What is Recursive DNS and why is it not recommended?

When you visit a website on the Internet, the computer you use will find the address of the site using a system called DNS. If you are using your home computer to browse the internet, it will request each website address from your Internet Service Provider (ISP).

Dedicated and Virtual Servers are set up to search for this DNS information themselves. This is perfectly normal and is a commonly used feature for office or cloud networks.

There are two types of DNS queries that can be made to your server, which are as follows:

    Recursive requests: With these requests your server will first attempt to find the website in question in its local cache. If it cannot find an answer it will query other DNS servers on your behalf until it finds the address. It then responds to the original request with the final answer it obtained from those servers.
    Iterative requests: With these requests the DNS server will attempt to find the website in question in its local cache. If it cannot find an answer it will not ask other DNS servers on your behalf but will reply to the original request with a single “I don’t know, but you could try asking this server” message (a referral).

Why are recursive DNS requests not recommended?

Servers that answer recursive requests from anyone are vulnerable to fake requests sent from a spoofed IP address (that of the victim of the attack). The victim's address can be overwhelmed by the volume of DNS responses it receives and become unable to serve regular Internet traffic. This is called an amplification attack because the method takes advantage of DNS servers to reflect the traffic onto a target while also amplifying the volume of packets sent to the victim, since each small query produces a much larger response.

A consequence of this activity is that third-party network administrators who detect these requests may block your IP addresses. Your server could even be placed on DNS blacklists.

What happens if I turn off Recursive DNS lookups on my server?

If your server doesn't enable recursive DNS lookups, it will simply treat any such requests as an iterative DNS enquiry. It will continue to act as a DNS server, but will no longer be useful to attackers as part of an amplification attack on a victim.
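One way to verify the setting on a server you administer after you change it, as an added example that is not from the original article: the script below sends a single DNS query with the RD (recursion desired) bit set and reads the RA flag and response code from the reply, which tells you whether the server will recurse for arbitrary clients. The probe name example.com, the default server address 127.0.0.1 and the verdict strings are assumptions of this example.

```python
# Added example (not from the original article): check whether a DNS server you
# administer still performs recursion for arbitrary clients ("open resolver").
import socket
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query packet (RFC 1035 wire format) with RD=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, IN

def classify_response(resp):
    """Classify a reply from its 12-byte DNS header."""
    if len(resp) < 12:
        return "malformed"
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if not flags & 0x8000:
        return "not-a-response"  # QR bit clear: this is a query, not a reply
    ra = bool(flags & 0x0080)  # RA: recursion available to this client
    rcode = flags & 0x000F
    if rcode == 5:
        return "recursion-refused"  # REFUSED: server declines to recurse for us
    if ra and rcode == 0 and an > 0:
        return "open-recursive"  # answered a name it is not authoritative for
    if not ra:
        return "recursion-unavailable"  # iterative/authoritative behaviour only
    return "rcode-%d" % rcode

def check_server(server, name="example.com.", timeout=3.0):
    """Send the probe over UDP port 53 and classify the reply (needs network)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (server, 53))
        resp, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "no-reply"
    finally:
        sock.close()
    return classify_response(resp)

if __name__ == "__main__":
    import sys
    # Assumed default: probe the local resolver; pass your server's IP instead.
    print(check_server(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it with your server's IP address as the argument; a server with recursion disabled should report recursion-refused or recursion-unavailable rather than open-recursive.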
