How to Disable DNS Recursion and Delete Root Hints on Windows Server?

🛡️ How to Disable DNS Recursion and Delete Root Hints on Windows Server

DNS recursion and root hints are often enabled by default on Windows servers, which can expose your server to DNS amplification attacks. This guide walks you through how to disable DNS recursion and remove root hints to harden your DNS configuration.

✅ Prerequisites

• Access to your server via Remote Desktop (RDP)

• Admin rights on a Windows Server with DNS role installed

🔧 Steps to Disable DNS Recursion

1. Login to Your Server

Connect via Remote Desktop to your VPS or dedicated server.

2. Launch DNS Manager

Go to:
Start > Administrative Tools > DNS
This will open the DNS Manager console.

3. Open Server Properties

• In the left pane, right-click your server name

• Select Properties

4. Disable Recursion

• Go to the Advanced tab

• Check the box for:
  ✅ Disable recursion (also disables forwarders)

• Click Apply and OK

🗑️ Steps to Delete Root Hints

5. Open Root Hints Tab

• Still in DNS Manager, open Properties on the server node

• Go to the Root Hints tab

6. Delete All FQDN Entries

• Select each listed FQDN Name Server

• Click Remove until the list is empty

• Click Apply and OK

🔄 Restart the DNS Service

7. Restart DNS to Apply Changes

• In DNS Manager, right-click your server name

• Go to All Tasks > Restart

This ensures the changes take effect.

➕ Optional: Add a “.” Forward Zone (Dot Zone)

Adding a dot zone (.) disables external DNS lookups completely.

1. Create a New Zone

• Right-click the server name > New Zone

• Click Next through the prompts until you reach Zone Name

2. Enter a Dot (.) as Zone Name

• Type a single period . for the zone name

• Proceed with default options and click Next

3. Complete the Wizard

• Click Finish on the final screen

This prevents the server from performing DNS lookups on the internet.