Whenever you connect to a website over the internet, what you are doing is connecting to a server using an IP address. While you can type www.fasthosts.co.uk and reach the website right away, many things are happening in the background.

Since every server on the internet is reached by a numeric IP address, it would be incredibly difficult to remember one for each website you want to visit. For that reason we use the domain name system (DNS) to map domain names to IP addresses. In our case, fasthosts.co.uk has an IP address of 213.171.195.48, but DNS translates the name for us, so we don't have to remember that string of numbers.

On home broadband or a mobile network, your DNS resolver is normally provided automatically by your internet service provider (ISP) along with the rest of your connection settings. Businesses often run their own recursive resolver, in-house or in a cloud data centre, for performance and for control over what their systems can look up. This is the case with Fasthosts Dedicated Servers and Virtual Private Servers (VPS).

In this article, we are going to cover the two types of DNS query: recursive and iterative. In a recursive DNS lookup, a DNS server (a recursive resolver) takes on the job of contacting other DNS servers to hunt down the requested IP address and delivers the final answer to the client. In an iterative DNS lookup, the party asking the question must itself contact each DNS server in turn until it reaches the one that holds the answer. Learn more below!

Iterative vs recursive DNS

There are two types of DNS query that can be used when performing a DNS lookup.

Recursive DNS

The first is recursive DNS, or DNS recursion. In computer science, recursion means that a function calls itself until a stopping condition is met. The name fits recursive DNS because the resolver keeps issuing queries on the client's behalf, each one prompted by the answer to the last, until it has a final answer: either the IP address or a definitive 'that name does not exist'.

How recursive DNS works

In a recursive DNS lookup, your resolver tries to find the IP address for the domain name you entered. It looks in its own DNS cache first. If the name isn't cached, the resolver does not fall back to 'backup' DNS services; it walks the DNS hierarchy itself. It asks a root server, which doesn't know the address but refers it to the servers for the top-level domain (.uk, .com and so on); those in turn refer it to the authoritative servers for the domain itself, which return the address. The resolver then caches the answer and delivers it to your client device.

The result is a repeating process, each query prompted by the previous answer, that ends only when the final answer is found, hence the name recursive DNS.

Authoritative DNS

Authoritative DNS servers are the last stop in that process. They hold the actual records for a zone (a domain and its hostnames) as published by the domain's owner or their hosting provider, which is why their answers are 'authoritative': they come from the source of truth rather than from a copy in someone's cache. If your resolver can't find a domain's IP address in its own cache, it keeps following referrals until it reaches an authoritative server for the domain and takes its answer from there.

To learn more about authoritative DNS servers and the entire DNS lookup process, check out our in-depth blog post on what DNS is and how it works.

Iterative DNS

Second, we have iterative DNS. In computer science, iteration means repeating a set of instructions until a condition is met. Applied to DNS lookups, it means that the party asking the question repeats the same step, sending its query to the server it was most recently pointed at, until one of those servers gives it the final answer.

How iterative DNS works

In an iterative DNS lookup, the DNS server that receives the query answers only from what it already holds: the zones it is authoritative for, plus its cache if it keeps one. If it doesn't have the answer, it will not go and ask other DNS servers. Instead it returns a referral, effectively 'I don't know, but you could try asking these servers', naming the name servers one level closer to the domain in question.

This stops any chain of further queries from happening inside the server; the querying client must send its question again, to the server named in the referral. This is where the name iterative DNS comes from, as the client rather than the DNS server iterates on the query.

What’s the difference between an iterative and recursive DNS query?

The main difference between iterative and recursive DNS is who does the work. In an iterative query the DNS server hands the client the address of the next server to ask, and the client continues the lookup itself. With recursive DNS the client asks once and waits: the recursive resolver keeps querying other servers, following each referral, until it has an IP address (or a definitive 'no such name') to deliver back. In practice the 'client' doing iterative lookups is almost always a recursive resolver; the stub resolver built into your laptop or phone only ever sends recursive queries and expects a final answer.
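The two processes side by side, as an added illustration that is not code from the original article: a tiny model of the hierarchy (one root server, one top-level-domain server, one authoritative server) in which every server answers only from its own data, a function that follows referrals itself (the iterative lookup), and a recursive resolver that performs that walk on the client's behalf and caches the result for its TTL. The server names, zone data and TTL values are constructed for the example.

```python
"""Toy model of DNS resolution. Added example, not code from the article;
the hierarchy, names, addresses and TTLs below are all constructed."""
import time
from dataclasses import dataclass


@dataclass
class Server:
    name: str
    zones: dict        # zone apex -> {owner name: (address, ttl)} served authoritatively
    delegations: dict  # child zone apex -> name of the server to ask next


def in_zone(qname, apex):
    """True if qname falls under apex (both fully qualified, trailing dot)."""
    return apex == "." or qname == apex or qname.endswith("." + apex)


# Constructed hierarchy: root -> servers for .com -> example.com's own name server.
ROOT = Server(".", {}, {"com.": "tld-server.example."})
TLD = Server("tld-server.example.", {}, {"example.com.": "ns1.example.com."})
AUTH = Server("ns1.example.com.", {"example.com.": {
    "www.example.com.": ("192.0.2.10", 300),
    "example.com.": ("192.0.2.1", 3600)}}, {})
SERVERS = {s.name: s for s in (ROOT, TLD, AUTH)}


def query(server, qname):
    """One iterative query. The server never contacts anyone else: it returns
    ("ANSWER", address, ttl) from a zone it is authoritative for,
    ("REFERRAL", next_server, None) when it only knows who to ask next,
    or ("NXDOMAIN", None, None)."""
    for apex, records in server.zones.items():
        if in_zone(qname, apex):
            if qname in records:
                address, ttl = records[qname]
                return ("ANSWER", address, ttl)
            return ("NXDOMAIN", None, None)
    matches = [apex for apex in server.delegations if in_zone(qname, apex)]
    if matches:
        return ("REFERRAL", server.delegations[max(matches, key=len)], None)
    return ("NXDOMAIN", None, None)


def resolve_iterative(qname, start=ROOT):
    """Iterative lookup: the querier follows each referral itself, starting at
    the root. Returns (address, ttl, list of servers asked in order)."""
    server, path = start, []
    while True:
        path.append(server.name)
        kind, payload, ttl = query(server, qname)
        if kind == "ANSWER":
            return payload, ttl, path
        if kind == "REFERRAL":
            server = SERVERS[payload]
            continue
        return None, None, path


class RecursiveResolver:
    """Recursive lookup as the client sees it: one question, one final answer.
    Internally the resolver does the iterative walk above and caches the
    answer until its TTL expires, so repeat queries cost no upstream traffic."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.cache = {}            # qname -> (address, expiry time)
        self.upstream_queries = 0  # how many servers we have had to ask so far

    def resolve(self, qname):
        now = self.clock()
        cached = self.cache.get(qname)
        if cached and cached[1] > now:
            return cached[0], "cache"
        address, ttl, path = resolve_iterative(qname)
        self.upstream_queries += len(path)
        if address is not None:
            self.cache[qname] = (address, now + ttl)
        return address, "authoritative"


if __name__ == "__main__":
    print(resolve_iterative("www.example.com."))
    resolver = RecursiveResolver()
    print(resolver.resolve("www.example.com."), resolver.resolve("www.example.com."))
```

The real-world equivalent of `resolve_iterative` is `dig +trace www.example.com`, which starts at the root and prints each referral it follows; the second `resolve` call above is the cache hit that makes a recursive resolver fast for everyone after the first person to ask.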

Disadvantages of recursive DNS

Now we understand what recursive DNS and iterative DNS are, we can explain why you should not offer recursion to the whole internet from a server that doesn't need to, in particular the authoritative name server for your own domains.

When a server accepts recursive queries, it will go and fetch an answer from other DNS servers for anyone who asks, and it will send that answer to whatever address the query claimed to come from. DNS normally runs over UDP, which has no handshake, so an attacker can send queries whose source IP address is forged to be the victim's. Every reply then goes to the victim, not the attacker. This is the basis of a type of distributed denial-of-service (DDoS) attack called a DNS amplification (or reflection) attack. The amplification comes from the size difference between request and response: a query is a few dozen bytes, while the attacker picks a name whose response is as large as possible (a domain they control with deliberately bloated records, or a query type such as ANY or DNSSEC-signed data), so each reply can be tens of times larger than the query that provoked it. A recursive server is the ideal reflector because it will look up any name the attacker chooses.

For example, an attacker with a 25 Mbps connection can have a pool of open resolvers deliver many times that at the victim, because every small forged query is turned into a large response that the resolvers send out on their own, much faster, links. The resolvers also carry the load of all those lookups, so their legitimate users see slow or failed resolution, while the victim, buried in answers to questions it never asked, loses connectivity altogether. Either way the result is a denial of service.

This is the problem with open resolvers. An open resolver accepts recursive queries from any address on the internet without checking whether the requester is one of its own users. A closed resolver, by contrast, only recurses for queries that come from a trusted range of client addresses, and either refuses the rest or answers them only for the zones it is authoritative for. Since UDP offers no way to prove where a packet really came from, the source address is the only control the resolver has, which is why open resolvers are so much more useful to attackers than closed ones.
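How to tell which kind you are running, as an added example that is not from the original article: query the server for a name it is not authoritative for (example.com is a constructed choice here; pick any domain you don't host) and read the header that `dig` prints. An open resolver answers with NOERROR and the `ra` (recursion available) flag set; a closed one refuses, or answers without `ra`; if you see `aa` (authoritative answer) without `ra`, the server just happened to be authoritative for the name you chose and you should test with another. The three sample responses below are constructed to match dig's header format, and the live check at the end simply runs dig and feeds its output to the same classifier.

```python
"""Classify a name server as an open resolver from a dig response header.
Added example, not from the article. Sample headers are constructed."""
import re
import subprocess

OPEN_RESOLVER_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4096
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
CLOSED_RESOLVER_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4097
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
AUTH_ONLY_OWN_ZONE_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4098
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""


def parse_header(dig_output):
    """Return (status, set of flags, answer count) from dig's comment lines."""
    status = re.search(r"status: ([A-Z]+)", dig_output)
    flags = re.search(r"^;; flags: ([a-z ]*);", dig_output, re.M)
    answers = re.search(r"ANSWER: (\d+)", dig_output)
    if not (status and flags and answers):
        raise ValueError("no dig header found (timeout or unparsable output)")
    return status.group(1), set(flags.group(1).split()), int(answers.group(1))


def classify(dig_output):
    """'open': the server recursed for a name it does not host.
    'closed': it refused, or answered without offering recursion.
    'authoritative-answer': aa set and ra absent, so the test name was one of
    the server's own zones and tells us nothing about recursion."""
    status, flags, answers = parse_header(dig_output)
    if "aa" in flags and "ra" not in flags:
        return "authoritative-answer"
    if status == "NOERROR" and "ra" in flags and answers > 0:
        return "open"
    return "closed"


def check_server(server, name="example.com"):
    """Live check. +noall +comments prints only the header lines parsed above;
    +norecurse is deliberately not used, since we want to see whether the
    server is willing to recurse. Requires dig and network access."""
    out = subprocess.run(
        ["dig", f"@{server}", name, "A", "+noall", "+comments", "+time=3", "+tries=1"],
        capture_output=True, text=True, check=False).stdout
    return classify(out)


if __name__ == "__main__":
    for label, sample in (("open", OPEN_RESOLVER_SAMPLE),
                          ("closed", CLOSED_RESOLVER_SAMPLE),
                          ("own zone", AUTH_ONLY_OWN_ZONE_SAMPLE)):
        print(label, "->", classify(sample))
```

Run `check_server("ns1.yourdomain.example")` from a host outside your own network; a result of `"open"` on a server that is only meant to serve your zones is exactly the condition the rest of this article tells you to fix.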

How to mitigate a DNS amplification attack

Unfortunately, there aren't many options once an attack is under way. The victim's Internet Service Provider (ISP), overwhelmed by the reflected traffic, often has little recourse but to blackhole all traffic directed to the victim's IP address, which means both malicious and legitimate traffic is lost. The open resolvers used as reflectors don't escape either: their addresses end up on open-resolver lists and may be blocked outright by other networks' administrators.

Before it gets to this point, it's important to set up preventative measures. The most effective is to disable recursion on any server that doesn't need it, or restrict it to your own clients, so that your server can't be used as an amplifier; we'll discuss this in more detail below. Modern name servers also support response rate limiting (RRL), which caps how many identical responses are sent to one address per second and blunts reflection even on authoritative servers. Beyond your own configuration, we'd also recommend choosing a hosting provider that offers DDoS protection. Anti-DDoS systems monitor network traffic to distinguish normal from suspicious activity, and use techniques like traffic filtering, rate limiting and IP bans to mitigate threats once they're spotted.

Can I disable recursive DNS on my server?

To stop your server being abused in a DNS amplification attack, you can turn recursion off entirely. With recursion disabled the server answers only for the zones it is authoritative for and refuses (or at most refers) everything else; it will never go and fetch records from other servers on a stranger's behalf, so an attacker can't steer it towards bloated records or use it to flood a third party. If the same server also acts as the resolver for your own hosts, restrict recursion to their addresses instead of disabling it outright, or those hosts will lose name resolution.
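What that looks like in BIND's named.conf, as an added example that is not configuration from the article or from Fasthosts: the weak form is the open resolver described above; the first corrected form is for a server that only needs to serve your own zones, the second for a resolver that should recurse for your own hosts and nobody else. The address ranges in the trusted ACL are placeholders to replace with your own.

```conf
// WEAK: recursion on and no restriction on who may use it.
// Anyone on the internet can have this server look up any name,
// which is what makes it an open resolver.
options {
    recursion yes;
    allow-query { any; };
};

// CORRECTED, authoritative-only server (hosts your zones, resolves nothing):
options {
    recursion no;                 // refuse to recurse for anyone
    allow-query { any; };         // still answer queries for zones we host
    allow-transfer { none; };     // zone transfers only where explicitly allowed
    // Response rate limiting (BIND 9.10 and later): cap identical responses
    // to the same client so the server is a poor reflector even for its own zones.
    rate-limit {
        responses-per-second 10;
    };
};

// CORRECTED, resolver for your own hosts only (recursion stays on, but gated):
acl "trusted" { 192.0.2.0/24; 2001:db8::/32; localhost; };   // placeholder ranges
options {
    recursion yes;
    allow-recursion { "trusted"; };   // only these sources get recursive service
    allow-query-cache { "trusted"; }; // and only they may read cached answers
    allow-query { any; };             // everyone else is answered from our own zones only
};
```

Validate the file with `named-checkconf` before reloading, then re-run the dig check from outside your network: the authoritative-only server should now return REFUSED for a name you don't host, and the gated resolver should do the same for any source outside the trusted ACL.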

This can also protect you from being added to an open-resolver blocklist, or having your traffic blocked by third-party network administrators. As you can imagine, having that traffic blocked results in connectivity problems for your own digital services.

Advantages of recursive DNS

There are some good reasons to use recursive DNS, despite the risk it can pose.

First, recursive DNS is typically much faster for the client than iterative DNS. A recursive resolver caches the answers to recent queries, so when another user asks for the same hostname the answer comes straight from the cache in a single round trip, instead of the three or more needed to walk from the root to the authoritative server.

This DNS cache does have limits, however. Every answer held in the cache carries a Time To Live (TTL), set by whoever publishes the domain's records. The TTL is how long the answer may be served from cache before the resolver must discard it and fetch a fresh copy from the authoritative DNS server.

In summary, an authoritative-only (iterative) server is slower for whoever has to do the walking, but it has no cache to poison and can't be steered into fetching arbitrary records, which makes it a poor amplifier (any UDP service can still be used for reflection, which is what response rate limiting is for). Recursive DNS can be significantly faster, but it must be offered only to clients you trust. The question is not whether to use recursion, which every network needs somewhere, but who you allow to use yours: is the convenience of an open resolver worth the risk of having your IP address blocked by third parties, or blocklisted altogether, when an attacker exploits your servers?


Start building your web presence with award-winning Fasthosts Web Hosting! Get in touch with sales on 0808 1686 777, or via email at sales@fasthosts.co.uk to get started.