There are two types of DNS queries: iterative and recursive.
- Iterative DNS queries are ones in which a DNS server is queried and
returns the best answer it already holds without querying other DNS
servers, even if that is not a definitive answer. When the server is not
authoritative for the name, the reply is normally a referral: an empty
answer section plus the NS records of the name servers closer to the
answer, which the client must then query itself. Iterative queries are also called
- Recursive DNS queries occur when a DNS client requests information
from a DNS server that is set to query subsequent DNS servers until a
definitive answer is returned to the client. The queries made to
subsequent DNS servers by the first DNS server are iterative queries.
On the wire the difference is a pair of header bits: the client sets RD
(recursion desired) to ask for recursive service, and the server sets RA
(recursion available) in its response if it offers that service.
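To make the distinction concrete, here is an added example (my code, not part of the original page) that builds the two kinds of query and the two kinds of reply at the wire level in Python: a query with RD clear or set, a referral as an iterative server returns it, and a final answer as a recursive resolver returns it. All packets are constructed inside the script; the zone, the ns1/ns2 server names and the 192.0.2.10 address are placeholders from the documentation ranges, and classify_response is a helper written for this example, not a standard-library call.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1) in the 16-bit flags field.
QR = 0x8000  # 1 = this message is a response
AA = 0x0400  # authoritative answer
RD = 0x0100  # recursion desired: set by the client
RA = 0x0080  # recursion available: set by the server
RCODE_MASK = 0x000F

TYPE_A, TYPE_NS = 1, 2
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as DNS labels: b'\\x03www\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0x1234,
                recursion_desired: bool = True) -> bytes:
    """Single-question query; recursion_desired controls the RD bit and nothing else."""
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def parse_header(packet: bytes) -> dict:
    """Decode the 12-byte header into flags and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & RCODE_MASK,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def encode_rr(name: str, rtype: int, rdata: bytes, ttl: int = 3600) -> bytes:
    """One resource record: owner name, type, class, TTL, rdlength, rdata."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_referral(query: bytes, zone: str, ns_names: list) -> bytes:
    """What an iterative (non-recursive) server that is not authoritative for the
    name sends back: no answer, the NS records of the delegated zone in the
    authority section, RA clear. The question section is echoed from the query."""
    qh = parse_header(query)
    header = struct.pack("!HHHHHH", qh["id"], QR, 1, 0, len(ns_names), 0)
    authority = b"".join(encode_rr(zone, TYPE_NS, encode_name(ns)) for ns in ns_names)
    return header + query[12:] + authority


def build_answer(query: bytes, name: str, ipv4: str) -> bytes:
    """What a recursive resolver sends back after chasing the referrals itself:
    the final A record in the answer section, RA set, RD echoed from the query."""
    qh = parse_header(query)
    flags = QR | RA | (RD if qh["rd"] else 0)
    header = struct.pack("!HHHHHH", qh["id"], flags, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    return header + query[12:] + encode_rr(name, TYPE_A, rdata, ttl=300)


def classify_response(packet: bytes) -> str:
    """Tell a final answer from a referral using the section counts and the AA bit."""
    h = parse_header(packet)
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] == 3:
        return "nxdomain"
    if h["rcode"] != 0:
        return "error-rcode-%d" % h["rcode"]
    if h["ancount"] > 0:
        return "answer"
    if h["nscount"] > 0 and not h["aa"]:
        return "referral"
    return "empty"


if __name__ == "__main__":
    q = build_query("www.example.com")  # RD set: "please recurse for me"
    # Constructed replies, not captured traffic; names and address are placeholders.
    referral = build_referral(q, "example.com", ["ns1.example.com", "ns2.example.com"])
    final = build_answer(q, "www.example.com", "192.0.2.10")
    print("iterative-style reply:", classify_response(referral), parse_header(referral))
    print("recursive-style reply:", classify_response(final), parse_header(final))
```

Run the script and compare the two headers: the referral has ancount 0, nscount 2 and RA clear, so a client that sent RD=1 learns it must continue the resolution itself; the recursive reply has ancount 1 and RA set. A server that answers RD=1 queries with RA set for anyone on the Internet is exactly the open resolver discussed in the risks below.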
Recursive DNS query risks:
A DNS server that supports recursive resolution, and in particular one
that answers recursive queries for arbitrary clients on the Internet (an
"open resolver"), is exposed to DoS (denial of service) attacks, DNS
cache poisoning, unauthorized use of resources, and root name server
performance degradation.
- DoS attacks
- Servers answering recursive queries for anyone can be used as
reflectors: an attacker sends them phony requests whose source address
is forged to be the victim's, so each server delivers the result of its
query to the victim rather than to the attacker. Because a DNS response
is usually much larger than the query that triggered it (ANY queries
and DNSSEC-signed records especially), the traffic is also amplified,
and the victim's IP address is flooded with a volume of traffic too
large to be processed. The check a practitioner wants is whether the
server answers recursive queries from addresses outside its own
networks at all (BIND: allow-recursion; Unbound: access-control) and
whether response rate limiting is enabled.
- DNS cache poisoning
- Cache poisoning results from someone tricking a DNS server into
believing that a forged DNS response is authentic. The forgery must
match a query the server currently has outstanding (same question,
transaction ID and source port) and arrive before the genuine reply;
because responses are normally cached, the false record is then served
to every user of that server until its TTL expires. A recursive server
is the target precisely because it is the one sending queries out and
caching what comes back; source port randomization and DNSSEC
validation are the standard countermeasures.
- Unauthorized use of resources
- With recursive DNS queries enabled for arbitrary clients, anyone on
the Internet can make the server do resolution work on their behalf: its
CPU, memory, cache and bandwidth are consumed by outsiders, its
performance for the clients it is meant to serve suffers, and the same
openness is what lets it be commandeered as a reflector in the DoS
attacks above.
- Root name server performance degradation
- When DNS servers are not configured correctly, queries for RFC 1918
addressing (also known as "private" addressing), typically reverse
(PTR) lookups under 10.in-addr.arpa, the 172.16.0.0/12 part of
172.in-addr.arpa and 168.192.in-addr.arpa, are leaked to the root name
servers instead of being answered locally, causing a degradation in
service for legitimate queries to those servers. A resolver should
serve these reverse zones itself (BIND's built-in empty zones do this
by default) so that such queries never leave the network.
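The DoS, unauthorized-use and root-degradation risks above all leave traces in a resolver's query log. The following added example (my code, not from the original page) audits BIND-style query log lines: it flags recursive (RD set) queries from clients outside the networks the server is meant to serve, singles out ANY queries from outside as reflection candidates, and flags PTR queries under the RFC 1918 reverse zones that a resolver should answer locally rather than forward. The log lines, the addresses and the allowed_nets list are constructed for the example; the line layout follows BIND's query log, where the flags field begins with "+" when the client set RD and "-" when it did not.

```python
import ipaddress
import re

# Networks whose reverse zones should be answered locally and never reach the roots.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# BIND-style query log line. The first character of the flags field is "+" when the
# client set RD (recursion desired) and "-" when it did not.
QUERY_LOG_RE = re.compile(
    r"client (?:@\S+ )?(?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+) \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Constructed sample lines (not a real capture). Addresses come from the
# documentation ranges; 10.0.0.0/8 plays the role of the internal network.
SAMPLE_LOG = """\
client @0x7f1b2c0d2a10 192.0.2.77#51234 (www.example.com): query: www.example.com IN A +E(0)K (198.51.100.53)
client @0x7f1b2c0d2a10 10.1.2.3#40000 (www.example.com): query: www.example.com IN A + (10.1.2.53)
client @0x7f1b2c0d2a10 203.0.113.9#53 (example.org): query: example.org IN ANY +E(0) (198.51.100.53)
client @0x7f1b2c0d2a10 203.0.113.9#53 (example.net): query: example.net IN MX -E(0) (198.51.100.53)
client @0x7f1b2c0d2a10 10.1.2.3#40001 (5.2.1.10.in-addr.arpa): query: 5.2.1.10.in-addr.arpa IN PTR + (10.1.2.53)
client @0x7f1b2c0d2a10 10.1.2.3#40002 (4.4.8.8.in-addr.arpa): query: 4.4.8.8.in-addr.arpa IN PTR + (10.1.2.53)
client @0x7f1b2c0d2a10 10.1.2.3#40003 (20.16.172.in-addr.arpa): query: 20.16.172.in-addr.arpa IN PTR + (10.1.2.53)
""".splitlines()


def parse_query_log(line: str):
    """Return the fields of one query log line, or None if the line is not a query entry."""
    m = QUERY_LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["port"] = int(d["port"])
    d["rd"] = d["flags"].startswith("+")
    return d


def reverse_name_to_network(qname: str):
    """Map a (possibly partial) in-addr.arpa name to the IPv4 network it covers.
    '1.168.192.in-addr.arpa' -> 192.168.1.0/24; returns None for non-reverse names."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return None
    octets = labels[:-2][::-1]  # labels are in reverse order; flip back to address order
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network("%s/%d" % (addr, 8 * len(octets)), strict=False)


def is_rfc1918_reverse(qname: str) -> bool:
    """True when the reverse name lies entirely inside an RFC 1918 block.
    '172.in-addr.arpa' is wider than 172.16.0.0/12, so it is deliberately not flagged."""
    net = reverse_name_to_network(qname)
    return net is not None and any(net.subnet_of(p) for p in RFC1918)


def audit_query_log(lines, allowed_nets=("10.0.0.0/8",)):
    """Scan query log lines and group the findings by risk."""
    allowed = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = {"open_recursion": [], "reflection_candidates": [], "rfc1918_reverse": []}
    for line in lines:
        q = parse_query_log(line)
        if q is None:
            continue
        client = ipaddress.ip_address(q["client"])
        internal = any(client in n for n in allowed)
        if q["rd"] and not internal:
            # Recursive service requested by an outside client: the server is an open resolver.
            findings["open_recursion"].append((q["client"], q["qname"], q["qtype"]))
            # ANY from outside is the classic reflection/amplification pattern: small query, big reply.
            if q["qtype"] == "ANY":
                findings["reflection_candidates"].append((q["client"], q["qname"]))
        if q["qtype"] == "PTR" and is_rfc1918_reverse(q["qname"]):
            # Should be answered from a local/empty zone; without one it leaks towards the roots.
            findings["rfc1918_reverse"].append((q["client"], q["qname"]))
    return findings


if __name__ == "__main__":
    for kind, hits in audit_query_log(SAMPLE_LOG).items():
        print(kind, hits)
```

The MX query from 203.0.113.9 with RD clear is not flagged: an iterative query from outside is what an authoritative server is supposed to receive, and it is the "+" lines from outside addresses that show recursion being handed to strangers. The rfc1918_reverse findings are worth checking against the server's configuration rather than its client list, since even internal clients will cause leakage if no local zone exists for those names.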