
Recursive DNS and You

In the world of DNS, there are two types of DNS servers: recursion disabled and recursion enabled.

Recursion disabled servers, when asked to resolve a name, will only answer for names that they are authoritative for. They will absolutely refuse to look up a name they do not have authority over, which is ideal when you don’t want the server to answer just any query. They aren’t, however, very useful for domains you don’t know about or have authority over.

Recursion enabled servers, when asked to resolve a name, will perform a series of queries to figure out exactly what the right IP address for that name is. It generally starts with a root server, which gives it a hint (a referral) about where to go next, and so on down the line until it reaches the final server with the final answer. This is a great deal, because every time you look up a domain, you’re guaranteed to get an answer if one exists anywhere in the world. Since you’re always getting the right answer, it’s a great tool for caching answers, so the next time someone needs to look up that domain, you aren’t running all over the internet again for the result. This saves time and bandwidth, especially on high volume servers. However, there is a danger in allowing just anyone to do this.

Recursive DNS and Security

In most cases, you are not going to want to have a recursion enabled server open to the public. Having one exposed to queries from just anyone can be dangerous for your network, and if not dangerous, very expensive. Some firms that are dedicated to providing public DNS service will allow recursion from anyone, but it’s not for the faint of heart.

Recursion, however, is virtually required for anyone who is planning on operating an internal DNS server, particularly if responses are going to be cached. Most ISPs run a series of internal DNS servers that answer recursively for their paying customers but are hidden from the outside world, to control costs and prevent abuse of the network. A common implementation is to put the server(s) behind a firewall, and tell the DNS server to store successful answers to queries for future use.

In the case of DNS servers that are answering authoritatively for a specific set of domains, you are going to want to have recursion disabled. This will allow people who are looking to resolve your domains to do so, without allowing the unscrupulous to use your servers to resolve other DNS queries and sap your network resources. A common implementation of this is to simply indicate (in the configuration for your DNS server) that you wish to disallow recursion, and leave it at that. The good news is that most DNS server platforms now have recursion disallowed by default, so in some cases you will find that you need to do nothing in order to have a server safe from exploitation by recursive lookups.

Recursive DNS and Your Users

When setting up a new DNS server, always keep your intended user base in mind. A good practice is to have a different DNS server for each role you plan on serving. Internal users get the benefits of recursion and caching; external users get only the answers they need for your own domains, and recursive lookups are denied. Knowing the role the DNS server will serve is critical and will prevent potentially expensive headaches down the road. Trying to mix and match on a single server (particularly when it’s being exposed to the outside world) can be at best confusing for you as an administrator, and at worst, a liability for your whole network.
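The per-role split described above, and the "disallow recursion in the configuration" step from the previous section, as an added example in BIND 9 `named.conf` syntax. These fragments are not from the original post; the addresses, network ranges, zone name and file path are assumed placeholders, and each `options` block belongs in its own server's configuration file.

```conf
// Added example (not from the original post): BIND 9 named.conf fragments
// for the roles discussed above. Addresses, ranges and paths are assumed.

// --- Weak: one public-facing server that recurses for anyone ---
// Any host on the internet can use this server to resolve any name and
// read its cache, which is the exposure the post warns about.
options {
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };
};

// --- Corrected, role 1: internal caching resolver (behind the firewall) ---
acl "internal" { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };   // assumed ranges

options {
    listen-on { 10.0.0.53; };       // assumed internal address only
    recursion yes;                  // recursion and caching for our own users...
    allow-query { internal; };
    allow-recursion { internal; };  // ...and nobody else
    allow-query-cache { internal; };
};

// --- Corrected, role 2: public authoritative server for our own zones ---
options {
    recursion no;                   // refuse lookups for names we are not authoritative for
    allow-query { any; };           // anyone may ask about our zones
    allow-recursion { none; };
    allow-query-cache { none; };    // nothing cached is handed out
    minimal-responses yes;          // smaller answers, less amplification value
};

zone "example.com" {
    type primary;                   // "master" in BIND releases before 9.16
    file "/etc/bind/zones/db.example.com";   // assumed path
};
```

After loading either corrected configuration, `named-checkconf` validates the syntax, and querying the public server for a name outside its zones should return a REFUSED response rather than an answer.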

By Kevin Hutchins, Customer Support at DNSstuff.com
