Frequently Asked Questions

What risks are associated with recursive DNS queries?

Print this Article
Last Updated: April 12, 2013 11:10 PM

There are two types of DNS queries: iterative and recursive.

NOTE: We do not allow recursive DNS to run on dedicated or Virtual Private Servers (VPS) unless it runs locally and for a specific IP range. If we find your server running an improper configuration of recursive DNS, we will exercise our right to suspend your account. The account will remain suspended until arrangements are made to turn off recursive DNS.

Iterative
Iterative DNS queries are ones in which a DNS server is queried and returns an answer without querying other DNS servers, even if it cannot provide a definitive answer. Iterative queries are also called non-recursive queries.
Recursive
Recursive DNS queries occur when a DNS client requests information from a DNS server that is set to query subsequent DNS servers until a definitive answer is returned to the client. The queries made to subsequent DNS servers from the first DNS server are iterative queries.

Recursive DNS query risks

A DNS server that supports recursive resolution is vulnerable to DOS (denial of service) attacks, DNS cache poisoning, unauthorized use of resources, and root name server performance degradation.

DOS attacks
Servers supporting recursive DNS queries are vulnerable to phony requests that flood a particular IP address with the results of each server's query. This can overwhelm the IP address with a volume of traffic too large to be processed.
DNS cache poisoning
Cache poisoning results from someone tricking a DNS server into believing that a fake DNS query response is authentic. Because responses are normally cached, this false information can be distributed to users of that server.
Unauthorized use of resources
With recursive DNS queries enabled, a server is more easily hijacked and its performance compromised.
Root name server performance degradation
When DNS servers are not configured correctly, queries using RFC1918 addressing (also known as "private" addressing) may be leaked to the root name servers, causing a degradation in service for legitimate queries to those servers.

Disabling recursive DNS