Difference between iterative and recursive DNS query

Sarath Pillai
iterative vs recursive dns

DNS is the most critical piece of infrastructure that is publicly available for everybody to use. You can in fact say that it is a single point of failure that can take down the World Wide Web.

I have tried to explain the working of DNS in one of my posts. However, it is impossible to cover the entire topic in one, or even multiple, posts. So I will be posting different DNS-related topics separately, to give the reader a better understanding.

Read: How Does DNS Work

In this post, we will walk through the different types of queries that a client uses to get different kinds of information from a DNS server.

What are the different types of DNS queries?

DNS queries can be classified according to the manner in which a complete request is processed. Generally, queries can be classified as follows.

  1. Recursive query
  2. Iterative query (also called a non-recursive query)
  3. Inverse query

What is a recursive query?

A recursive query is one in which the DNS server that received your query does all the work of fetching the answer and giving it back to you. During this process, the DNS server may also query other DNS servers on the internet on your behalf to get the answer.

Let's understand the entire process of a recursive query through the following steps.

Suppose you want to browse www.example.com, and your resolv.conf file has the following entries.

[root@myvm ~]# cat /etc/resolv.conf
nameserver 172.16.200.30
nameserver 172.16.200.31
 
The above resolv.conf entries mean that your DNS servers are 172.16.200.30 and 172.16.200.31. Whatever application you use, the operating system will send its DNS queries to those two servers.

STEP 1: You enter www.example.com in the browser. The operating system's resolver sends a DNS query for the A record to the DNS server 172.16.200.30.

STEP 2: The DNS server 172.16.200.30, on receiving the query, looks through its tables (cache) to find the IP address (A record) for the domain www.example.com. It does not have the entry.

STEP 3: As the answer is not available on the DNS server 172.16.200.30, this server sends a query to one of the DNS root servers for the answer. An important fact to note here is that root servers are always iterative servers.

STEP 4: The DNS root server replies with a list of servers (a referral) that are responsible for handling the .COM gTLD.

STEP 5: Our DNS server 172.16.200.30 selects one of the .COM gTLD servers from the list given by the root server, and queries it for the answer for "www.example.com".

STEP 6: Similar to the root servers, the gTLD servers are also iterative in nature, so the gTLD server replies to our DNS server 172.16.200.30 with the list of IP addresses of the DNS servers responsible for the domain www.example.com (the authoritative name servers for the domain).

STEP 7: This time also, our DNS server selects one of the IPs from the given list of authoritative name servers and queries it for the A record of www.example.com. The authoritative name server queried replies with the A record, as below.

www.example.com = <XXX:XX:XX:XX> (some IP address)

STEP 8: Our DNS server 172.16.200.30 replies to us with the domain/IP pair (and any other resource records, if available). Now the browser sends its request for the web page www.example.com to the IP address given.

The diagram shown below might make the concept clearer.

As you can see from the above figure, our DNS server (172.16.200.30) queries the other DNS servers on our behalf.

Note: The above scenario of a recursive query happened only because our DNS server 172.16.200.30 was configured as a recursive name server. You can also disable this feature on your DNS server.

How does the name server select one from the given list of servers to query?

In the above case, you might have noticed that our DNS server 172.16.200.30 had to select one server from a given list of servers to query, and it had to do so multiple times.

For example, there are 13 root servers. (When I say 13 root servers, 13 is the number of universal addresses. There are hundreds of servers at different locations around the world; these 13 root server addresses are anycast addresses.) So which root server will be queried for an answer?

 

Related: What is IP Anycast, and how it works?

 

Almost all DNS servers use an algorithm to select one server from the list, in order to distribute load and keep response times low.

The most famous DNS server software, BIND, uses a technique called the RTT metric (Round Trip Time metric). Using this technique, the server tracks the RTT of each root server and selects the one with the lowest RTT.

 

What is an iterative or non-recursive query?

Before beginning the explanation of iterative queries, an important thing to note is that all DNS servers must support iterative (non-recursive) queries.

In an iterative query, the name server will not go and fetch the complete answer for your query, but will give back a referral to other DNS servers which might have the answer. In our previous example, our DNS server 172.16.200.30 went and fetched the answer on behalf of our resolver and provided us with the final answer.

But if our DNS server 172.16.200.30 is not a recursive name server (which means it is iterative), it will give us the answer only if it already has it in its records. Otherwise, it will give us a referral to the root servers (it will not query the root servers or any other servers by itself).

Now it is the job of our resolver to query the root servers, the .COM TLD servers, and the authoritative name servers for the answer.

Let's go through the steps involved.

STEP 1: You enter www.example.com in the browser. The operating system's resolver sends a DNS query for the A record to the DNS server 172.16.200.30.

STEP 2: The DNS server 172.16.200.30, on receiving the query, looks through its tables (cache) to find the IP address (A record) for the domain www.example.com. It does not have the entry.

STEP 3: Now, instead of querying the root servers, our DNS server replies to us with a referral to the root servers. Our operating system's resolver then queries the root servers for the answer.

The rest of the steps are the same. The only differences in an iterative query are that:

  • if the DNS server does not have the answer, it will not query any other server for it, but will reply with a referral to the DNS root servers;
  • if the DNS server has the answer, it will give back the answer (this is the same in both iterative and recursive queries);
  • in an iterative query, the job of finding the answer (from the given referral) lies with the local operating system's resolver.

 

It can be clearly noted from the above figure that in an iterative query, the DNS server queried will never go and fetch the answer for you (but will give you the answer if it already has it). Instead, it gives your resolver a referral to other DNS servers (the root servers, in our case).
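To make the two walks concrete, here is an added example (not code from the original post) that models them in memory: a stub resolver, a local server 172.16.200.30 that can be built as recursive or iterative, and constructed root, .COM and authoritative servers that only ever hand back referrals. It also shows the RTT-based server selection described above and that only the recursive server ends up with the answer in its cache; all names, IPs and RTTs are constructed.

```python
# Added example (not code from the original post): an in-memory model of the recursive
# and iterative walks described above. All server names, IPs and RTTs are constructed.
from dataclasses import dataclass, field
@dataclass
class Server:
    name: str
    answers: dict = field(default_factory=dict)    # qname -> IP (A records held)
    referrals: dict = field(default_factory=dict)  # delegated zone -> [Server]
    rtt_ms: float = 0.0        # constructed round-trip time, used for server selection
    recursion: bool = False    # root, TLD and authoritative servers stay False
    cache: dict = field(default_factory=dict)
    def referral_for(self, qname):
        # Most specific delegation this server knows for qname, else its root hints (".")
        for zone, servers in self.referrals.items():
            if zone != "." and (qname == zone or qname.endswith("." + zone)):
                return servers
        return self.referrals.get(".", [])

    def query(self, qname, rd):
        # Answer an A query; rd=True is the RD (recursion desired) flag of the request
        if qname in self.answers or qname in self.cache:
            return "answer", self.answers.get(qname, self.cache.get(qname))
        if rd and self.recursion:      # STEPS 3-7: fetch the answer on the client's behalf
            ip, _ = iterate(qname, self.referral_for(qname), [])
            if ip:
                self.cache[qname] = ip  # only a recursive server ever learns the answer
            return "answer", ip        # None means the name could not be resolved
        return "referral", self.referral_for(qname)   # iterative: hand back a referral

def iterate(qname, servers, path):
    # Follow referrals, lowest RTT first (as BIND does), until an answer arrives
    while servers:
        server = min(servers, key=lambda s: s.rtt_ms)
        path.append(server.name)
        kind, payload = server.query(qname, rd=False)
        if kind == "answer":
            return payload, path
        servers = payload
    return None, path                  # no delegation left: the name does not exist

def resolve(qname, local, rd=True):
    # The OS stub resolver: ask the configured server, walk referrals if it only refers
    kind, payload = local.query(qname, rd)
    return (payload, [local.name]) if kind == "answer" else iterate(qname, payload, [local.name])

def build_topology(recursive):
    auth = Server("ns1.example.com", answers={"www.example.com": "203.0.113.10"}, rtt_ms=40)
    tld = Server("a.gtld-servers.net", referrals={"example.com": [auth]}, rtt_ms=30)
    roots = [Server(n, referrals={"com": [tld]}, rtt_ms=r) for n, r in (("a.root", 25), ("b.root", 90))]
    return Server("172.16.200.30", referrals={".": roots}, recursion=recursive)
```

With `build_topology(True)` the resolver only ever talks to 172.16.200.30; with `build_topology(False)` the returned path shows the resolver itself visiting the root, gTLD and authoritative servers, and the local server's cache stays empty.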

We will discuss inverse queries in another post. I hope this post was helpful in understanding iterative (non-recursive) and recursive DNS queries.

 

 


Comments

Very good article explaining minute details regarding DNS queries and clearing all doubts.

Thanks a ton

Very good and nicely explained article on DNS queries, with proper steps and diagrams; it made my day.

Thanks a lot.

It is a very good article. But tell me about examples of resolvers under Debian. I mean the last diagram, where the resolver gets a list of DNS servers and tries to query them by itself.
Is it a service? How can I find out if it is running on my system?

Sarath Pillai:

Hi bbo,

We are happy to know that you liked the article. Resolver libraries in Linux are almost the same across distributions.
However, the udns library is the most commonly used while running commands such as "host" (the udns library is available online for download).

Regards
Sarath

Very good article about DNS, thnx

Great work!!!!!!

Hi Sir,
Very good documentation. What are the advantages and disadvantages of both queries? Which one is best, and why? Will iterative queries decrease the load on the DNS server? I am confused. Both queries surely give an answer, so what are the advantages and disadvantages?

Sarath Pillai:

Hi Rupesh, good to know that you liked the article, and a warm welcome to slashroot!! Let's get back to your question!

Recursive queries: these kinds of queries are used most commonly when we set up an internal DNS server for a domain, or say, for a company. The client computers, or say the normal desktops that the employees of the company are using on a day-to-day basis, generate a huge number of DNS requests. So those servers are mostly configured in a recursive manner (because the questions are asked by desktops, which are normal internal clients), and we need to provide our clients with an exact answer to the query, correct?

Another important fact to note about recursive queries is that you need to very carefully restrict which clients/subnets are allowed to do a recursive query. You know why? Because there is a dangerous risk involved if you configure publicly available DNS servers in a recursive model. Now let's say we have around 1 lakh DNS servers in the world which are available publicly and are able to do recursive queries. An attacker can change the source address to the target of his desire and send junk DNS requests to those publicly available DNS servers, which will cause the target server to be under attack (because these 1 lakh servers will sit and reply to that incorrect source address, which the attacker forged to make it the target). Such an attack is called a DNS reflection attack!!!

All authoritative name servers, root name servers and TLD servers are always iterative in nature (of course, these servers are not made to go and fetch the answer for a query, correct!).

Hope that explains.

Thanks & regards
Sarath

This is the simplest way to explain the differences between DNS queries. I have read the other posts and there is a lot of confusion in understanding the actual concepts of DNS queries and how they resolve, but you have explained it thoroughly, which is very useful.

Thanks a lot for the nice post.

Regards,

Afzal Ashrafi.

System Administrator.

Sarath Pillai:

Hi Afzal Ashrafi,

Thanks for your comment....And welcome to slashroot.

Great explanation. I was confused about iterative and recursive queries; it helped me a lot. Thanks.

One of our clients requests that we have a local DNS server on our Linux host, and this DNS server should be iterative, not recursive. So I left in resolv.conf only the single line "nameserver 127.0.0.1" and installed BIND. In the options section of named.conf I have "allow-recursion { 127.0.0.1; };", and in this case all works fine. But when I disable recursion completely (according to the client's requirements) by removing "allow-recursion { 127.0.0.1; };" and adding "recursion no;" instead, all the applications on the host cannot resolve anything, saying "unknown host" (not surprisingly, though).

So the question is: how do I properly switch named from recursive to iterative mode and preserve the Linux resolver's ability to resolve any hostnames from local applications?

Sarath Pillai:

Hi,

So you are trying to disable recursion completely and still enable your local LAN servers to successfully resolve requests. Unfortunately, fulfilling your requirement with any BIND name server package later than version 9.5+ is not possible. This is because BIND versions later than 9.5+ no longer reply with a referral to the DNS root servers for queries to which they do not have an answer.

    (even when recursion no; was specified) would return a referral to the root servers (since these would, most likely, be available in the cache). Since BIND 9.5+ such queries are now failed with REFUSED status

So try using an older version of BIND (probably 9.4 or something) if you really need that feature.

I would like to make one more point here. Why don't you allow recursion for your local intranet, or say trusted hosts, with an argument like allow-recursion? Basically, the idea behind disabling recursion is due to the following reasons.

  • DoS attacks (publicly available DNS servers can be targeted by attackers with huge amounts of requests to consume resources)
  • DNS amplification attacks (if there are hundreds of publicly available DNS servers which accept recursive queries, an attacker can use all of them to amplify traffic to their specified target by sending forged requests to all of them)
  • And cache poisoning.

But yeah, if your DNS server is not a publicly available one, then these threats are not on your radar. But yeah, it's better to make your DNS server do recursive queries for your trusted subnets. Hope that answers your question.

Regards

Sarath
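As an added example (not from the original post or from the BIND project), this is the named.conf shape the reply above recommends: recursion stays on, but only for an ACL of trusted clients, so local applications still resolve while outside clients are refused. The LAN subnet is a constructed placeholder.

```conf
// Added example, not from the original post: restrict recursion instead of disabling it.
acl "trusted" {
    127.0.0.1;          // the host's own resolver (resolv.conf points here)
    10.0.0.0/8;         // constructed placeholder for the trusted LAN range
};

options {
    // The setting the commenter tried, "recursion no;", makes named refuse every
    // query it is not authoritative for, so local applications stop resolving.
    // Keep recursion on, but answer recursive queries only for the ACL above.
    recursion yes;
    allow-recursion { "trusted"; };
    allow-query-cache { "trusted"; };   // cached answers are not served to outsiders either
    allow-query { any; };               // authoritative zones, if any, stay queryable by all
};
```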

very clear and concise. Thank you

It's very great to see your post, because I had doubts about recursive and iterative DNS for a long time. Thank you.

Perfect explanation. Thank you so much for providing such a nice explanation. :)

I would like to thank you for serving the people who are all in the complicated situation of understanding the concepts in depth. This helps not only me but all the basic networking learners, because DNS is very important for everything.

Thank you
Saravanan

thanks sir.... wonderful answer.......

First, thanks for this great article!

A question regarding iterative lookup: how will our configured (iterative) DNS server populate its cache if the resolver is responsible for doing the queries against the root DNS servers, TLD servers and the authoritative name servers?

From the article it seems like our iterative DNS server never "sees" the A records returned from the authoritative name servers, since the resolver does the query itself. Any help/clarification is highly appreciated.

Awesome explanation, in very easy terms, which can be understood by a newbie.

understood clearly :) keep the good work going :) :)

awesome explanation, very useful and easy to understand for beginners

Very useful, easy to understand thanks a lot.

Very nice post to understand the DNS concept. Thanks Sarath.

Could you explain inverse queries as well?
