Knowledgebase: Security and Hack
What is Recursive DNS and why is it not recommended?
Posted by Sean Syed on 14 February 2013 10:58 AM

When you visit a website on the Internet, the computer you use will find the address of the site using a system called DNS. If you are using your home computer to browse the internet, it will request each website address from your Internet Service Provider (ISP).

Dedicated and Virtual Servers are set up to search for this DNS information themselves. This is perfectly normal and is a commonly used feature for office or cloud networks.

There are two types of DNS queries that can be made to your server, which are as follows:

  • Recursive requests: With these requests your server will first attempt to find the name in question in its local cache. If it cannot find an answer it will query other DNS servers on your behalf until it finds the address, and then answer the original request with the result it obtained.
  • Iterative requests: With these requests the DNS server will attempt to find the name in question in its local cache. If it cannot find an answer it will not ask other DNS servers, but will reply to the original request with a single “I don’t know, but you could try asking this server” message (a referral).

Why are recursive DNS requests not recommended?

Servers that answer this type of request from anyone on the Internet are vulnerable to forged requests whose source IP address is spoofed to be that of the victim of the attack; the server's replies are then delivered to the victim, which can be overwhelmed by the volume of DNS responses it receives and become unable to serve regular Internet traffic. This is called an Amplifier attack because the method takes advantage of DNS servers to reflect the attack onto a target while also amplifying the volume of packets sent to the victim.

A consequence of this activity is that third-party network administrators who detect these requests may block your IP addresses. Your server could even be placed on DNS blacklists.

What happens if I turn off Recursive DNS lookups on my server?

If recursive DNS lookups are disabled on your server, it will simply treat any such request as an iterative DNS query. It will still function as a DNS server for the zones it hosts, but it will no longer be useful to attackers as part of an amplified attack on a victim.
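The difference between the two behaviours above is visible in the DNS reply header: a server willing to recurse for the client answers with the RA (recursion available) flag set, while a server that has recursion turned off leaves RA clear and typically answers REFUSED or with a referral. The following Python script is an added example for this article, not code from Plesk, Windows DNS or any other product. It builds a standard query with the RD (recursion desired) flag set, decodes the reply header, and reports whether recursion was offered and how many bytes the reply carries per byte of query. The sample replies are constructed by hand (the 192.0.2.1 address is from the documentation range), and check_server is an optional helper for querying your own server from outside its local networks after changing the setting.

```python
"""Check whether a DNS server advertises recursion (added example)."""
import socket
import struct
import sys

DNS_PORT = 53
RCODE_REFUSED = 5


def encode_name(name: str) -> bytes:
    """Encode 'example.com' as DNS labels: \\x07example\\x03com\\x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Build a one-question DNS query (qtype 1 = A record, class IN)."""
    flags = 0x0100 if rd else 0x0000  # QR=0, opcode=0, RD bit set
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(response: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields relevant here."""
    if len(response) < 12:
        raise ValueError("response too short for a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),      # reply, not a query
        "rd": bool(flags & 0x0100),      # RD copied back from the query
        "ra": bool(flags & 0x0080),      # server offers recursion
        "rcode": flags & 0x000F,         # 0 = NOERROR, 5 = REFUSED
        "questions": qd, "answers": an, "authority": ns, "additional": ar,
    }


def recursion_offered(response: bytes) -> bool:
    """True when a valid reply sets RA and was not refused outright."""
    h = parse_header(response)
    return h["qr"] and h["ra"] and h["rcode"] != RCODE_REFUSED


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes delivered to the (possibly spoofed) source per byte sent."""
    return len(response) / len(query)


# Constructed sample packets for the offline demonstration.
SAMPLE_QUERY = build_query("example.com")
SAMPLE_OPEN_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR, RD, RA, NOERROR
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)
SAMPLE_REFUSED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)   # QR, RD, RA clear, REFUSED
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
)


def check_server(host: str, name: str = "example.com", timeout: float = 2.0) -> dict:
    """Send one UDP query to your own server and summarise what it advertises."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (host, DNS_PORT))
        reply, _ = s.recvfrom(4096)
    return {
        "header": parse_header(reply),
        "recursion_offered": recursion_offered(reply),
        "amplification": amplification_factor(query, reply),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_server(sys.argv[1]))
    else:
        print("open:", recursion_offered(SAMPLE_OPEN_RESPONSE),
              "refused:", recursion_offered(SAMPLE_REFUSED_RESPONSE))
```

Run it with your server's public IP address as the only argument from a host outside the server's local networks; after recursion is restricted, recursion_offered should be False for that host while it stays True when queried from the server itself or its local network.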

How do I turn off Recursive DNS lookups?

Within the Plesk control panel:

Step 1: Log into your Plesk Control panel and click on Settings in the left hand menu.

Step 2: Click the button marked DNS Recursion Settings.

Step 3: Select Allow for Local requests only and click Set.

This will stop your server from answering recursive DNS requests that come from third parties; requests from your own server and its local network are still answered.

For Windows not using the Plesk control panel:

Open the command line and enter the following command:
dnscmd <Server name> /Config /NoRecursion 1

Replace <Server name> with the name of your server. The change applies to the Windows DNS Server service; queries from outside will then receive an iterative (non-recursive) reply.
