
Can someone explain in short what "recursive DNS query" means and how it can be considered bad?

sr_
LanceBaynes
  • I knew who wrote this just from the title. I don't know why you keep posting DNS stuff here, but this isn't Unix/Linux specific at all. Personally I think it's a decent question, but it's not on-topic here, and I don't think we have another site in the network that wants it – Michael Mrozek Nov 11 '11 at 14:54
  • Is this really off-topic here? Considering probably 90% of the world's DNS servers run on Unix/Linux? Perhaps the question could have been reworded: "How can I configure my DNS server to answer recursive queries, and why should I avoid doing this?" but is that really "off-topic?" Just curious. – gabe. Dec 05 '11 at 21:54
  • It could arguably be considered a better fit on security.stackexchange.com, but I don't see any real reason to reject it here outright... – Shadur-don't-feed-the-AI Dec 06 '11 at 08:01

2 Answers


TL;DR: Recursive queries are part of the way the internet and DNS work, but not all DNS servers should be receiving recursive queries, and when the ones that shouldn't respond do respond you can get problems.

Longer version:

Recursion, n: See under Recursion.

A recursive DNS query happens when the DNS server you asked for the address of, say, unix.stackexchange.com doesn't know the answer itself, so it has to check with another server.

Normally this is actually how DNS works -- the DNS server of your ISP does not have the entire internet's domain records permanently memorized for obvious reasons, so the following exchange happens under the hood:

  1. You: Hey, browser, show me http://unix.stackexchange.com

  2. Browser: Sure thing! ... Hm. I don't actually know what IP address that is.

    Hey, OS, can you tell me where to find unix.stackexchange.com?

  3. OS: Sure thing...

    Hmm. It's not in my own hosts file. Lemme just check my resolver configuration...

    Hey, ISP's DNS server, can you tell me where to find unix.stackexchange.com?

  4. ISP's DNS server: Sure thing!

    ... Hmmm. That one isn't in my list of authoritative domains, and right now I don't have that answer cached.

    Hey, internet root servers, can you tell me who is authoritative for stackexchange.com?

  5. Internet Root Servers: Sure thing! According to our records, you want ns1.serverfault.com, ns2.serverfault.com, or ns3.serverfault.com.

  6. ISP's DNS server: Thanks, Internet Root Servers!

    Hi there, ns2.serverfault.com, can you tell me where to find unix.stackexchange.com?

  7. ns2.serverfault.com: Sure thing! That's address 64.34.119.12

  8. ISP's DNS server: Great, thanks!

    OS, the number you're looking for is 64.34.119.12.

  9. OS: Great, thanks!

    Browser, you need address 64.34.119.12

  10. Browser: Great, thanks!

    Okay, calling up the page now.

  11. You: Yay, thanks Browser!

Now bear in mind that there are actually two types of name servers queried here -- authoritative DNS servers (the so-called "root" servers that told your ISP's DNS server where to find SE.com's DNS server, and SE.com's authoritative DNS server) and recursing or forwarding DNS servers (your ISP's DNS server).

Normally, the former type is not supposed to respond to recursive queries, especially not from outside their own domain. Smaller ISPs sometimes save on costs by having their primary authoritative name server be the same server as their primary forwarding name server, but that's a somewhat unsafe policy, especially if you don't configure your server to refuse recursive queries from outside your own IP range.

Further reading here on Wikipedia.

Alois Mahdal

If there are 2 DNS servers, DNS-A is the authority for domain-a, and DNS-B is the authority for domain-b, and someone sends a DNS query to DNS-A for a lookup of domain-b, DNS-A would then be recursing by sending a request to DNS-B in order to look up domain-b. Essentially, a recursive query is when a DNS server, on behalf of the client that sent the query, chases the trail of DNS in order to fulfill the request.

This is fine if you are hosting a DNS server for a network, like an office and all the machines in that office will use the DNS server to do all lookups. This is bad if you are allowing anyone to do DNS recursive queries. This is also bad if you are hosting a DNS server that is only supposed to fulfill requests for a certain domain. If someone requests a lookup for another domain, the DNS server should return an error instead of doing recursion.

Jon Lin