Whenever you connect to a website over the internet, what you are doing is connecting to a server using an IP address. While you can type www.fasthosts.co.uk and reach the website right away, many things are happening in the background.

Since each server on the internet is reached by a numeric IP address, it would be incredibly difficult to remember the individual address of every website you want to visit. For that reason, we use the domain name system (DNS) to map human-readable domain names to IP addresses. In our case, fasthosts.co.uk has an IP address of 213.171.195.48, but DNS performs that translation for us, so we don't have to remember the string of numbers.

On home broadband or a mobile network, the resolver that does these lookups for you is normally provided automatically by your internet service provider (ISP). In an enterprise, the resolver is more often run in-house or in the cloud data centre that hosts the rest of the infrastructure, which keeps lookups close to the clients that make them and under the organisation's own control. This is also the case with Fasthosts Dedicated Servers and Virtual Private Servers (VPS).

In this article, we are going to cover two types of DNS process: recursive DNS and iterative DNS.

Iterative vs recursive DNS

There are two types of DNS query that can be used when performing a lookup.

Recursive DNS

The first is a recursive query. The client (for example the stub resolver built into your operating system) sends the query with the 'recursion desired' (RD) flag set and expects a complete answer back. The resolver first checks its own cache. If there is no cached answer, it works down the DNS hierarchy on the client's behalf: it asks a root server, which refers it to the servers for the top-level domain (.uk in our example), which in turn refer it to the authoritative servers for fasthosts.co.uk. That chain of queries continues until an answer is obtained, and only the final answer is delivered to the client device.

The resolver takes on the whole job of finding the answer, following each referral in turn, hence the name recursive DNS.

Authoritative DNS

Authoritative DNS servers sit at the end of that chain. They hold the actual zone data, the records that the domain's owner publishes, for the domains they serve, which is what makes them 'authoritative'. The root and top-level-domain servers are authoritative for their own zones too, but for a name such as fasthosts.co.uk the final answer comes from the servers that the domain's operator runs or has delegated to. If your resolver can't find a domain's IP address in its own cache, it keeps following referrals until it receives an answer from the authoritative server for that domain.

Iterative DNS

Second, we have the iterative query. Here the server being asked does not chase the answer on the client's behalf. If it already has the answer, either in its cache or because it is authoritative for the name, it returns it. Otherwise it returns a referral, effectively 'I don't know, but you could try asking these servers', naming the name servers it knows for the closest enclosing zone.

No recursion happens on the server side. The client must send a fresh query to a server named in the referral, and repeat until it reaches an answer. This is where the name iterative DNS comes from: the client iterates on its query, not the DNS service. It is also the mode a recursive resolver itself uses when it talks to the root, top-level-domain and authoritative servers, so the two query types are really the two halves of a single lookup.
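The lookup described above, as an added example written for this article (it is not code from Fasthosts or from any real resolver): three constructed authoritative servers each answer iteratively, returning an answer, a referral or a refusal from their own zone data only, while a recursive resolver chases the referrals on the client's behalf. The zone names follow the article's example; the IP addresses and name-server names are made up and nothing is sent on the network.

```python
"""Toy model of a DNS lookup: authoritative-only servers answer iteratively
(answer, referral or refusal) and a recursive resolver follows the referrals."""

# Constructed zone data (addresses from the 192.0.2.0/24 documentation range,
# name servers invented for the example). Each server knows only its own zone
# and the delegations immediately below it, exactly like a real authoritative server.
AUTH_SERVERS = {
    "192.0.2.1": {                       # stand-in for a root server
        "zone": ".",
        "delegations": {"uk.": {"ns.nic.uk.": "192.0.2.10"}},
        "records": {},
    },
    "192.0.2.10": {                      # stand-in for the .uk servers
        "zone": "uk.",
        "delegations": {"fasthosts.co.uk.": {"ns1.fasthosts.co.uk.": "192.0.2.20"}},
        "records": {},
    },
    "192.0.2.20": {                      # stand-in for the domain's own authoritative server
        "zone": "fasthosts.co.uk.",
        "delegations": {},
        "records": {"www.fasthosts.co.uk.": "192.0.2.30", "fasthosts.co.uk.": "192.0.2.30"},
    },
}

ROOT_SERVER = "192.0.2.1"


def in_zone(name, zone):
    """True if `name` lies inside `zone` (both fully qualified, trailing dot)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def ask_iterative(server_ip, qname):
    """One iterative query. The server never asks anyone else on the client's behalf:
    it answers from what it holds, refers the client onwards, or refuses."""
    srv = AUTH_SERVERS[server_ip]
    if not in_zone(qname, srv["zone"]):
        return ("REFUSED", None)          # not my zone, and I will not recurse for you
    if qname in srv["records"]:
        return ("ANSWER", srv["records"][qname])
    for child_zone, nameservers in srv["delegations"].items():
        if in_zone(qname, child_zone):
            return ("REFERRAL", nameservers)   # "I don't know, try these servers"
    return ("NXDOMAIN", None)              # inside my zone, but the name does not exist


def resolve_recursively(qname, root_ip=ROOT_SERVER, max_hops=8):
    """What a recursive resolver does for a client: start at the root and follow
    referrals until an answer (or a definitive failure) comes back.
    Returns (ip_or_None, trace) where trace lists (server, response_kind)."""
    trace = []
    server = root_ip
    for _ in range(max_hops):
        kind, data = ask_iterative(server, qname)
        trace.append((server, kind))
        if kind == "ANSWER":
            return data, trace
        if kind == "REFERRAL":
            server = next(iter(data.values()))   # take the first name server's glue address
            continue
        return None, trace                        # REFUSED or NXDOMAIN: give up
    raise RuntimeError("too many referrals for %s (delegation loop?)" % qname)


if __name__ == "__main__":
    ip, trace = resolve_recursively("www.fasthosts.co.uk.")
    for server, kind in trace:
        print(f"{server:12} -> {kind}")
    print("final answer:", ip)
```

Run as a script, the trace shows the resolver being referred twice before the domain's own server answers; asking the domain server directly for a name outside its zone returns REFUSED, which is the behaviour you want from a server that does not offer recursion.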

Why should you not use recursive DNS?

Now we understand what recursive DNS and iterative DNS are, we can explain why you should avoid offering recursion to the whole internet from your server.

A recursive resolver does work on behalf of whoever asks it, and it sends its answer back to whatever source IP address the query carried. DNS normally runs over UDP, and UDP does not verify source addresses, so an attacker can send queries whose source address is forged to be the victim's. The resolver then sends every response to the victim. Because a DNS response is usually far larger than the query that triggered it (a query of a few dozen bytes can return a response of several thousand bytes, for example for a query type that returns many records or a large DNSSEC-signed record set), the attacker's bandwidth is multiplied many times over. This is a DNS amplification attack, and an open recursive resolver is the reflector that makes it work.

For example, an attacker with a 25 Mbps connection who finds queries with a 30x amplification ratio can direct roughly 750 Mbps at the victim, and none of that traffic appears to come from the attacker. The resolver itself suffers as well: it answers a flood of queries, recursing outwards to authoritative servers for every name it does not have cached, so it can be overloaded and its address can end up blocked by the networks it is flooding.

This is a problem with open resolvers. An open resolver accepts recursive queries from any address on the internet without checking that the requester is one of its own clients. A closed resolver only performs recursion for trusted clients, such as your own address ranges, and answers everyone else with a refusal. In summary, open resolvers are far more likely to be abused in distributed denial-of-service (DDoS) attacks than closed resolvers, because they trust all incoming traffic and the responses they generate are aimed at whoever the attacker chooses.

Can I disable recursive DNS on my server?

To avoid being abused as a reflector, you can disable recursion on any server that does not need to provide it, which is the normal setup for a server that is only authoritative for its own domains. Such a server still answers queries for the zones it hosts, but returns REFUSED, with the 'recursion available' (RA) flag clear, for anything else, so there is no recursion for an attacker to trigger. In BIND this is the `recursion no;` option, or `allow-recursion` restricted to your own address ranges; other DNS servers have an equivalent setting.

This can also protect you from being listed as an open resolver and having your traffic blocked or rate-limited by third-party network administrators. As you can imagine, having that traffic blocked causes connectivity problems for your own digital services.
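The following added Python example, written for this article rather than taken from Fasthosts or any DNS software, shows at the protocol level both where the amplification above comes from and what the 'is my server an open resolver?' check looks for. It encodes a real RFC 1035 query, parses the header flags (RD, RA and RCODE), and compares the query size with constructed responses: a small answer, a large record set, and the REFUSED reply a closed resolver sends. The addresses, record counts and TTL are made up for the demonstration.

```python
"""Minimal RFC 1035 wire-format encoder/decoder used to measure DNS amplification
and to classify a resolver as open or closed from its response header."""
import struct

RCODE_NOERROR = 0
RCODE_REFUSED = 5

FLAG_QR = 0x8000   # response (vs. query)
FLAG_RD = 0x0100   # recursion desired (set by the client)
FLAG_RA = 0x0080   # recursion available (set by the server)


def encode_name(qname):
    """'fasthosts.co.uk.' -> b'\\x09fasthosts\\x02co\\x02uk\\x00'"""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, recursion_desired=True):
    """A normal client query: 12-byte header, one question, RD set (type 1 = A, class 1 = IN)."""
    flags = FLAG_RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the fixed header; the flag bits are what `dig` prints as 'qr rd ra'."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def build_response(query, answer_ips, ttl=300, recursion_available=True, rcode=RCODE_NOERROR):
    """Constructed response: echoes the question and appends one A record per address.
    Each record uses a 2-byte compression pointer (0xc00c) to the question name."""
    hdr = parse_header(query)
    flags = FLAG_QR | (FLAG_RD if hdr["rd"] else 0) | (FLAG_RA if recursion_available else 0) | rcode
    question = query[12:]
    answers = b""
    for ip in answer_ips:
        rdata = bytes(int(octet) for octet in ip.split("."))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", hdr["id"], flags, 1, len(answer_ips), 0, 0)
    return header + question + answers


def amplification_factor(query, response):
    """Bytes the reflector sends to the victim per byte the attacker sends."""
    return len(response) / len(query)


def is_open_resolver(response):
    """Open resolver: it answered our recursive query with RA set and no error."""
    h = parse_header(response)
    return h["qr"] and h["ra"] and h["rcode"] == RCODE_NOERROR


if __name__ == "__main__":
    q = build_query("fasthosts.co.uk.")
    small = build_response(q, ["192.0.2.30"])
    big = build_response(q, ["192.0.2.30"] * 40)          # constructed large record set
    refused = build_response(q, [], recursion_available=False, rcode=RCODE_REFUSED)
    for label, r in (("one record", small), ("40 records", big), ("REFUSED", refused)):
        print(f"{label:11} {len(r):4} bytes  x{amplification_factor(q, r):5.2f}  open={is_open_resolver(r)}")
```

The 33-byte query grows to a 673-byte response when the answer carries forty records, a factor of about 20, while the REFUSED reply from a closed resolver is the same size as the query, so it gives an attacker nothing. Against a live server the same check is `dig @your-server fasthosts.co.uk +recurse`: if the flags line shows `ra` and the status is `NOERROR` for a name you are not authoritative for, recursion is open.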

When should you use recursive DNS?

There are some good reasons to use recursive DNS, despite the risk it can pose.

First, a recursive resolver is typically much faster for its clients. The client sends a single query and gets a single answer, and the resolver caches recent answers and shares them between all the clients it serves. When another user asks for the same hostname, the result is pulled straight from the cache, with no trip to the root, top-level-domain and authoritative servers, resulting in much faster delivery of the final answer.

This DNS cache does have limitations, however. Every answer carries a Time To Live (TTL), set by the administrator of the zone it came from, which is the number of seconds the answer may be kept in the cache. The resolver serves the cached answer, with the remaining TTL counting down, until it expires; the next query for that name then has to be sent back to the authoritative DNS server for a fresh answer.
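An added example of the cache behaviour described above (example code written for this article, not Fasthosts software): a resolver cache that honours the TTL, hands back cached answers with the remaining TTL, and goes back to the authoritative server once the entry has expired. The clock is injectable and simulated in the walk-through so expiry can be shown without waiting, and the answer and TTL returned by the stand-in 'authoritative server' are constructed (the address is the one quoted for fasthosts.co.uk earlier in the article).

```python
"""TTL-honouring positive cache of the kind a recursive resolver keeps."""
import time


class ResolverCache:
    def __init__(self, clock=time.monotonic, max_ttl=86400):
        self._clock = clock           # injectable so tests can simulate time passing
        self._max_ttl = max_ttl       # cap on how long any answer may be kept (one day here)
        self._entries = {}            # (name, type) -> (rdata, absolute expiry time)

    def store(self, name, rtype, rdata, ttl):
        """Record an answer from an authoritative server together with its expiry."""
        ttl = min(int(ttl), self._max_ttl)
        self._entries[(name.lower().rstrip("."), rtype)] = (rdata, self._clock() + ttl)

    def lookup(self, name, rtype):
        """Return (rdata, remaining_ttl) on a hit, or None on a miss.
        Expired entries are purged on access so they are never served stale."""
        key = (name.lower().rstrip("."), rtype)
        entry = self._entries.get(key)
        if entry is None:
            return None
        rdata, expires_at = entry
        remaining = expires_at - self._clock()
        if remaining <= 0:
            del self._entries[key]
            return None
        return rdata, int(remaining)


class FakeClock:
    """Simulated monotonic clock so the walk-through can jump forward in time."""
    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def walk_through():
    """Three lookups of the same name: fresh, served from cache, and refreshed after
    the TTL runs out. Returns the three results and how many times the resolver had
    to go to the (constructed) authoritative server."""
    clock = FakeClock()
    cache = ResolverCache(clock=clock)
    authoritative_queries = 0

    def resolve(name):
        nonlocal authoritative_queries
        hit = cache.lookup(name, "A")
        if hit is not None:
            return hit
        authoritative_queries += 1
        rdata, ttl = "213.171.195.48", 300      # constructed authoritative answer with a 300 s TTL
        cache.store(name, "A", rdata, ttl)
        return rdata, ttl

    first = resolve("fasthosts.co.uk")          # miss: fetched from the authoritative server
    clock.advance(120)
    second = resolve("fasthosts.co.uk")         # hit: same data, 180 s of TTL left
    clock.advance(200)                          # 320 s after the first answer: expired
    third = resolve("fasthosts.co.uk")          # miss again: fetched afresh
    return first, second, third, authoritative_queries


if __name__ == "__main__":
    print(walk_through())
```

The second lookup is answered with the remaining 180 seconds of TTL rather than the original 300, which is what a real resolver does so that a downstream cache cannot extend the zone owner's chosen lifetime; the third, 320 seconds in, goes back to the authoritative server because the entry has expired.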

In summary, a server that only answers iteratively is slower for clients, since each of them has to do the work of following referrals or rely on some other resolver, but it is of little use to an attacker: it answers only for the zones it hosts, refuses everything else, and holds no cache that could be poisoned. A recursive resolver can be significantly faster, but the risk of exposing it should be weighed before you turn it on. Is the speed boost worth the risk of having your IP address blocked by third parties, or listed as an open resolver, if an attacker abuses your servers?


Start building your web presence with award-winning Fasthosts hosting! Get in touch with sales on 0808 1686 777, or via email at sales@fasthosts.co.uk to get started.