Hello.

I have a scenario on my environment of 2 Internal AD DNS servers and 2 external Windows 2012 DNS servers. I disabled recursion on my external DNS servers for security reasons but now the servers are not able to do windows updates because they cannot resolve external names.
Is there a way to solve this problem without having to re-enable recursion every-time I need to do a windows update or adding the Microsoft servers to the hosts file?
Thanks in advance for your help!

Cheers!

Hi Roeseler,

According to your description, you assume that we may add the Microsoft servers records to the host file, in order to perform windows update, because you have disabled recursion on the external DNS server.

As far as I know, the IP address for windows update web site constantly changes and it is not a fixed address. It may be difficult to achieve the goal.

When disable recursion, DNS server will use root hints to resolve name. However, the external DNS server couldnt resolve names after disabling recursion, we may check if the root hints are correct in the server.

Best regards,

Anne he