7.1 - Lecture 5 Recursive and Iterative Queries

Recursive queries ask a DNS server to take responsibility for fully resolving a name, contacting other servers if it does not already have the answer. Iterative queries are answered with the best information the server already holds (an answer or a referral), without contacting other servers. Disabling recursion on a server that should never talk to the internet directly improves security, and it stops the server from being abused as an open resolver in spoofed-source DDoS (reflection) attacks. To disable recursion on Windows Server 2016, open the DNS server's properties, go to the Advanced tab and check "Disable recursion".

Uploaded by mha53

Recursive and Iterative Queries

In this Video:
• We will demonstrate the difference between recursive and iterative
queries.
• Discuss the reasons why you may want to disable recursive queries.
• Discuss the effects of disabling recursion.
• Demonstrate how to disable recursive queries.
What is a Recursive Query?

• A recursive query is one where the DNS server that receives it takes responsibility
for returning a full answer (the name resolution) or an error.
• A server that receives a recursive query will contact other servers as needed to
resolve that query.
What is an Iterative Query?

• An iterative query is one where the DNS server responds with the best
information it already has, from its zone files or its cache: either the answer
or a referral to servers closer to the answer.
• A server answering an iterative query does not contact other DNS
servers to obtain a result.
Here is an example of a recursive and an iterative query.

• The DNS resolver (R) on the PC starts the process. The user has typed the host
name gopro.com into the browser. The resolver checks the local
cache (1) to see whether the IP address of gopro.com is already in the computer's
memory; it is not. The resolver sends a recursive query (2) for the IP address of
gopro.com to the ISP's DNS server. The ISP DNS server looks up the address of
gopro.com in its cache and does not find it. Had it found it, it would
have returned the answer to the PC and the transaction would have been
complete.

• The ISP's DNS server (R) sends an iterative query (3) to the root
servers. Every recursive DNS server has a root hints file, which lists the host
names and IP addresses of the root servers on the internet.
• An iterative query is answered differently from a recursive one: if the DNS
server does not know the answer but has information that will help resolve
the query, it responds with that information. The root server knows nothing
about gopro.com, but it does know the next level of the DNS hierarchy, the .com
top-level domain (TLD), so the root server sends a referral back to the ISP's
server pointing to the .com servers.

• Now that the ISP's server knows the .com servers, it sends a
new iterative query (4) to .com asking for the IP address of
gopro.com. The .com servers will not have the address for gopro.com but do
know the authoritative name servers for gopro.com.

• Using this information, the ISP DNS server sends a final iterative query
(5) to the authoritative name servers for gopro.com and obtains the IP
address of gopro.com.

• The ISP's server returns the answer to the PC's recursive query. The PC places
the answer in its own cache and the browser initiates an HTTP session to the IP
address of gopro.com.

The whole process took four queries:

1 – A recursive query from the desktop PC (resolver) to the ISP.
2 – An iterative query from the ISP to the root servers.
3 – An iterative query from the ISP to the .com servers.
4 – An iterative query from the ISP to the authoritative DNS servers for gopro.com.

This may seem like a lot of queries for one address, but once the process has been
completed each step of it is stored in the ISP server's cache. If the PC user then
typed microsoft.com into the browser, the referral to the .com servers would
already be in the ISP's cache, so the ISP does not need to contact a root
server again. This time the ISP DNS server would go straight to the .com servers
to obtain the authoritative servers for microsoft.com, and then to those servers
for the address.

Things to Note:
Root servers only answer queries iteratively: they pass on the best
information they have (a referral) and never contact other servers on a
client's behalf. Root servers must be available at all times, so they do not
take on the work and the exposure of resolving names for others.

This is why caching is used at every step of the process: it reduces both the
time taken by these queries and the load on the root and TLD servers.
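The walk described above, and the caching shortcut on the second lookup, as an added example in Python (not code from the lecture): a toy model with three levels of authoritative "servers" that only ever answer iteratively, and one recursive server (the ISP's) that walks the referral chain on the client's behalf and caches each delegation it learns. Server names, domain names and addresses are constructed for illustration. The same model also shows what the ISP's server hands back once recursion is switched off.

```python
"""Toy model of recursive vs. iterative DNS resolution. Added example, not
code from the lecture: the 'servers' are in-memory dictionaries and every
name and address is constructed for illustration."""
from typing import Dict, List, Optional, Tuple

# What each authoritative server knows. A value ("NS", server) is a delegation
# (answered as a referral), ("A", ip) is a final answer. Authoritative servers
# never query anybody else: they only ever answer iteratively.
ZONES: Dict[str, Dict[str, Tuple[str, str]]] = {
    "root":         {"com": ("NS", "tld-com")},                 # from root hints
    "tld-com":      {"gopro.com": ("NS", "ns-gopro"),
                     "microsoft.com": ("NS", "ns-microsoft")},
    "ns-gopro":     {"gopro.com": ("A", "203.0.113.10")},
    "ns-microsoft": {"microsoft.com": ("A", "198.51.100.20")},
}


def ancestors(name: str) -> List[str]:
    """'www.gopro.com' -> ['www.gopro.com', 'gopro.com', 'com']"""
    labels = name.lower().strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def iterative_query(server: str, name: str) -> Optional[Tuple[str, str, str]]:
    """An iterative answer: the closest thing the server holds for the name,
    as (rtype, owner, value), or None. No other server is contacted."""
    zone = ZONES[server]
    for owner in ancestors(name):
        if owner in zone:
            rtype, value = zone[owner]
            return rtype, owner, value
    return None


class RecursiveServer:
    """The ISP's server: accepts recursive queries from clients, walks the
    referral chain with iterative queries, and caches what it learns."""

    def __init__(self, recursion_enabled: bool = True) -> None:
        self.recursion_enabled = recursion_enabled
        self.answers: Dict[str, str] = {}       # name -> address
        self.delegations: Dict[str, str] = {}   # zone -> server to ask for it
        self.contacted: List[str] = []          # servers queried, in order

    def closest_known(self, name: str) -> str:
        """Best starting point: the deepest cached delegation, else the root."""
        for owner in ancestors(name):
            if owner in self.delegations:
                return self.delegations[owner]
        return "root"

    def resolve(self, name: str) -> Tuple[str, str]:
        """Handle a client's recursive query. Returns ('answer', ip),
        ('referral', server) or ('error', reason)."""
        if name in self.answers:
            return "answer", self.answers[name]
        server = self.closest_known(name)
        if not self.recursion_enabled:
            # Recursion off: behave like an iterative server. Hand back the
            # best referral already held and send nothing upstream.
            return "referral", server
        for _ in range(8):                      # bound the referral chain
            self.contacted.append(server)
            result = iterative_query(server, name)
            if result is None:
                return "error", f"{server} has no data for {name}"
            rtype, owner, value = result
            if rtype == "A":
                self.answers[name] = value
                return "answer", value
            self.delegations[owner] = value     # remember the referral
            server = value                      # and follow it
        return "error", "referral chain too long"


def walkthrough() -> Dict[str, object]:
    """The lecture's scenario: gopro.com from an empty cache, then
    microsoft.com, which reuses the cached .com delegation."""
    isp = RecursiveServer()
    first = isp.resolve("gopro.com")
    first_walk = list(isp.contacted)
    isp.contacted.clear()
    second = isp.resolve("microsoft.com")
    second_walk = list(isp.contacted)
    locked = RecursiveServer(recursion_enabled=False)
    return {
        "gopro": first, "gopro_walk": first_walk,
        "microsoft": second, "microsoft_walk": second_walk,
        "recursion_off": locked.resolve("gopro.com"),
    }


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k}: {v}")
```

Running it shows the first lookup touching root, tld-com and ns-gopro in that order, the second lookup starting at tld-com because the .com delegation is cached, and the server with recursion disabled answering only with the best referral it holds (the root), having contacted nobody.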

How to display a computer's resolver cache.

The ipconfig /displaydns command shows the current contents of the resolver
cache. First run it before the recursive query:

• Open a command prompt
• Type ipconfig /displaydns
• The resolver cache is displayed

Then run it again after the recursive query:

• Open your computer's internet browser
• Type google.com
• Re-open a command prompt
• Type ipconfig /displaydns
• Note the difference: more records have been added.
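The before/after comparison the steps above ask you to make by eye can be automated. The added Python example below (not part of the lecture) parses the text that ipconfig /displaydns prints, one block of "Record Name . . . : value" lines per cache entry, and reports the records present only in the second dump. The two dumps embedded here are constructed samples in that layout, with made-up addresses; on a real machine you would capture them with ipconfig /displaydns redirected to before.txt and after.txt.

```python
"""Diff two captures of `ipconfig /displaydns` to see what a lookup added to the
Windows resolver cache. Added example; the two dumps below are constructed
samples in the layout Windows prints, with made-up addresses."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: cache before the browser lookup (only a loopback entry).
BEFORE = """
Windows IP Configuration

    localhost
    ----------------------------------------
    Record Name . . . . . : localhost
    Record Type . . . . . : 1
    Time To Live  . . . . : 86400
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1
"""

# Constructed sample: the same cache after visiting google.com in the browser.
AFTER = BEFORE + """
    google.com
    ----------------------------------------
    Record Name . . . . . : google.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 215
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 203.0.113.5

    www.google.com
    ----------------------------------------
    Record Name . . . . . : www.google.com
    Record Type . . . . . : 5
    Time To Live  . . . . : 215
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    CNAME Record  . . . . : google.com
"""

Record = Tuple[str, str, str]  # (owner name, record type number, data)

# "Record Name . . . . . : value"  ->  key "Record Name", value "value"
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z() ]*?)\s*(?:\.\s*)*:\s*(.*?)\s*$")


def parse_displaydns(text: str) -> List[Dict[str, str]]:
    """Group the 'key : value' lines into one dict per cache entry. Entries are
    separated by blank lines; the banner, name and dashed lines are ignored."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
        elif not line.strip() and current:
            entries.append(current)
            current = {}
    if current:
        entries.append(current)
    return entries


def to_records(entries: List[Dict[str, str]]) -> Set[Record]:
    """Reduce each entry to (name, type, data). The data field's key names the
    record kind ('A (Host) Record', 'CNAME Record', ...), so take the field
    that ends in 'Record' but is not 'Record Name' or 'Record Type'."""
    out: Set[Record] = set()
    for e in entries:
        data = next((v for k, v in e.items()
                     if k.endswith("Record") and not k.startswith("Record")), "")
        out.add((e.get("Record Name", "").lower(), e.get("Record Type", ""), data))
    return out


def new_records(before: str, after: str) -> Set[Record]:
    """Records present in the second dump but not in the first."""
    return to_records(parse_displaydns(after)) - to_records(parse_displaydns(before))


if __name__ == "__main__":
    for name, rtype, data in sorted(new_records(BEFORE, AFTER)):
        print(f"added: {name} type={rtype} data={data}")
```

Record types are printed as numbers by ipconfig (1 is A, 5 is CNAME, 28 is AAAA), so the tuple keeps the number as-is rather than guessing a name for it.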

Why would you choose to turn recursion off?

1. The DNS server is on a protected, secure network. In this case the DNS
server should never contact the internet directly, so
recursion is disabled for added security.
2. Servers that answer recursive queries from anyone (open resolvers) are
vulnerable to forged requests carrying a spoofed source IP address: the
attacker makes the server do the resolution work and send the (often much
larger) responses to the spoofed address, so the server becomes a reflector in
a distributed denial of service attack and can itself be overwhelmed by the
volume of queries and be unable to service legitimate traffic.
3. What happens if I turn off recursive DNS lookups on my server?
If recursion is disabled on your server, the server treats any
recursive request as an iterative one: it answers only from its own zones and
cache, giving a referral where it has no answer. It continues to act as a DNS
server but is no longer useful to attackers as a reflector in a
distributed denial of service (DDoS) attack.
4. Disabling recursion on a DNS server is generally done when DNS
clients are being limited to resolving names on a specific DNS server, such as
one located on your intranet. Recursion might also be disabled when the DNS
server is incapable of resolving external DNS names and clients are expected
to fail over to another DNS server for resolution of those names. Note that if
you disable recursion on the DNS server, you cannot use forwarders on
the same server, because sending a query to a forwarder is itself a recursive
lookup made on the client's behalf.

How to disable recursion on a Windows Server 2016 DNS server.

Open Server Manager, then Tools, then DNS. Right-click the server name, click
Properties, then the Advanced tab. Check "Disable recursion" (this option also
disables forwarders on the server), then click OK.
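To verify the setting from a client, the check a practitioner wants is on the wire rather than in the GUI. The recursive/iterative distinction is carried by two header flags: the client sets RD (Recursion Desired) in its query, and a server willing to recurse sets RA (Recursion Available) in its reply (RFC 1035, section 4.1.1). A server with recursion disabled replies with RA clear and, for names outside its own zones, no answer or REFUSED. The following added Python example (not from the lecture) builds a minimal A query, sends it to a server address you supply, and classifies the reply. The helper make_response fabricates replies so the classification can be exercised offline, and 192.0.2.53 is a placeholder address, not a real server.

```python
"""Check whether a DNS server offers recursion by inspecting the RA flag in
its reply. Added example, not code from the lecture. The query/response
encoding follows RFC 1035; 192.0.2.53 below is a placeholder address."""
import socket
import struct

FLAG_QR = 0x8000      # 1 = this message is a response
FLAG_RD = 0x0100      # Recursion Desired, set by the client
FLAG_RA = 0x0080      # Recursion Available, set by a recursing server
RCODE_MASK = 0x000F   # low 4 bits: 0 NOERROR, 3 NXDOMAIN, 5 REFUSED


def build_query(name: str, qtype: int = 1, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Encode a one-question DNS query (qtype 1 = A, class 1 = IN)."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def classify_response(resp: bytes):
    """Read the 12-byte header of a reply. Returns (ra, answer_count, rcode)."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    return bool(flags & FLAG_RA), an, flags & RCODE_MASK


def recursion_status(resp: bytes) -> str:
    """Turn the header flags into the operator's answer."""
    ra, an, rcode = classify_response(resp)
    if ra:
        return "open resolver: server offers recursion (RA=1)"
    if rcode == 5:
        return "recursion refused (RA=0, REFUSED)"
    if an == 0:
        return "recursion disabled: referral or no answer (RA=0)"
    return "answered from own zones or cache (RA=0)"


def make_response(query: bytes, ra: bool, rcode: int = 0, answers: int = 0) -> bytes:
    """Constructed reply for offline use: echoes the query id and question with
    the flags a recursing (ra=True) or non-recursing server would set."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    flags = FLAG_QR | (flags & FLAG_RD) | (FLAG_RA if ra else 0) | (rcode & RCODE_MASK)
    return struct.pack("!HHHHHH", txid, flags, qd, answers, 0, 0) + query[12:]


def probe(server_ip: str, name: str = "example.com", timeout: float = 2.0) -> str:
    """Send the query over UDP/53 and classify the reply (needs network access)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server_ip, 53))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return recursion_status(resp)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"  # placeholder
    print(probe(target))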

Congratulations for getting through this lecture. We hope you found it instructive.

Thanks for watching, and we will see you in the next lecture!
