It is recursive, and I honestly have no idea how to fix it. We're in a similar situation, and the only answers I can find for this involve disabling the DNS server (which would break AD).
Honestly, your best bet is to firewall off UDP port 53 to all hosts except ones that are using it as a DNS server.
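As an added illustration of the firewall approach suggested in the answer above (this is example code, not something posted in the thread), here is how it could be done on a Windows Server host running the AD-integrated DNS role with Windows Firewall. The internal subnets are placeholders; the rule group name "DNS Service" is the one the DNS Server role normally installs, but check it on your own box before disabling anything. Both UDP and TCP 53 are scoped, since large answers and zone transfers fall back to TCP.

```powershell
# Added example, not from the original thread.
# Assumes: Windows Server with the DNS Server role, Windows Firewall enabled,
# default inbound action Block (the server-profile default), and that the
# only hosts that should query this server sit on the networks below.
$InternalNets = @('10.0.0.0/8', '192.168.0.0/16')   # placeholder subnets, substitute your own

# 1. Add allow rules for port 53 that are scoped to the internal networks.
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "DNS $proto from internal only" `
        -Direction Inbound -Protocol $proto -LocalPort 53 `
        -RemoteAddress $InternalNets -Action Allow -Profile Any
}

# 2. Disable the role's built-in port-53 rules, which accept queries from Any.
#    Only the port-53 rules are touched so RPC-based remote management of the
#    DNS service keeps working. Group name 'DNS Service' is assumed; verify it.
Get-NetFirewallRule -DisplayGroup 'DNS Service' |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq 53 } |
    Disable-NetFirewallRule

# 3. Verify: the remaining enabled port-53 rules should list only the internal ranges.
Get-NetFirewallRule -Enabled True -Direction Inbound |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq 53 } |
    Get-NetFirewallAddressFilter |
    Select-Object InstanceID, RemoteAddress
```

With the Any-scoped rules disabled and no other allow rule for port 53, the default inbound Block drops queries from outside the listed ranges, so the server keeps recursing for domain members but can no longer be used as an open resolver from the Internet. If the server also sits behind a NAT with no port 53 forward, as described elsewhere in the thread, this is defence in depth rather than the only barrier.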
It seems my server shouldn't be a problem, it's behind the NAT and there's no port forwarding of port 53. If I had to do the resolution for the public nodes of my domain I'd anyway have a separate Linux or BSD node just for that, replying only to queries about my nodes. Does anybody know if I'm missing something in such a solution?