diff --git a/agent/config/builder.go b/agent/config/builder.go
index b59aa94aa4..da5f4fb2b6 100644
--- a/agent/config/builder.go
+++ b/agent/config/builder.go
@@ -726,6 +726,11 @@ func (b *Builder) Validate(rt RuntimeConfig) error {
 			return fmt.Errorf("DNS address cannot be a unix socket")
 		}
 	}
+	for _, a := range rt.DNSRecursors {
+		if ipaddr.IsAny(a) {
+			return fmt.Errorf("DNS recursor address cannot be 0.0.0.0, :: or [::]")
+		}
+	}
 	if rt.Bootstrap && !rt.ServerMode {
 		return fmt.Errorf("'bootstrap = true' requires 'server = true'")
 	}
diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go
index 3324841a6a..0f5d4ca7f9 100644
--- a/agent/config/runtime_test.go
+++ b/agent/config/runtime_test.go
@@ -1463,6 +1463,15 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
 			hcl:  []string{`advertise_addr_wan = "::"`},
 			err:  "Advertise WAN address cannot be 0.0.0.0, :: or [::]",
 		},
+		{
+			desc: "recursors any",
+			flags: []string{
+				`-data-dir=` + dataDir,
+			},
+			json: []string{`{ "recursors": ["::"] }`},
+			hcl:  []string{`recursors = ["::"]`},
+			err:  "DNS recursor address cannot be 0.0.0.0, :: or [::]",
+		},
 		{
 			desc: "dns_config.udp_answer_limit invalid",
 			flags: []string{