Prestazioni e affidabilità
CDN DNS Argo Smart Routing Bilanciamento del carico URL reale AMP Ottimizzazioni Web Reti cinesi
Streaming e consegna video
Cloudflare Stream Diffusione di contenuti in streaming
Sicurezza avanzata
Transizione magica Protezione dagli attacchi DDoS WAF Gestione dei bot Rate Limiting SSL/TLS DNSSEC Cloudflare Access Cloudflare Spectrum Argo Tunnel
Approfondimenti
Analytics Log di Cloudflare
Cloudflare per sviluppatori
Cloudflare Workers Cloudflare Workers KV Mobile SDK
Registrazione del dominio
Cloudflare Registrar
Marketplace di Cloudflare
App Cloudflare
Cloudflare per tutti
1.1.1.1
Prestazioni
Accelerare le applicazioni Internet Accelerare le esperienze su dispositivi mobili Assicura la disponibilità delle applicazioni
Sicurezza
Mitigazione degli attacchi DDoS Previeni la violazione dei dati dei clienti Blocca l'abuso di bot dannosi
Settori
Gaming SaaS eCommerce Media e intrattenimento Settore pubblico Gruppi di interesse pubblico Governo locale e statale
Partnership
Programma per partner
Partner di Soluzioni
Programma di servizi
Partner tecnologici
Portale di Peering Bandwidth Alliance Partner di analytics
Integrazioni
IBM Cloud WordPress Google Cloud Magento Acquia Rackspace Microsoft Azure Kubernetes Motore WP
Sviluppo
Guida API Centro sviluppatori Fondo per sviluppatori Documentazione
Esplora
Case study Analisti Cloudflare in Cina Mappa di rete Webinar Qual’è la novità? White paper GDPR
Informazioni
Area risorse DDoS Area risorse CDN Area risorse DNS Area risorse sicurezza Area risorse prestazioni Centro di apprendimento senza server Area risorse SSL Area risorse Bots Area risorse Cloud
Connettere
Blog Contatta il reparto Vendite Community Supporto
Contatti
+1 650 319 8930
Configurazione Cloudflare avanzata
Esplora l’API Cloudflare v4 Esporre un tunnel locale sicuro Configurare con Terraform Documentazione
Personalizzare le dimensioni
Personalizzare l’uso di workers Modificare le intestazioni Instradamento condizionale della richiesta Test A/B Sfogliare tutti i frammenti di codice
Creazione di app serverless
Distribuire utilizzando Workers.dev Primi passi con le Esercitazioni Esempi di cloni su GitHub

What Is Recursive DNS?

In DNS lookups, which match domain names to machine-readable IP addresses, the journey up the DNS tree can either be made by a DNS server or a client.

Share facebook icon linkedin icon twitter icon email icon
What is DNS?
What is 1.1.1.1?
DNS Security
DNS Server Types
DNS Records
DNS Glossary of Terms

Recursive DNS

Obiettivi di apprendimento

Dopo aver letto questo articolo sarai in grado di:

  • Define recursive DNS
  • Differentiate between a recursive and an iterative DNS query
  • Understand the advantages and risks associated with recursive DNS queries

Argomenti correlati

DNS Security

Reverse DNS

What is DNS?

What's a DNS Server?

Round-Robin DNS

What is recursive DNS?

A recursive DNS lookup is where one DNS server communicates with several other DNS servers to hunt down an IP address and return it to the client. This is in contrast to an iterative DNS query, where the client communicates directly with each DNS server involved in the lookup. While this is a very technical definition, a closer look at the DNS system and the difference between recursion and iteration should help clear things up.

What is a DNS server?

Whenever a user types a domain name (such as ‘cloudflare.com’) into their browser window, this triggers a DNS lookup. A series of remote computers known as DNS servers then find the IP address for that domain and return it to the user’s computer so that they can access the correct website.

Several different types of DNS servers must work in conjunction to complete a DNS lookup. A DNS resolver, DNS root server, DNS TLD server, and DNS authoritative nameserver must all provide information to complete the lookup. In the case of caching, one of these servers may have saved the answer to a query during a previous lookup, and can then deliver it from memory.

For more on how a DNS lookup works, see What is a DNS Server?

What is the difference between recursion and iteration?

