What is Recursive DNS and why is it not recommended?
Posted by Sean Syed on 14 February 2013 10:58 AM
When you visit a website on the Internet, the computer you use looks up the site's address using a system called DNS. If you are using your home computer to browse the Internet, it requests each website address from your Internet Service Provider (ISP).
Dedicated and Virtual Servers are set up to search for this DNS information themselves. This is perfectly normal and is a commonly used feature for office or cloud networks.
There are two types of DNS queries that can be made to your server, which are as follows:
Why are recursive DNS requests not recommended?
Servers that support this type of request are vulnerable to fake requests sent from a spoofed IP address (the victim of the attack). The victim's address is then overwhelmed by the volume of DNS responses it receives and becomes unable to serve regular Internet traffic. This is called an amplification attack because the method takes advantage of DNS servers to reflect the attack onto a target while also amplifying the volume of packets sent to the victim.
A consequence of this activity is that third-party network administrators who detect these requests may block your IP addresses. Your server could even be placed on DNS blacklists.
What happens if I turn off Recursive DNS lookups on my server?
If your server does not allow recursive DNS lookups, it will treat any such request as an iterative DNS query. It remains a DNS server, but it is no longer useful to attackers as part of an amplification attack on a victim.
How do I turn off Recursive DNS lookups?
Within the Plesk control panel:
Step 1: Log into your Plesk Control panel and click on Settings in the left hand menu.
Step 2: Click the button marked DNS Recursion Settings.
Step 3: Select Allow for Local requests only and click Set.
This stops your server from answering recursive DNS requests from third parties.
For Windows not using the Plesk control panel:
Open the command line and enter the following command:
Replace <Server name> with the name of your server.
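The following PowerShell is an added example and is not the command from the original article. It covers both the Windows step above and the question of what changes once recursion is off: Test-DnsRecursionOffered sends one query with the RD (recursion desired) bit set and reports whether the server replied with RA (recursion available) set, which is what an open resolver does; Disable-DnsRecursion turns recursion off using the Set-DnsServerRecursion cmdlet from the DnsServer module, which assumes the Windows DNS Server role on Windows Server 2012 or later. The function names, the server name ns1.example.com and the query name example.com are constructed for the example.

```powershell
# Added example, not the article's own command. Assumes the DnsServer PowerShell
# module (Windows Server 2012 or later) for Disable-DnsRecursion; the check
# function only needs .NET and can be run from any Windows host.

function Test-DnsRecursionOffered {
    # Sends a single DNS A query with RD=1 and reports whether the reply has RA=1,
    # i.e. whether the server offers recursion to the caller.
    param(
        [Parameter(Mandatory)][string]$Server,
        [string]$Name = 'example.com',     # constructed query name; any public name works
        [int]$TimeoutMs = 3000
    )
    $id = Get-Random -Maximum 65535
    $header = [byte[]]@(
        ($id -shr 8), ($id -band 0xFF),    # transaction id
        0x01, 0x00,                        # flags: RD=1, all other bits 0
        0x00, 0x01,                        # QDCOUNT = 1
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00 # ANCOUNT, NSCOUNT, ARCOUNT = 0
    )
    # Question section: length-prefixed labels, root label, QTYPE=A, QCLASS=IN
    $question = New-Object System.Collections.Generic.List[byte]
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($label)
        $question.Add([byte]$bytes.Length)
        $question.AddRange($bytes)
    }
    $question.AddRange([byte[]]@(0x00, 0x00, 0x01, 0x00, 0x01))
    $packet = [byte[]]($header + $question.ToArray())

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        [void]$udp.Send($packet, $packet.Length, $Server, 53)
        $remote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
        $reply = $udp.Receive([ref]$remote)
    } catch [System.Net.Sockets.SocketException] {
        # No reply within the timeout: the server is not answering UDP/53 from here.
        return [pscustomobject]@{ Server = $Server; Answered = $false; RecursionAvailable = $false; RCode = $null }
    } finally {
        $udp.Close()
    }
    # Header byte 3 carries RA in its top bit and RCODE in the low four bits.
    [pscustomobject]@{
        Server             = $Server
        Answered           = $true
        RecursionAvailable = (($reply[3] -band 0x80) -ne 0)
        RCode              = ($reply[3] -band 0x0F)   # 0 = NOERROR, 5 = REFUSED
    }
}

function Disable-DnsRecursion {
    # Turns recursion off on the local Windows DNS Server role and shows the result.
    Set-DnsServerRecursion -Enable $false
    Get-DnsServerRecursion | Select-Object Enable
}

# Usage (server name is constructed):
#   Test-DnsRecursionOffered -Server 'ns1.example.com'   # run from an outside host, before and after
#   Disable-DnsRecursion                                 # run on the DNS server itself, elevated
```

Run the check from a host outside your own network, because a server that allows recursion for local requests only (the Plesk setting above) will still report RecursionAvailable from inside. After disabling recursion, RecursionAvailable should be False for outside queries while authoritative queries for your own zones still answer normally.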