DNS Protocol – Recursive and Non-Recursive Queries


When sending a query to a DNS server, the requester can state in the header whether it wishes to perform a so-called recursive query. This means that if the DNS server itself does not know the answer (it is not authoritative for the domain we are asking about), it runs the standard resolution algorithm (i.e. it starts at the root DNS servers and proceeds down through the lower levels to the destination) and sends the final result back to the requester. However, whether the recursive query is actually executed depends on the server. It can refuse and send the client only the answer it knows itself. If it does not know even part of the answer, it often sends back a list of the root DNS servers (telling us where to start looking).

The rule should be that authoritative DNS servers do not perform recursive queries and stick to their main task: providing authoritative data about their fixed list of domains and their records. Conversely, caching DNS servers must inherently perform recursive queries.

Combining an authoritative and a caching DNS server on one machine is a bad idea because it can cause problems. Imagine the domain “xyz.cz”, which has the authoritative server “ns.abc.cz”, and we also use this server as our caching server, so it provides us with access to the entire DNS system on the Internet. Suppose the domain “xyz.cz” changes its authoritative DNS servers, so that the DNS servers of the “cz” domain now delegate it somewhere other than “ns.abc.cz”, and the administrator of “ns.abc.cz” forgets to delete this zone from the server (or does not know about the change at all). If we then ask about the domain “xyz.cz”, we get an answer from “ns.abc.cz” that not only may be wrong, but also pretends to be authoritative. This is because “ns.abc.cz” is still configured as authoritative for this domain and does not verify that the delegation of the domain to itself is still valid. This problem does not occur with strict separation of authoritative and caching DNS servers.
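As an added example (not part of the original tutorial), the Python below shows the header mechanics behind the two paragraphs above: the query carries the RD (recursion desired) bit, and the response header tells us whether the server answered authoritatively (AA), recursed for us (RA), or declined and sent a referral. The three response headers are constructed for illustration, reusing the names xyz.cz and ns.abc.cz from the text; no network traffic is involved.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080

def build_query(name: str, recursion_desired: bool, qid: int = 0x1234) -> bytes:
    """Build an A/IN query; the RD bit is how the requester asks the server to recurse."""
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header so the flag bits can be read by name."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "tc": bool(flags & TC), "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def classify_response(msg: bytes) -> str:
    """Tell how the server handled our request, from its header flags alone."""
    h = parse_header(msg)
    if not h["qr"]:
        raise ValueError("not a response")
    if h["aa"]:
        # The server claims to be authoritative. A stale zone left on a combined
        # authoritative/caching server answers like this even after the delegation
        # has moved elsewhere, which is the problem described in the text.
        return "authoritative"
    if h["rd"] and not h["ra"] and h["ancount"] == 0 and h["nscount"] > 0:
        # We asked for recursion, the server declined and only returned a
        # referral (typically the root servers) in the authority section.
        return "referral"
    if h["ra"]:
        return "recursive"   # a caching resolver did the lookup for us
    return "non-recursive"

# Constructed sample responses to query id 0x1234 (no real traffic captured):
STALE_AUTH = struct.pack("!HHHHHH", 0x1234, QR | AA | RD, 1, 1, 0, 0)  # ns.abc.cz, stale xyz.cz zone
REFERRAL = struct.pack("!HHHHHH", 0x1234, QR | RD, 1, 0, 13, 0)        # recursion refused, 13 root NS
RECURSIVE = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)   # caching resolver answered

if __name__ == "__main__":
    for label, msg in (("stale auth", STALE_AUTH), ("referral", REFERRAL), ("recursive", RECURSIVE)):
        print(f"{label:11} -> {classify_response(msg)}")
```

Note that the AA bit is set by the answering server itself, so a client cannot tell a current authoritative answer from a stale one by the header alone; only the delegation from the parent zone settles that.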
