What kind of servers respond to recursive queries
As a result, successful exploitation of an authoritative server can have severe consequences. Attackers can take over the affected domains and impersonate legitimate services. Moreover, where the attackers control the zones, even DNSSEC, which protects the integrity of domain name data, can be trivially bypassed.
The situation is even worse if the compromised shared host also runs a resolver: attackers can then redirect not only the affected domain but also third-party services such as search engines, banks and social networks.
The damage can be disproportionate: credential theft, fund exfiltration or exposure of sensitive user information. The most common and best-known attack involving unsecured resolvers is the "reflection" attack. It requires an open resolver, that is, a resolver that serves requests from anyone. Malicious actors send such open resolvers a large number of queries whose source IP address is spoofed to that of the attack's target.
Consequently, the DNS servers send their responses to the spoofed address and eventually overwhelm it, rendering it unavailable. The ease of execution and the bandwidth multiplication factor (a small request yields a large response) make the attack extremely attractive to malicious parties.
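The multiplication factor described above is also what makes reflection visible in a resolver's own logs: a handful of "clients" receive far more response bytes than they send, and the client address is the spoofed victim rather than the attacker. The following added example (not part of the original article) parses a constructed query log in a hypothetical key=value format, aggregates request and response bytes per client and flags clients whose byte ratio and query count exceed assumed thresholds:

```python
import re
from collections import defaultdict

# Constructed sample query log in a hypothetical key=value format (not the
# syntax of any particular DNS server). 203.0.113.5 appears as the "client";
# in a reflection attack that address is the spoofed victim, not the attacker.
SAMPLE_LOG = """\
ts=1700000000 client=203.0.113.5 qname=example.com qtype=ANY req_bytes=45 resp_bytes=3100
ts=1700000000 client=203.0.113.5 qname=example.com qtype=ANY req_bytes=45 resp_bytes=3100
ts=1700000001 client=203.0.113.5 qname=example.com qtype=ANY req_bytes=45 resp_bytes=3100
ts=1700000001 client=192.0.2.10 qname=www.example.com qtype=A req_bytes=50 resp_bytes=66
ts=1700000002 client=192.0.2.11 qname=mail.example.com qtype=MX req_bytes=52 resp_bytes=120
garbage line that does not match the format
"""

LINE_RE = re.compile(
    r"ts=(?P<ts>\d+) client=(?P<client>\S+) qname=(?P<qname>\S+) "
    r"qtype=(?P<qtype>\S+) req_bytes=(?P<req>\d+) resp_bytes=(?P<resp>\d+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        d = m.groupdict()
        d["ts"] = int(d["ts"])
        d["req"] = int(d["req"])
        d["resp"] = int(d["resp"])
        yield d


def amplification_report(records, min_queries=3, min_ratio=10.0):
    """Aggregate bytes per client and flag clients whose response/request byte
    ratio and query count both exceed the (assumed) thresholds.

    Returns {client: {"queries": n, "ratio": r, "qtypes": [...]}}.
    """
    stats = defaultdict(lambda: {"queries": 0, "req": 0, "resp": 0, "qtypes": set()})
    for r in records:
        s = stats[r["client"]]
        s["queries"] += 1
        s["req"] += r["req"]
        s["resp"] += r["resp"]
        s["qtypes"].add(r["qtype"])

    flagged = {}
    for client, s in stats.items():
        ratio = s["resp"] / s["req"] if s["req"] else 0.0
        if s["queries"] >= min_queries and ratio >= min_ratio:
            flagged[client] = {
                "queries": s["queries"],
                "ratio": round(ratio, 1),
                "qtypes": sorted(s["qtypes"]),
            }
    return flagged


if __name__ == "__main__":
    for client, info in amplification_report(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {info['queries']} queries, amplification x{info['ratio']}, "
              f"types {info['qtypes']}")
```

A flagged address is the one to protect with response rate limiting, not the one to block as an attacker; the large ANY answers in the sample are exactly the kind of response that gives the attack its multiplication factor.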
With unified authoritative and recursive DNS servers, protection against this kind of abuse is possible but requires considerably more complex steps, such as defining custom views and software-defined ACLs.
When the two functions are separated, on the other hand, the recursive resolvers can be protected at the ACL level and made accessible only to local users, which mitigates the threat. Separation is also a measure against cache-snooping attacks, which try to read the contents of DNS caches and discover which domains end-users have accessed.
The principle behind this threat is that a domain accessed by end-users remains in the DNS cache for a short period of time, as determined by the TTL of the record.
A malicious actor who can obtain answers to non-recursive queries can therefore "snoop" on the cache and its contents.
A case that can be exploited is that of authoritative DNS servers: they answer non-recursive queries by design, since such queries usually originate from recursive resolvers looking for authoritative answers.
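The policy the preceding paragraphs argue for can be stated as a single decision per query: names in the server's own zones are answered for anyone (the authoritative function), everything else only for ACL members, whether the query asks for recursion (reflection) or not (cache snooping). The following added example, not code from the original article, models that decision with hypothetical zone names and ACL networks:

```python
import ipaddress
from dataclasses import dataclass

# Constructed configuration (hypothetical values): the zones this host is
# authoritative for, and the networks allowed to use it as a recursive resolver.
AUTHORITATIVE_ZONES = ("example.com.", "example.net.")
RECURSION_ACL = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]


@dataclass
class Query:
    source: str   # client IP address as seen on the wire (may be spoofed)
    qname: str    # queried name
    rd: bool      # Recursion Desired flag set by the client


def in_authoritative_zone(qname: str) -> bool:
    """True if qname is at or below one of our zones (case-insensitive)."""
    name = qname.lower().rstrip(".") + "."
    return any(name == z or name.endswith("." + z) for z in AUTHORITATIVE_ZONES)


def allowed_recursion(source: str) -> bool:
    """ACL check: only local networks may use the recursive service."""
    addr = ipaddress.ip_address(source)
    return any(addr in net for net in RECURSION_ACL)


def decide(q: Query) -> str:
    """Classify a query as 'authoritative', 'recursive', 'cache-only' or 'refused'.

    Names in our own zones are answered for anyone, with or without RD,
    because that is the authoritative function other resolvers rely on.
    Every other name is served only to ACL members: an outsider is refused
    both for recursive queries (reflection) and for non-recursive ones
    (cache snooping), so nothing about the cache contents leaks.
    """
    if in_authoritative_zone(q.qname):
        return "authoritative"
    if not allowed_recursion(q.source):
        return "refused"
    return "recursive" if q.rd else "cache-only"


if __name__ == "__main__":
    for q in (
        Query("198.51.100.7", "www.example.com.", True),   # outsider, our zone
        Query("198.51.100.7", "www.bank.test.", True),     # outsider, recursion
        Query("198.51.100.7", "www.bank.test.", False),    # outsider, snooping
        Query("192.0.2.10", "www.bank.test.", True),       # local user
    ):
        print(q.source, q.qname, "RD" if q.rd else "no-RD", "->", decide(q))
```

The key property is that the refusal for outsiders does not depend on whether the name happens to be cached; a server that answered non-recursive queries for cached names only would still tell the asker which names are in the cache.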
The performance of DNS servers has a direct impact on the end-user experience.
Hi, so you are trying to disable recursion completely and still enable your local LAN servers to successfully resolve requests. DoS attacks: publicly available DNS servers can be targeted by attackers with huge amounts of requests to consume resources. DNS amplification attacks: if there are hundreds of publicly available DNS servers which accept recursive queries, an attacker can use all of them to amplify traffic to their specified target by sending forged requests to all of them. And cache poisoning.
The RA bit is the diagnostic test for recursive query support.
Alnitak

Thanks a lot cjc. I also figured out another method but using dig.
Try to look up a domain on a nameserver that is non-authoritative for the domain. If it doesn't return anything, then it's not responding to recursive queries. Mikko, yes, both dig and host and the now deprecated nslookup are DNS query tools. All of them are sufficient for determining whether a DNS server is allowing recursive queries from your IP address.
Joao Costa
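The RA (Recursion Available) bit mentioned in the answer above lives in the flags word of the DNS header, so the check that dig or host performs can be reproduced in a few lines of standard-library Python. This added example is not from the thread or from any DNS tool: it builds a minimal query, parses the header flags of a response and reports whether recursion was offered. The two response headers are constructed to show what an open resolver and an ACL-protected server return; the `check_server` function is a hypothetical live probe intended for a resolver you operate yourself.

```python
import socket
import struct

# Header flag bits (RFC 1035 section 4.1.1).
FLAG_QR = 0x8000  # response
FLAG_RD = 0x0100  # recursion desired (set by the client, echoed by the server)
FLAG_RA = 0x0080  # recursion available (set by the server)
RCODE_REFUSED = 5


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Build a minimal DNS query: 12-byte header plus one question (IN class)."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_flags(response: bytes) -> dict:
    """Decode the header fields relevant to the recursion check."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def recursion_offered(response: bytes) -> bool:
    """True when the server answered and advertised recursion to this client."""
    f = parse_flags(response)
    return f["qr"] and f["ra"]


# Constructed response headers (no question/answer sections, which the
# flag check does not need):
#   open resolver: QR, RD, RA set, NOERROR, one answer record
OPEN_RESOLVER_RESPONSE = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
#   authoritative-only server behind an ACL: QR and RD set, RA clear, REFUSED
AUTH_ONLY_RESPONSE = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | RCODE_REFUSED, 1, 0, 0, 0)


def check_server(server: str, qname: str = "example.com", timeout: float = 2.0) -> bool:
    """Hypothetical live probe (needs network): send one UDP query and read RA.
    Run it only against a resolver you are responsible for."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return recursion_offered(data)


if __name__ == "__main__":
    for name, resp in (("open resolver", OPEN_RESOLVER_RESPONSE),
                       ("ACL-protected server", AUTH_ONLY_RESPONSE)):
        f = parse_flags(resp)
        print(f"{name}: RA={f['ra']} rcode={f['rcode']} -> recursion offered: {recursion_offered(resp)}")
```

Note that RA describes what the server offers to the asking address, so the same server can legitimately report RA=1 to a LAN client and RA=0 with REFUSED to the outside world; that difference is exactly what the ACL-level protection described earlier on this page looks like on the wire.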