DNS recursion and root hints are often enabled by default on Windows servers, which can leave your server usable as an open resolver in DNS amplification attacks. This guide walks you through disabling DNS recursion and removing root hints to harden your DNS configuration.
Access to your server via Remote Desktop (RDP)
Admin rights on a Windows Server with DNS role installed
Connect via Remote Desktop to your VPS or dedicated server.
Go to:
Start > Administrative Tools > DNS
This will open the DNS Manager console.
In the left pane, right-click your server name
Select Properties
Go to the Advanced tab
Check the box for:
✅ Disable recursion (also disables forwarders)
Click Apply and OK
Still in DNS Manager, open Properties on the server node
Go to the Root Hints tab
Select each listed FQDN Name Server
Click Remove until the list is empty
Click Apply and OK
In DNS Manager, right-click your server name
Go to All Tasks > Restart
This ensures the changes take effect.
Adding a dot zone (.) disables external DNS lookups completely.
Right-click the server name > New Zone
Click Next through the prompts until you reach Zone Name
Type a single period (.) for the zone name
Proceed with default options and click Next
Click Finish on the final screen
This prevents the server from performing DNS lookups on the internet.
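The same hardening as a PowerShell script, added here as an example (it is not part of the original guide). It assumes the DnsServer module installed with the DNS Server role, an elevated session on the server itself, and that no clients depend on this server for recursive lookups, since disabling recursion also stops it answering them.

```powershell
# Added example: scripted equivalent of the GUI steps above, using the
# DnsServer module that ships with the DNS Server role. Run elevated on the
# DNS server. Assumes no clients rely on this server for recursive resolution.
Import-Module DnsServer

# 1. Record the current state so the change is auditable.
$before = Get-DnsServerRecursion
Write-Host "Recursion enabled before: $($before.Enable)"

# 2. Disable recursion (this also disables forwarders, as the GUI option says).
Set-DnsServerRecursion -Enable $false

# 3. Remove every root hint so the server has no path to the Internet roots.
foreach ($hint in Get-DnsServerRootHint) {
    $ns = $hint.NameServer.RecordData.NameServer
    Remove-DnsServerRootHint -NameServer $ns -Force
}

# 4. Optional: create the "." zone so lookups for names this server does not
#    host are answered locally instead of being sent to the Internet.
if (-not (Get-DnsServerZone -Name "." -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name "." -ZoneFile "root.dns"
}

# 5. Restart the service so the new settings take effect.
Restart-Service -Name DNS

# 6. Verify: recursion must report False, the root hint list must be empty,
#    and an external name queried against this server must not resolve.
$after = Get-DnsServerRecursion
$hints = @(Get-DnsServerRootHint)
Write-Host "Recursion enabled after: $($after.Enable); root hints left: $($hints.Count)"
try {
    # example.com is a constructed probe name; any Internet name works here.
    Resolve-DnsName -Name example.com -Server 127.0.0.1 -DnsOnly -ErrorAction Stop
    Write-Warning "example.com still resolved: the server is still recursing"
} catch {
    Write-Host "External lookup failed as expected: $($_.Exception.Message)"
}
```

The final probe is the check worth keeping in a change ticket: a successful answer for an Internet name after the restart means one of the steps did not apply.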