursion until it gets an answer, caches that answer, and sends the result back to the internal client.

If a query is received on the external interface, no policies match, and the default recursion setting, which is disabled, is applied.

This prevents the server from being an open resolver while acting as a caching resolver for the internal clients.
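The scenario above expressed as the Windows Server DnsServer PowerShell configuration an administrator would apply, as an added example that is not part of this lesson; the interface addresses 10.0.0.39 and 203.0.113.10 are constructed placeholders and the scope name InternalClients is assumed.

```powershell
# Added example (not from the original lesson). Assumes the DnsServer module
# on Windows Server 2016 or later; 10.0.0.39 is the server's internal interface
# and 203.0.113.10 its external interface (both constructed placeholder values).

# 1. Harden the default recursion scope (its name is ".") so that any query not
#    matched by a policy, which includes everything arriving on the external
#    interface, is refused recursion. This is what closes the open-resolver hole.
Set-DnsServerRecursionScope -Name . -EnableRecursion $False

# 2. Create a second recursion scope that does allow recursion. It has no effect
#    until a policy points at it.
Add-DnsServerRecursionScope -Name "InternalClients" -EnableRecursion $True

# 3. Create the recursion policy from the scenario: queries received on the
#    internal interface are steered to the permissive scope. -ApplyOnRecursion
#    makes this a server-level recursion policy rather than a zone policy.
Add-DnsServerQueryResolutionPolicy -Name "SplitBrainRecursionPolicy" `
    -Action ALLOW `
    -ApplyOnRecursion `
    -RecursionScope "InternalClients" `
    -ServerInterfaceIP "EQ,10.0.0.39"

# 4. Verify the configuration: the "." scope must report EnableRecursion False,
#    InternalClients True, and the policy must be enabled and bound to the scope.
Get-DnsServerRecursionScope
Get-DnsServerQueryResolutionPolicy -Name "SplitBrainRecursionPolicy" | Format-List

# 5. Functional check of the external side: a recursive lookup for a name this
#    server is not authoritative for should come back without an answer,
#    whereas the same query sent to 10.0.0.39 from an internal host succeeds.
Resolve-DnsName -Name www.news.com -Server 203.0.113.10 -DnsOnly -ErrorAction SilentlyContinue
```

Run step 5 from a host on each side of the server; if the external query still resolves, check that the policy's ServerInterfaceIP matches the address the external queries actually arrive on.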

**Terminology**

  • Recursion Scopes
  • Recursion Policies

**So, what are DNS Recursion Scopes?**

  • What are recursion scopes?

Recursion scopes are settings that control recursion. A recursion…