December 13, 2008 10:50 am GMT

What is a recursive DNS query?

by Gary Illyes


One of the most important parts of the Internet is the DNS; I guess that is clear to everybody. DNS is a distributed database, the largest in the world, but in at least one aspect it is extremely vulnerable: recursive queries. We distinguish two types of DNS queries:

  1. Iterative or non-recursive
  2. Recursive

Each of the 13 root servers is configured to be non-recursive. When you query a root server, it answers only from what it knows itself (for almost every query that is a referral to the TLD servers) and it never chases the full answer for you. The gTLD servers are also configured to be iterative.

Example: You query k.root-servers.net for records about google.com. Since it knows the delegation for .com, it returns a referral: the NS records (and glue addresses) of the .com gTLD servers you should query next for google.com. If it had no information at all, it would NOT query another server on your behalf; it would simply return no data.

So what is a recursive DNS query?

A recursive DNS query is a query (sent with the RD, "recursion desired", bit set in the header) to a DNS server that is configured to walk the hierarchy itself, querying root, TLD and authoritative servers in turn until it has the requested information, and then returning the final answer to you.

What are the risks of the recursive DNS?

When your DNS server is configured to support recursive queries, you should be aware of the following risks:

  • DoS/reflection vulnerability: an openly recursive server answers anyone, so an attacker can send it queries with a forged source address and the server floods that victim's IP with replies it never asked for, far more traffic than the attacker sent
  • DNS cache poisoning: since by default every result is cached, if a recursive server accepts a fake/incorrect answer it believes to be authoritative, it stores that answer in its cache and serves it to every client until the TTL expires; the cache is poisoned
  • Resource exhaustion: imagine thousands of recursive queries at the same time. Each one ties up memory and outbound queries on the server, so service is denied or, in the better cases, performance degrades
  • Unnecessary load on root servers: reverse (PTR) lookups for private addresses (see RFC 1918) that no local zone answers escape from a recursive server straight to the root servers, which cannot answer them usefully

Who should support recursive DNS queries?

Internet Service Providers have to provide recursive queries for their clients, but these DNS servers should never be reachable by anyone who is not a client of the provider (in BIND 9 this is the allow-recursion option, which limits recursion to the listed client networks rather than turning it off). The DNS servers of large corporations' private networks also have to support recursive queries, again only for the internal clients.

How to end a server’s support for recursive DNS queries?

  • Windows:
    Open a Remote Desktop connection to the server and log in as Administrator. Open Administrative Tools from the Start Menu/Control Panel and double-click the icon labeled DNS. In the tree on the left select the DNS server you want to stop recursion on, then click Properties. Select the Advanced tab and, under Server Options, check the box labeled Disable Recursion.
    Save everything and, as a final step, clear the cache of the DNS server.
  • Unix-based (BIND 9):
    SSH to the server and log in as root. Open named.conf for editing and, inside the options { ... }; block, insert the following line, then save and close the file:
    recursion no;
    Restart the named service with the following command:
    service named restart

To test whether your DNS server supports recursive queries or not, IANA (Internet Assigned Numbers Authority) provides a Cross-Pollination Check tool which does a great job.
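You can also do the check yourself from the wire. The script below is an added example written for this post (it is not the IANA tool and not the author's code): it builds a query with the RD bit set, sends it to a server you name, and reads the RA ("recursion available") bit and the RCODE from the reply, which is exactly the distinction between the iterative and recursive servers described above. The query name example.com and the transaction ID 0x1234 are arbitrary choices; a server that refuses recursion to outsiders typically answers RCODE 5 (REFUSED) or clears RA, while an open resolver answers with RA set.

```python
"""Probe whether a DNS server offers recursion (added example, not the page's own code)."""
import socket
import struct
import sys

# Header flag bits (RFC 1035 section 4.1.1)
FLAG_QR = 0x8000  # response
FLAG_RD = 0x0100  # recursion desired (set by the client)
FLAG_RA = 0x0080  # recursion available (set by the server)
RCODE_REFUSED = 5


def build_query(name: str, txid: int = 0x1234, recursion_desired: bool = True) -> bytes:
    """Return a raw DNS query for the A record of `name`, one question, no extras."""
    flags = FLAG_RD if recursion_desired else 0
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)  # ID, flags, QD, AN, NS, AR
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into named fields."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(query: bytes, response: bytes) -> str:
    """Say what the reply tells us about the server's recursion policy."""
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"]:
        return "mismatched-id"      # not an answer to our question; never trust it
    if not r["qr"]:
        return "not-a-response"
    if r["rcode"] == RCODE_REFUSED:
        return "refused"            # recursion denied to this client
    if r["ra"]:
        return "recursive"          # server advertises recursion for us
    return "iterative"              # answered from its own data only


def probe(server: str, name: str = "example.com", timeout: float = 2.0) -> str:
    """Send one RD=1 query over UDP/53 and classify the reply (needs network access)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return classify(query, data)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, "->", probe(target))
```

Run it as `python probe.py <server-ip>` from a host that is not one of the server's own clients: "recursive" from outside means the server is an open resolver and the risks listed above apply. RA is only what the server advertises, so treat "iterative" or "refused" from the outside together with a "recursive" result from inside the client network as the configuration you want.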


Comments

One Comment on " What is a recursive DNS query? "

  1. Ray on Wed, 12th Aug 2009 3:19 am  

    Thanks for explaining why DNS servers would be vulnerable to DOS attacks. It makes perfect sense. I guess I just don’t understand why they bothered to design them this way. It seems like they should always talk back to the computer performing the query.
