So what are the differences between the Split-Brain DNS policy and the Split-Brain DNS policy with selective recursion?
- An open resolver: in the last example, recursion was enabled for both internal and external clients. In other words, if the local DNS server didn't have an answer for either kind of client, it could go out to the internet to query other DNS servers. In effect, this made the DNS server an open resolver, and this could make the DNS server vulnerable to various malicious attacks.
- In this example, with selective recursion enabled, only internal clients can perform recursive queries.
- Recursion is blocked for all external clients.
- With this possible security threat in mind, DNS administrators would like to block recursion for all external clients and allow recursive queries for the internal clients, making the DNS server more secure.
How Selective Recursion Works
Our Scenario:
- The recursion policies are evaluated by the DNS server.
If a query for www.news.com comes in on the internal interface, that query matches the SplitBrainRecursionPolicy. This policy points to a recursion scope that allows recursion. If the DNS server doesn't know about www.news.com, it performs recursion until it gets an answer, caches that answer, and sends the result back to the internal client.
If a query is received on the external interface, no policies match, and the default recursion setting, which is disabled, is applied.
This prevents the server from being an open resolver while acting as a caching resolver for the internal clients.
Terminology
- Recursion Scopes
- Recursion Policies
So, what are DNS Recursion Scopes?
- What are recursion scopes?
Recursion scopes are settings that control recursion. A recursion scope contains a list of forwarders and identifies whether recursion is enabled.
- So, what is the default recursion scope?
The default recursion scope consists of server-level recursion and a list of forwarders. The default recursion scope cannot be deleted.
So, what is a Recursion Policy?
- A recursion policy defines which clients are part of the recursion scope. In this example, we will create a policy that allows internal clients to perform recursive queries on the internet.
Configuring DNS Split-Brain Recursion Control consists of three steps.
Step #1 We are going to disable recursion for external clients, using the default recursion scope.
Step #2 We are going to enable recursion for internal clients by creating a recursion scope.
Step #3 We are going to create a Recursion policy, which defines which clients are part of the policy.
Step #1 This command disables recursion for the default recursion scope (for all external clients)
- Set-DnsServerRecursionScope -Name . -EnableRecursion $False
This command disables recursion; the dot denotes the default recursion scope. The dollar sign marks a PowerShell variable, and $False is the built-in Boolean false value. What this command is saying is that recursion will be disabled for any queries coming in on the external interface.
Step #2 This command creates a Recursion scope for the internal clients
- Add-DnsServerRecursionScope -Name "InternalClients" -EnableRecursion $True
What that is saying is that recursion will be enabled for any queries coming in on the internal interface.
Step #3 This command creates a DNS recursion policy that allows recursion for all the internal clients.
- Add-DnsServerQueryResolutionPolicy -Name "SplitBrainRecursionPolicy" -Action ALLOW -ApplyOnRecursion -RecursionScope "InternalClients" -ServerInterfaceIP "EQ,192.168.17.10"
The IP address is that of the interface on the internal side. So, what this policy is saying is that it has defined which clients are part of the recursion scope.
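An added example, not part of the lesson: the three steps applied idempotently, followed by a check that the server answers a recursive query on the internal interface but not on the external one. The external IP 203.0.113.10 is a placeholder, and the script assumes an elevated session on the DNS server itself.

```powershell
# Added example, not the lesson's own code.
# Assumptions: elevated session on the DNS server; $ExternalIP is a placeholder.
$InternalIP = '192.168.17.10'   # internal interface IP, from the lesson
$ExternalIP = '203.0.113.10'    # placeholder: set to the external interface IP
$ScopeName  = 'InternalClients'
$PolicyName = 'SplitBrainRecursionPolicy'
$TestName   = 'www.news.com'    # a name this server does not host

# Step 1: the default scope (".") must not recurse.
Set-DnsServerRecursionScope -Name . -EnableRecursion $false

# Step 2: create the internal scope only if it is missing.
if (-not (Get-DnsServerRecursionScope | Where-Object Name -eq $ScopeName)) {
    Add-DnsServerRecursionScope -Name $ScopeName -EnableRecursion $true
}

# Step 3: create the recursion policy only if it is missing.
if (-not (Get-DnsServerQueryResolutionPolicy | Where-Object Name -eq $PolicyName)) {
    Add-DnsServerQueryResolutionPolicy -Name $PolicyName -Action ALLOW `
        -ApplyOnRecursion -RecursionScope $ScopeName `
        -ServerInterfaceIP "EQ,$InternalIP"
}

# Returns $true only if the server at $Server hands back an Answer section.
function Test-RecursiveAnswer([string]$Server) {
    try {
        $r = Resolve-DnsName -Name $TestName -Server $Server -Type A `
                 -DnsOnly -ErrorAction Stop
        return [bool]($r | Where-Object Section -eq 'Answer')
    } catch {
        return $false   # refusal, SERVFAIL or timeout
    }
}

# The external side is queried first so its result does not depend on an
# answer that the internal query has just placed in the cache.
$report = [pscustomobject]@{
    DefaultScopeRecursion = (Get-DnsServerRecursionScope -Name .).EnableRecursion
    InternalScopeEnabled  = (Get-DnsServerRecursionScope -Name $ScopeName).EnableRecursion
    ExternalGetsAnswer    = Test-RecursiveAnswer $ExternalIP
    InternalGetsAnswer    = Test-RecursiveAnswer $InternalIP
}
$report | Format-List

if ($report.DefaultScopeRecursion -or $report.ExternalGetsAnswer) {
    Write-Warning 'Recursion is still available on the external side.'
}
```

The expected report is DefaultScopeRecursion False, InternalScopeEnabled True, ExternalGetsAnswer False and InternalGetsAnswer True; any other combination means the scope or policy is not applied as the lesson describes.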
This command will allow us to view our query resolution policy.