Should you enable Recursion on your DNS? It’s vulnerable!

Updated on September 3, 2017

Whenever you visit a webpage on the internet, you are using DNS to look up its address. Most of you are probably aware of what DNS is and how it works; for the others, there is a simple tutorial by Techglimpse. If you are planning to set up a DNS server, check out the BIND configuration guide here. One of our regular readers, Mr. Shyam, sent us a query: what is recursive DNS, and should I enable it?

OK! Let me give my opinion on recursive DNS and why you should not enable it.

Before that, we should know what recursive requests and iterative requests are. Recursive requests: whenever you query a domain, the DNS server first tries to find the address for the domain in its local cache. If it cannot find it, the server sends the query on to other DNS servers, following each referral in turn, until the address is found. Once it has the address, it returns that final answer to the client. This chain of querying on the client's behalf is called a recursive request.

Iterative requests: the DNS server tries to find the domain in its local cache, and if it cannot find the address it stops at that point and returns to the requester, in effect, "I couldn't find the server", leaving the client to query other servers itself.

(Figure: Disable recursion DNS)

Why should you not enable recursive DNS?

Here's what Fasthosts says about recursive DNS:

Servers that support this type of request are vulnerable to fake requests from a spoofed IP address (the victim of the attack); the spoofed IP address can get overwhelmed by the number of DNS results it receives and be unable to serve regular internet traffic. This is called an Amplifier attack because this method takes advantage of DNS servers to reflect the attack onto a target while also amplifying the volume of packets sent to the victim.

A consequence of this activity is that third-party network administrators who detect these requests may block your IP addresses. Your server could even be placed on DNS blacklists.

Should I turn off recursion on my DNS server?

If you turn off recursive lookup on your DNS server, any such fake requests are treated as iterative DNS queries. It will still be a DNS server, answering for the zones it is authoritative for, but it will not assist amplified attacks on a victim.

How to turn off recursion in BIND?

$ vi /etc/named.conf

Under the options directive, set recursion no; (if a few internal clients still need this server to resolve names for them, BIND's allow-recursion option can restrict recursion to their addresses instead of disabling it outright).

options {
    .......
    recursion no;
    ........
};

Restart the named service:

$ /etc/init.d/named restart

or

$ rndc reload

On Windows Server 2012, run the below command in PowerShell:

Set-DnsServerRecursion -Enable $false

On Windows Server 2003 and 2008, launch the command line and run the below command:

dnscmd <Server name> /Config /NoRecursion 1
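After applying either change, you should confirm from a host outside the server's own network that recursion is really off. A dig reply carries an "ra" (recursion available) flag in its ";; flags:" header line when the server is willing to recurse, and a server with recursion disabled answers REFUSED for names it is not authoritative for. The script below is an added example written for this article, not code from Techglimpse, Fasthosts or the BIND project; it parses that header and ships with constructed sample replies so the parsing can be tried without a live server. The host name ns1.example.net and the check_server function are illustrative assumptions.

```shell
#!/bin/sh
# Added example: decide from a dig reply whether the queried server offered
# recursion. dig prints header lines such as
#   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
#   ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
# "rd" is the recursion we asked for; "ra" means the server is willing to
# recurse for us, which from an outside address makes it an open resolver.

# Constructed sample replies (not captured from any real server).
OPEN_RESOLVER_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

CLOSED_RESOLVER_REPLY=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 12346
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# recursion_offered: reads a dig reply on stdin, prints "yes" if the ra flag
# is set and "no" otherwise (also "no" when no flags line is present at all).
recursion_offered() {
    awk '
        /^;; flags:/ {
            line = $0
            sub(/^;; flags:/, "", line)   # drop the label
            sub(/;.*/, "", line)          # keep only the flag list
            n = split(line, f, " ")
            for (i = 1; i <= n; i++)
                if (f[i] == "ra") { print "yes"; found = 1; exit }
            print "no"; found = 1; exit
        }
        END { if (!found) print "no" }'
}

# reply_status: reads a dig reply on stdin, prints the RCODE word from the
# header line (NOERROR, REFUSED, NXDOMAIN, ...).
reply_status() {
    awk '
        /^;; ->>HEADER<<-/ {
            for (i = 1; i <= NF; i++)
                if ($i == "status:") { s = $(i + 1); sub(/,$/, "", s); print s; exit }
        }'
}

# check_server HOST [NAME]: query a live server (requires dig) for a name it
# is not authoritative for and report whether it recursed. With
# "recursion no;" in named.conf the expected result is ra=no status=REFUSED.
check_server() {
    reply=$(dig @"$1" "${2:-example.com}" A +tries=1 +time=3)
    printf '%s: ra=%s status=%s\n' "$1" \
        "$(printf '%s\n' "$reply" | recursion_offered)" \
        "$(printf '%s\n' "$reply" | reply_status)"
}

# Usage: sh check_recursion.sh ns1.example.net [name]
# Without arguments the constructed samples are evaluated instead.
if [ $# -gt 0 ]; then
    check_server "$1" "$2"
else
    printf 'sample open resolver:   ra=%s status=%s\n' \
        "$(printf '%s\n' "$OPEN_RESOLVER_REPLY" | recursion_offered)" \
        "$(printf '%s\n' "$OPEN_RESOLVER_REPLY" | reply_status)"
    printf 'sample closed resolver: ra=%s status=%s\n' \
        "$(printf '%s\n' "$CLOSED_RESOLVER_REPLY" | recursion_offered)" \
        "$(printf '%s\n' "$CLOSED_RESOLVER_REPLY" | reply_status)"
fi
```

Run it from a machine outside the networks you listed in allow-recursion (or from anywhere, if you set recursion no;). If the live check still reports ra=yes, the server has not picked up the new configuration, so re-check named.conf and the rndc reload or service restart.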

You might also want to read: How to enable BIND DNS server logging to monitor queries and for troubleshooting?
