Disabling Recursion (DNS)

Discussion in 'Network Infrastructure' started by zimbo, Aug 1, 2006.

  1. zimbo
    Just a quick question... what happens when you disable recursion on the Forwarders tab of the DNS server? The MS Press book doesn't explain it too well and my Google search didn't bring up much either. As far as I understand the book, if a query from the local DNS server is forwarded to an upstream DNS server which is down, and recursion is now DISABLED (not the default), what happens to the query?

    Thanks!

    Edit: sorry, the pic is showing the default... what my question refers to is if that check box was ticked! :)
     

    Attached Files: dns.JPG
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  2. zimbo
    bump! :(
     
  3. simongrahamuk
    Going to have to do some digging to answer this one, will post when I find an answer. 8)
     
  4. zimbo
    Thanks Simon! For those with the MS Press book, it's Chapter 5, Lesson 1, on page 5-7. If someone could summarize those three paragraphs for me it would be great! :biggrin

    Thanks!
     
  5. simongrahamuk
    Ok,

    Firstly, what is a recursive query? This is when the host asks the DNS server to provide it with a definitive answer to its query, meaning that if the DNS server doesn't know the answer it is the server's responsibility to go and find one.

    When recursion is disabled, if the server is not authoritative for that domain, i.e. it is not an address mapping that it is in charge of or has already cached, then the server will not forward on the query. In this situation the server goes back to the client and says "I don't know the answer, try ....."

    The process that follows is Iterative querying, where it is the client itself that goes to different servers for the solution.

    Iterative Querying.

    Hope this helps. 8)
     
  6. Boycie
    Thanks for that explanation Si. I guess I knew what the process within the hierarchy of DNS was but never knew the name.

    Si
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  7. zimbo
    So if you were to put a tick in that box and the DNS server didn't know the answer, it wouldn't ask the forwarder?
     
  8. Boycie
    Correct.

    Si
     
  9. zimbo
    :blink So what's the advantage then of disabling recursion if your query won't be resolved in the primary server?
     
  10. simongrahamuk
    In normal circumstances you wouldn't want to disable it; however, there may be times when you do not want that DNS server to resolve any queries other than those for which it is authoritative, or in other words, those queries in its zone.
     
  11. zimbo
    So best practice is to leave the option like it is, so if a forwarder is available it will use it and then send the response back to the primary DNS server?
     
  12. simongrahamuk
    Bingo!

    Doing that means that the server will cache the query, so that if another host asks for the same info it can answer the query straight away. If you disable recursion then only the host gets to know the answer, meaning that the next host that wants to know has to go through the whole process again.
     
  13. zimbo
    Ah good, glad that's cleared up!

    Thanks guys!:biggrin
     
  14. Bluerinse
    Unless I am mistaken there seems to be some confusion here between forwarders and recursion.

    Recursion is the process by which your DNS server passes queries to the Internet's *root* servers; there are 13 of them, if I remember correctly, and they are responsible (authoritative) for the root domains, .com etc.

    Forwarders are other DNS servers like your ISPs DNS servers which are not authoritative for the root domains.

    So, if you have enabled forwarders, you are asking those forwarders to do the lookups for you and so I believe you could disable recursion and it would still work.

    If in doubt, try it out :D
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  15. zimbo
    The way Simon described recursion is similar to the way the book put it, or am I missing something? :rolleyes:
     
  16. r.h.lee

    zimbo,

    One reason off the top of my head is the security issue of DNS spoofing. That's where someone types in, say, http://www.certforums.co.uk and instead of being resolved to the IP address of 216.227.215.97, it is resolved to the IP address of a spoofer's web server. To you, all you see in your web browser address field is [http://www.certforums.co.uk/forums] and not the actual IP address that you're connected to. So the spoofer's web server can be set up with a website/webpage that looks identical to the actual website, in this case CertForums, and even have the Username: [ ] and Password: [ ] login fields. This is the exact trick used by spoofers to trick people into giving the spoofer their username and password for the legitimate website. Now, a spoofer with your CF login may not do much havoc, but imagine if it was a spoof of your bank's website? Now a lot of havoc can occur.

    So in summary, for security, it may be better that your DNS server not be able to resolve the domain name for spoofers-r-us.coim (intentional misspelling) by disabling recursion than to let recursion occur so that you are connected to spoofers-r-us.coim .

    I hope this helps.
     
    Certifications: MCSE, MCP+I, MCP, CCNA, A+
    WIP: CCDA
  17. Bluerinse
    Yes simon is correct, recursion means that if the DNS server doesn't know the answer to the query, it won't just give up and say dunno mate, it will contact the root servers and they will return the name of a DNS server that is authoritative for the next level of the DNS namespace.

    For example, if you are trying to resolve the FQDN sales.microsoft.com your DNS server is not going to have a record for that domain, so it will do a recursive query. It will contact the root servers and one that is responsible for the .com domain will answer the query by saying I don't know the IP address of sales.microsoft.com but I do have an entry for microsoft.com and the IP address of that DNS server is bla bla bla. Your DNS server will then contact microsoft.com and ask for the IP address of sales.microsoft.com and as it is authoritative for that domain it will be able to answer the query.

    Forwarders do all this work for you: if your DNS server is not authoritative for the domain but it is configured to use forwarders, it will query its forwarders and they will do the lookup process and pass the info back.
     
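As an added illustration (not part of the original thread, and not the code of any DNS server product), here is a small Python model of the behaviours the posts above describe: the root -> .com -> authoritative walk in Bluerinse's sales.microsoft.com example, the server caching the answer once it has recursed, forwarders doing the walk on the server's behalf, and a server with recursion disabled handing the client a referral instead of an answer, which the client then has to chase itself (Simon's "I don't know the answer, try ....."). The zone names, addresses, the `AuthServer`/`Resolver` classes and the `forward_only` flag are all constructed for this example; the flag models the case zimbo raises in the first post, a forwarder that is down, in both variants: fall back to the root hints, or fail the query.

```python
"""Toy model of the DNS resolution modes discussed in this thread.

Constructed example: zone data, server roles and addresses are made up for
the demonstration (RFC 5737 documentation ranges); nothing here talks to a
real DNS server.
"""
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    """An authoritative server. It answers only for names in its own zone;
    for a name below a zone it delegates, it returns a referral to the child
    server, the way the root and .com servers do in Bluerinse's walk."""
    zone: str
    records: dict                                       # FQDN -> IPv4 (A records)
    delegations: dict = field(default_factory=dict)     # child zone -> AuthServer

    def query(self, name):
        if name in self.records:
            return ("ANSWER", self.records[name])
        for child, server in self.delegations.items():
            if name.endswith(child):
                return ("REFERRAL", server)
        return ("NXDOMAIN", None)


def iterate(server, name, counter=None, max_hops=16):
    """Iterative resolution: ask a server and follow referrals until an answer.
    A recursive server runs this loop for the client; a client talking to a
    server with recursion disabled has to run it itself."""
    for _ in range(max_hops):
        if counter is not None:
            counter.upstream_queries += 1       # one packet sent upstream
        rcode, value = server.query(name)
        if rcode != "REFERRAL":
            return (rcode, value)
        server = value                          # follow the referral
    return ("SERVFAIL", None)


@dataclass
class Resolver:
    """A caching DNS server such as the Windows DNS server in the thread."""
    root: AuthServer                                    # root hints
    authoritative: list = field(default_factory=list)   # AuthServers hosted locally
    forwarders: list = field(default_factory=list)      # Resolvers; None = forwarder is down
    recursion: bool = True                              # False = "Disable recursion"
    forward_only: bool = False                          # hypothetical: never fall back to root hints
    cache: dict = field(default_factory=dict)
    upstream_queries: int = 0

    def resolve(self, name):
        # 1. Authoritative data and cached answers need no recursion at all.
        for server in self.authoritative:
            if name.endswith(server.zone):
                return server.query(name)
        if name in self.cache:
            return ("ANSWER", self.cache[name])
        # 2. Recursion disabled: the server does not chase the answer for the
        #    client; it replies with a referral ("I don't know, try the root").
        if not self.recursion:
            return ("REFERRAL", self.root)
        # 3. Forwarders are tried first, in order; a dead one is skipped.
        for fwd in self.forwarders:
            self.upstream_queries += 1
            if fwd is None:
                continue                                # timed out, try the next
            rcode, value = fwd.resolve(name)
            if rcode == "ANSWER":
                self.cache[name] = value                # later clients hit the cache
            return (rcode, value)
        # 4. Every forwarder failed. A forward-only server gives up here ...
        if self.forwarders and self.forward_only:
            return ("SERVFAIL", None)
        # 5. ... otherwise it walks the hierarchy itself from the root hints.
        rcode, value = iterate(self.root, name, counter=self)
        if rcode == "ANSWER":
            self.cache[name] = value
        return (rcode, value)


def build_internet():
    """Constructed three-level hierarchy: root -> com -> example.com."""
    example = AuthServer("example.com.", {"sales.example.com.": "198.51.100.7"})
    com = AuthServer("com.", {}, {"example.com.": example})
    return AuthServer(".", {}, {"com.": com})


if __name__ == "__main__":
    root = build_internet()
    isp = Resolver(root)                              # ISP resolver, recursion on
    local = Resolver(root, forwarders=[isp])          # our server, forwarding to the ISP
    print(local.resolve("sales.example.com."))        # answered via the forwarder
    print(isp.upstream_queries)                       # the ISP did the 3-hop walk
    print(local.resolve("sales.example.com."))        # second lookup served from cache
    norec = Resolver(root, forwarders=[isp], recursion=False)
    rcode, ref = norec.resolve("sales.example.com.")  # REFERRAL: forwarder never asked
    print(rcode, iterate(ref, "sales.example.com."))  # the client iterates itself
```

Reading the counters is the point: with recursion on, the local server sends one query to its forwarder and the forwarder does the three-hop walk; the second lookup for the same name costs no upstream traffic at all. With recursion off, the same server never touches its forwarder and every client has to walk the hierarchy itself, while names the server is authoritative for are still answered directly.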
