What risks are associated with recursive DNS queries?

Root Folder > Dedicated Servers - Windows

There are two types of DNS queries: iterative and recursive.

Iterative
Iterative DNS queries are ones in which a DNS server is queried and returns an answer without querying other DNS servers, even if it cannot provide a definitive answer. Iterative queries are also called non-recursive queries.
Recursive
Recursive DNS queries occur when a DNS client requests information from a DNS server that is set to query subsequent DNS servers until a definitive answer is returned to the client. The queries made to subsequent DNS servers from the first DNS server are iterative queries.

Recursive DNS query risks  :

A DNS server that supports recursive resolution is vulnerable to DOS (denial of service) attacks, DNS cache poisoning, unauthorized use of resources, and root name server performance degradation.

DOS attacks
Servers supporting recursive DNS queries are vulnerable to phony requests that flood a particular IP address with the results of each server's query. This can overwhelm the IP address with a volume of traffic too large to be processed.
DNS cache poisoning
Cache poisoning results from someone tricking a DNS server into believing that a fake DNS query response is authentic. Because responses are normally cached, this false information can be distributed to users of that server.
Unauthorized use of resources
With recursive DNS queries enabled, a server is more easily hijacked and its performance compromised.
Root name server performance degradation
When DNS servers are not configured correctly, queries using RFC1918 addressing (also known as "private" addressing) may be leaked to the root name servers, causing a degradation in service for legitimate queries to those servers.


Add Feedback