What is Recursive DNS and what role does it play on the web?
The Domain Name System (DNS) helps computers to map a human-readable domain name to an IP address. Computers can make two types of DNS requests to get an IP address: recursive DNS requests and iterative DNS requests.
Let’s start with iterative DNS requests.
When your machine makes an iterative DNS request to a resolving name server, that server first looks into its cache to see if it can return the IP address. If another machine has already made the same request, the resolving name server will have a copy of the IP address in its cache.
If the IP address is not in the cache, the resolving name server responds to your machine’s iterative DNS request saying, “Sorry, I can't find the IP address in my storage, but here is the address to the root name server who can help you with the request.”
Your machine sends a request to the root name server through the resolving name server to get the IP address of the top-level domain (TLD) name server. Next, your machine sends a request to the TLD name server through the resolving name server to get the IP address of the authoritative name server. Your machine finally talks to the authoritative name server through the resolving name server to get the IP address associated with the domain name.
The key thing to note for iterative DNS requests is that the resolving name server passes on your machine’s requests at every step. Every request must originate from your machine. In other words, the resolving name server can only act with your machine’s explicit instruction each and every time.
In a recursive DNS query to a resolving name server, just like in the iterative DNS request, that server checks its cache to see if it has an answer. If the resolving name server does not have an answer, instead of telling your machine which server it should go to next, the resolving name server makes queries to other DNS servers on your machine’s behalf until it finally gets the IP address to pass on to your machine.
The key difference between recursive DNS queries and iterative DNS queries is that in the recursive DNS query, the resolving name server doesn't need your machine’s explicit request each and every time. Instead, your machine authorizes it to make all further necessary DNS queries with the first request.
Recursive DNS requests are very helpful because they reduce the time needed to resolve a domain name’s IP address. Your machine authorizes the resolving name server to make requests on its behalf, and the resolving name server doesn't need to seek your machine’s authorization each and every time. Furthermore, a resolving name server can return a domain name’s IP address very quickly if the information is already in its cache.
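On the wire, the "authorization with the first request" described above is a single header bit: the client sets Recursion Desired (RD) in its query, and the server reports Recursion Available (RA) in its response. The following is an added example, not code from the original article; it builds both kinds of query per RFC 1035 and classifies response headers, and the function names and sample headers are constructed for illustration.

```python
import struct

QR = 0x8000  # message is a response
RD = 0x0100  # Recursion Desired: set by the client in its query
RA = 0x0080  # Recursion Available: set by the server in its response

def encode_name(name):
    """Encode a domain name as length-prefixed labels (RFC 1035)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("each label must be 1-63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, txid, recursive=True):
    """Build an A-record query; `recursive` controls only the RD bit."""
    flags = RD if recursive else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("a DNS header is 12 bytes")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "response": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "rcode": flags & 0x000F,
            "answers": an, "authority": ns}

def classify(msg):
    h = parse_header(msg)
    if not h["response"]:
        return "recursive query" if h["rd"] else "iterative query"
    if h["rcode"] == 5:  # REFUSED: the server declined to serve this client
        return "refused"
    if h["rcode"] == 0 and h["answers"] > 0:
        return "answer"  # the IP address came back directly
    if h["rcode"] == 0 and h["authority"] > 0:
        return "referral"  # no answer, only pointers to other name servers
    return "other"

# Constructed sample response headers (12 bytes each, no record data).
SAMPLE_ANSWER = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)
SAMPLE_REFERRAL = struct.pack("!HHHHHH", 0x1234, QR, 1, 0, 2, 2)
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, QR | RD | 5, 1, 0, 0, 0)
```

A resolver that answers "refused" to clients outside its own network performs no recursive lookups for them, which is the usual way operators limit who can use it.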
Recursive DNS requests are helpful, but some people have found ways to exploit them. For example, attackers can fool DNS servers into thinking that a recursive DNS request from their machine is coming from yours by spoofing, or faking, your machine’s IP address when making the request. The attackers can command tens of thousands of computers to fake recursive DNS requests, and all the responses go to your machine instead of theirs. The sheer volume of responses can cause your machine to crash or become unresponsive.
In another exploit, attackers intercept recursive DNS requests and return the IP address of a malicious website instead of the actual IP address of a domain name. If the malicious IP address enters a popular resolving name server’s cache, the cache is considered “poisoned.” Every query to resolve that domain name then returns the IP address of the malicious website, and thousands of machines could be affected.
Domain Name System. A protocol that resolves names to IP addresses that devices can use to contact other servers.
A way to mask the origin of a source. Used by cybercriminals to impersonate trusted origins.
A service that resolves domain names into network addresses.
A unique location on the internet represented by an alphanumeric address. The two current standards are IPv4 and IPv6.