In the world of DNS, there are two types of DNS servers, recursion disabled and recursion enabled.

Recursion disabled servers, when asked to resolve a name, will only answer for names that they are authoritative for. It will absolutely refuse to look up a name it does not have authority over and is ideal for when you don’t want it to serve just any query. It isn’t, however, very useful for domains you don’t know about or have authority over.

Recursion enabled servers, when asked to resolve a name, will do a series of queries to figure out exactly what the right IP address for that name is. It generally will start with the root server, which will give it a hint about where to go next, and on down the line until it gets to the final server with the final answer. This is a great deal, because every time you look up a domain, you’re guaranteed to get an answer if it exists in the world. Since you’re always getting the right answer, it’s a great tool for caching answers, so next time someone needs to look up that domain, you aren’t running all over the internet again for the result. This saves time and bandwidth especially on high volume servers. However, there is a danger to allowing just anyone to do this.

Recursive DNS and Security

In most cases, you are not going to want to have a recursion enabled server open to the public. Having one exposed to queries from just anyone can be dangerous for your network, and if not dangerous, very expensive. Some firms, who are dedicated to providing public DNS service, will allow recursion from anyone, but it’s not for the faint of heart.

Recursion , however, is virtually required for someone who is planning on operating an internal DNS server, particularly if responses are going to be cached. Most ISPs will run a series of internal DNS servers who answer recursively for their paying customers, but are hidden from the outside world to control costs and prevent abuse of the network. A common implementation is to put the server(s) behind a firewall, and tell the DNS server to store successful answers to queries for future use.

In the case of DNS servers that are answering authoritatively for a specific set of domains, you are going to want to have recursion disabled. This will allow people who are looking to resolve your domains to do so, without allowing the unscrupulous to use your servers to resolve other DNS queries and sap your network resources. A common implementation of this is to simply indicate (in the configuration for your DNS server) that you wish to disallow recursion, and leave it at that. The good news is that most DNS server platforms now have recursion disallowed by default, so in some cases you will find that you need to do nothing in order to have a server safe from exploitation by recursive lookups.

Recursive DNS and Your Users

When setting up a new DNS server, always keep your intended userbase in mind. A good practice is to have a different DNS server for each role you plan on serving. Internal users get the benefits of recursion and caching, external users get only the answers they need for your own domains, and recursive lookups are denied. Knowing the role the DNS server will serve is critical and will prevent potentially expensive headaches down the road. Trying to mix and match on a single server (particularly when it’s being exposed to the outside world) can be at best confusing for you as an administrator, and at worst, a liability for your whole network.