Tuesday, April 17, 2012

Recursive DNS

Source: http://unix.stackexchange.com/questions/24383/what-is-a-recursive-dns-query

A recursive DNS query happens when the DNS server you asked for the address of, say, unix.stackexchange.com doesn't know the answer itself, so it has to check with another server.
Normally this is actually how DNS works -- the DNS server of your ISP does not have the entire internet's domain records permanently memorized for obvious reasons, so the following exchange happens under the hood:
You: Hey, browser, show me http://unix.stackexchange.com
Browser: Sure thing! ... Hm. I don't actually know what IP address that is. Hey, OS, can you tell me where to find unix.stackexchange.com?
OS: Sure thing... Hmm. It's not in my own hosts file. Lemme just check my resolver configuration... Hey, ISP's DNS server, can you tell me where to find unix.stackexchange.com ?
ISP's DNS server: Sure thing! ... Hmmm. That one isn't in my list of authoritative domains, and right now I don't have that answer cached. Hey, internet root servers, can you tell me who is authoritative for stackexchange.com ?
Internet Root Servers: Sure thing! According to our records, you want ns1.serverfault.com, ns2.serverfault.com, or ns3.serverfault.com.
ISP's DNS server: Thanks, Internet Root Servers! Hi there, ns2.serverfault.com, can you tell me where to find unix.stackexchange.com ?
ns2.serverfault.com: Sure thing! That's address
ISP's DNS server: Great, thanks! OS, the number you're looking for is
OS: Great, thanks! Browser, you need address
Browser: Great, thanks! Okay, calling up the page now.
You: Yay, thanks Browser!
Now bear in mind that there are actually two types of name servers queried here -- authoritative DNS servers (the so-called "root" servers that told your ISP's DNS server where to find SE.com's DNS server, and SE.com's authoritative DNS server) and recursing or forwarding DNS servers (your ISP's DNS server).
Normally, the former type is not supposed to respond to recursive queries, especially not from outside their own domain. Smaller ISPs sometimes save on costs by having their primary authoritative name server be the same server as their primary forwarding name server, but that's a somewhat unsafe policy - especially if you don't configure your server to refuse recursive queries from outside your own IP range.
TL;DR: Recursive queries are part of the way the internet and DNS work, but not all DNS servers should be receiving recursive queries, and when the ones that shouldn't respond do respond you can get problems.
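The check the answer above implies, as an added example that is not part of the quoted answer or the Stack Exchange post: send a query with the RD (recursion desired) bit set and look at the RA (recursion available) bit and RCODE of the reply. A server that sets RA for a client outside its own network is an open recursive resolver; a server that answers REFUSED, or clears RA, is declining to recurse for that client. The three replies in `demo()` are constructed in the script so it runs offline; `probe_udp()` sends the same query to a real server on UDP/53 and is the part you would actually point at your own name server from an outside address. The server names, IP addresses and TTL in the sample data are assumptions.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
QR = 0x8000   # message is a response
AA = 0x0400   # authoritative answer
RD = 0x0100   # recursion desired (set by the client)
RA = 0x0080   # recursion available (set by the server)
RCODE_MASK = 0x000F
RCODE_REFUSED = 5


def encode_name(name):
    """Encode 'unix.stackexchange.com' as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=0x1234, recursion_desired=True):
    """Build a wire-format A query; RD set means 'please recurse for me'."""
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(msg):
    """Return the header fields a recursion check cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "txid": txid,
        "is_response": bool(flags & QR),
        "aa": bool(flags & AA),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & RCODE_MASK,
        "answers": an,
    }


def classify(hdr):
    """Say what the server told us about recursion for this client."""
    if not hdr["is_response"]:
        return "not-a-response"
    if hdr["rcode"] == RCODE_REFUSED:
        return "refused"                 # server declined to serve us at all
    if hdr["ra"]:
        return "recursion-available"     # open resolver if we are not a permitted client
    return "recursion-not-available"     # authoritative-only behaviour


def build_response(query, flags, answer_ip=None):
    """Construct a reply to `query` for the offline demo (assumed data, not real server output)."""
    txid = struct.unpack("!H", query[:2])[0]
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    msg = header + query[12:]  # echo the question section
    if answer_ip:
        # NAME as compression pointer to offset 12, TYPE A, CLASS IN, TTL 300, RDLENGTH 4
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(answer_ip)
    return msg


def probe_udp(server, name="unix.stackexchange.com", timeout=3.0):
    """Send the query to a live server on UDP/53 and classify its reply (needs network)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(512)
    hdr = parse_header(data)
    if hdr["txid"] != parse_header(query)["txid"]:
        return "txid-mismatch"
    return classify(hdr)


def demo():
    """Classify three constructed replies to one recursive query."""
    query = build_query("unix.stackexchange.com")
    # constructed sample replies (assumed addresses from the documentation range):
    open_resolver = build_response(query, QR | RD | RA, answer_ip="203.0.113.10")
    refused = build_response(query, QR | RD | RCODE_REFUSED)
    auth_only = build_response(query, QR | RD)  # no RA: server will not recurse for us
    return {
        "open_resolver": classify(parse_header(open_resolver)),
        "refused": classify(parse_header(refused)),
        "authoritative_only": classify(parse_header(auth_only)),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

Run `probe_udp("your.name.server")` from a host outside your own address range: "recursion-available" on an authoritative server is the unsafe configuration the answer warns about. On BIND 9 the fix is an `allow-recursion { ... };` list naming only your own networks (or `recursion no;` on a purely authoritative server), after which the same probe returns "refused" or "recursion-not-available".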
