DNS: The recursion timeout must be greater than the forwarding timeout

Updated: October 15, 2010

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Microsoft Baseline Configuration Analyzer or Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the DNS Microsoft Baseline Configuration Analyzer or DNS Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

Product/Feature

DNS

Severity

Warning

Category

Configuration

Issue

The forwarding timeout is greater than or equal to the recursion timeout.

The recursion timeout value is not configured to allow sufficient time for recursion to complete.

Impact

The DNS server will fail to respond to queries for external zones if forwarding servers are not available.

When a DNS server receives a recursive query, it must be given time to send the query to its forwarder and wait for a response. If the forwarding servers time out, the DNS server requires additional time to perform recursion. If the recursion timeout value is too small and does not allow additional time beyond the forwarding timeout, the DNS server will be unable to respond to a recursive query when forwarders are unavailable.

Resolution

Configure the recursion timeout to be greater than the forwarding timeout.

By default, the DNS server will wait 3 seconds for a response from one forwarder IP address before trying another forwarder IP address. In "Number of seconds before forward queries time out", you can change the number of seconds the DNS server will wait. When the server has exhausted all forwarders, it will attempt standard recursion if "Use root hints if no forwarders are available" is selected and the recursion timeout has not expired. The default recursion timeout value is 8 seconds.

Membership in Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To configure the recursion timeout value

  1. Open an elevated command prompt.

  2. Type the following command, and then press ENTER:

    dnscmd [<ServerName>] /config /recursiontimeout <timeout>
    
| Value | Description |
| --- | --- |
| dnscmd | The command-line tool for managing DNS servers. |
| <ServerName> | Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.) or omit the host name. |
| /config | Required. Modifies the configuration of the DNS server. |
| /recursiontimeout | Required. Specifies that the recursion timeout value will be configured. |
| <timeout> | Optional. Specifies the recursion timeout value in seconds. Allowed values are from 1 to 15. If no value is entered, the recursion timeout is set to a value of 8 seconds. |
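
The following added example (not part of the original topic) checks the rule described above on one or more DNS servers and prints the dnscmd command from this topic for any server that fails it. It assumes the DnsServer PowerShell module (Windows Server 2012 or later, or RSAT), which this topic does not mention; `Test-DnsRecursionTimeout` is a hypothetical helper name.

```powershell
# Added example: audit "recursion timeout > forwarding timeout" (read-only).
# Assumes the DnsServer module's Get-DnsServerForwarder / Get-DnsServerRecursion.
function Test-DnsRecursionTimeout {
    [CmdletBinding()]
    param(
        # DNS servers to audit; defaults to the local computer.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($server in $ComputerName) {
        try {
            $fwd = Get-DnsServerForwarder -ComputerName $server -ErrorAction Stop
            $rec = Get-DnsServerRecursion -ComputerName $server -ErrorAction Stop
        }
        catch {
            Write-Warning "${server}: could not read DNS settings: $($_.Exception.Message)"
            continue
        }
        [pscustomobject]@{
            Server            = $server
            ForwarderCount    = @($fwd.IPAddress | Where-Object { $_ }).Count
            ForwardingTimeout = [int]$fwd.Timeout   # seconds, per forwarder IP address
            RecursionTimeout  = [int]$rec.Timeout   # seconds
            UseRootHints      = $fwd.UseRootHint
            # Rule from this topic: recursion timeout must be strictly greater.
            Compliant         = ([int]$rec.Timeout -gt [int]$fwd.Timeout)
        }
    }
}

$results = @(Test-DnsRecursionTimeout)
$results | Format-Table -AutoSize

foreach ($r in $results | Where-Object { -not $_.Compliant }) {
    # /recursiontimeout accepts 1 to 15 seconds, so cap the suggestion at 15.
    $target = [Math]::Min(15, $r.ForwardingTimeout + 1)
    if ($target -gt $r.ForwardingTimeout) {
        # Printed for review only; nothing is changed by this script.
        "{0}: run  dnscmd {0} /config /recursiontimeout {1}" -f $r.Server, $target
    }
    else {
        # Forwarding timeout is already at or above the maximum recursion timeout.
        "{0}: forwarding timeout ({1}s) must be lowered before the rule can be met" -f `
            $r.Server, $r.ForwardingTimeout
    }
}
```

Pass several names to `-ComputerName` to audit a set of servers in one run; the suggested value is the smallest that satisfies the rule, not a tuning recommendation.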