Recursion and iteration are computer science terms that describe two different methods to solve a problem. In recursion, a program repeatedly calls itself until a condition is met, while in iteration, a set of instructions is repeated until a condition is met. This subtle difference is hard to illustrate without getting into code, but the key takeaway is that recursion is a solution that repeatedly calls upon itself.

For example, imagine that Jim lost his keys at home and is looking for a systematic way to find them. A recursive solution would be for Jim to keep looking for his keys until he finds them. Jim will start looking, and if he doesn’t find his keys, he will return to his original instruction to keep looking until he finds them. An iterative solution would be for Jim to to search one room for five minutes, then go back to his instructions and search the next room for five minutes, and continue this cycle until he either finds his keys or has gone through the entire list of rooms to search.

A deep understanding of recursion and iteration isn’t necessary to comprehend the difference between recursive and iterative DNS lookups: In a recursive lookup, a DNS server does the recursion and continues querying other DNS servers until it has an IP address to return to the client (often a user’s operating system). In an iterative DNS query, each DNS query responds directly to the client with an address for another DNS server to ask, and the client continues querying DNS servers until one of them responds with the correct IP address for the given domain.

Put another way, the client does a form of delegation in a recursive DNS query. It tells the DNS resolver, “Hey, I need the IP address for this domain, please hunt it down and don’t get back to me until you have it.” Meanwhile, in an iterative query, the client tells the DNS resolver, “Hey, I need the IP address for this domain. Please let me know the address of the next DNS server in the lookup process so I can look it up myself.”

What are the advantages of recursive DNS?

Recursive DNS queries generally tend to resolve faster than iterative queries. This is due to caching. A recursive DNS server caches the final answer to every query it performs and saves that final answer for a certain amount of time (known as the Time-To-Live).

When a recursive resolver receives a query for an IP address it already has in its cache, it can rapidly provide the cached answer to the client without communicating with any other DNS servers. Quickly serving responses from the cache is very likely if a) the DNS server serves a lot of clients and/or b) the requested website is very popular.

What are the disadvantages of recursive DNS?

Unfortunately, allowing recursive DNS queries on open DNS servers creates a security vulnerability, as this configuration can enable attackers to perform DNS amplification attacks and DNS cache poisoning.

Recursive DNS servers and DNS amplification attacks

In a DNS amplification attack, an attacker typically uses a group of machines (known as a botnet) to send a high volume of DNS queries using a spoofed IP address. A spoofed IP address is like a forged return address; the attacker is sending requests from their own IP, but asking for the responses to go to the victim. In order to exacerbate the attack, the attacker also uses a technique called amplification, in which the spoofed request asks for a very long response. The victimized service will receive a flood of lengthy and unwanted DNS responses that can disrupt or even take down their servers. This is a type of DDoS attack.

This is kind of like a group of teenage pranksters calling a pizza place and each ordering a dozen pizzas. Instead of giving their own address for delivery, they give the address of an unsuspecting neighbor. The victim, who then receives a stream of large and unwanted pizza deliveries, will likely experience a lot of disruption in their day.

A DNS server that accepts recursive queries is needed to carry out this kind of attack, because the amplified DNS packets are responses to recursive DNS queries.

Recursive DNS servers and DNS cache poisoning attacks

In a DNS cache poisoning attack, when a recursive DNS server requests an IP address from another DNS server, an attacker intercepts the request and gives a fake response, which is often the IP address for a malicious website. Not only does the recursive DNS server send the original client this IP address, but the server will also save the response in its cache. Any user that requests an IP for the same domain name will be sent to the malicious website. If it’s a popular domain name and a popular DNS resolver, this attack could affect thousands of users.

In an iterative DNS query, the client directly asks each DNS server for the answer. Even if an attacker is able to send a forged response to the query, it will only affect a single client, which is generally not worth the attacker’s time.

How to support DNS queries that are both fast and secure

Cloudflare’s managed DNS service generally resolves DNS queries faster than competitors' DNS or public DNS. Additionally, Cloudflare DNS supports DNSSEC, a stringent security protocol designed to keep DNS servers and queries safe.

To provide you with the best possible experience on our website, we may use cookies, as described here.
By clicking accept, closing this banner, or continuing to browse our websites, you consent to the use of such cookies.