pendal1
asked on
do clients make iterative or recursive queries to DNS servers
Hello guys and as always thanks for your time and expertise. Guys, do the clients on the network make iterative or recursive queries to the dns servers. I know on the monitoring tab (dns server properties) you can test the server with iterative or recursive queries. Do clients make the iterative queries and DNS servers make the recursive queries with other DNS servers. And if you could, please give me a brief definition of the two queries. Thanks for your time and input.
That's actually the opposite of how I understand the terminology. From what I understand, queries from DNS clients to DNS servers are generally recursive, rather than iterative. In a recursive query, the client says, "Give me an answer for this, and use whatever resources you have to use to get it." The DNS server, if it doesn't have an answer for the query, then uses iterative queries to find the answer, starting from the root servers and going down the tree according to the referrals it receives. In an iterative query, the server says, "Either give me an answer or tell me where I might be able to get one."
This page gives a decent illustration of the process:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cncc_dns_eqhi.mspx?mfr=true
Sure, it says Windows 2000, but DNS is DNS in this case.
This page gives a decent illustration of the process:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cncc_dns_eqhi.mspx?mfr=true
Sure, it says Windows 2000, but DNS is DNS in this case.
Horribly confusing terms and badly described in almost every case :)
> From what I understand, queries from DNS clients to DNS servers are
> generally recursive, rather than iterative.
Generally the client will request recursion, unless explicitly told not to.
The Iterative query states do not use Recursion, give me the best answer you can with the intent that the client takes it from there (based on a returned referral).
> The DNS server, if it doesn't have an answer for the query, then uses
> iterative queries to find the answer, starting from the root servers and
> going down the tree according to the referrals it receives
Right, but it's got a Recursive request from the client to do that. Technically it's not an iterative request, even through the server repeats (iterates) when trying to find the answer.
The difficulty comes when you can't see the iterative query in action on the client end. The DNS Resolvers in Windows, and indeed most systems, are Stub Resolvers. They can only work fully with servers that support Recursion.
Chris
I think we're giving the same answer, but from different perspectives. :)
The client sends a recursive query to the server (unless recursion is disabled/not supported/not requested/etc.), and if the server does not have an authoritative answer, it sends an iterative query to a root server, which returns a referral. The server then sends another iterative query to the server specified in the referral, and so on until a non-referral response is received. That response is then returned to the client (and cached on the server), completing the recursive query process.
...Right?
The client sends a recursive query to the server (unless recursion is disabled/not supported/not requested/etc.), and if the server does not have an authoritative answer, it sends an iterative query to a root server, which returns a referral. The server then sends another iterative query to the server specified in the referral, and so on until a non-referral response is received. That response is then returned to the client (and cached on the server), completing the recursive query process.
...Right?
ASKER
OK, I think I have it based on what you gentlemen had to say and the link provided by DRDave242. Let me see if I have this. The client (before anything else I think the resolver on the client checks the local dns cache for the answer) and if none is found the client sends a recursive query to its preferred dns server. (and the recursive query meaning the dns server has to carry through with this query to the end or else return an error message.) The resolver on the dns server will check the zone database and the local cache on the server before making an iterative query to one of the root name servers. This iterative process will continue until an answer is found (or no answer is found) and this answer will be returned to the client.
Followup question: I know disabling recursion on the dns server means the server can't use forwarders or send recursive queries to other dns servers. Does this also prohibit clients from sending recursive queries to dns servers. Right now recursion is enabled on our dns servers which if I'm right means they are open to queries from anyone inside or outside of the company which according to what I read is a security risk. However, others have told me you don't want to disable recursion in an AD enviornment. What do you guys recommend on this subject?
Do clients by default use recursive lookups to dns servers and dns servers use iterative queries to other dns servers. Is that the default and if not what is the default. Thanks for your time and expertise guys.
Followup question: I know disabling recursion on the dns server means the server can't use forwarders or send recursive queries to other dns servers. Does this also prohibit clients from sending recursive queries to dns servers. Right now recursion is enabled on our dns servers which if I'm right means they are open to queries from anyone inside or outside of the company which according to what I read is a security risk. However, others have told me you don't want to disable recursion in an AD enviornment. What do you guys recommend on this subject?
Do clients by default use recursive lookups to dns servers and dns servers use iterative queries to other dns servers. Is that the default and if not what is the default. Thanks for your time and expertise guys.
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER
Dave, thanks for the response. I know dnstuff indicated that our dns servers were open DNS servers and I thought than when recursion was enabled the servers were availabe to queries from outside of our internal network. You're saying recursion means basically the DNS server will take ownership of the query until it gets a postive or negative result for the query. Additionally, our public and internal namespaces our seperate but they are on the same servers.
And Chris or dave, take a look at my previous post and please confirm I seem to understand this process. Additionally, would you guys recommend blocking external queries on the firewall?
On a side note for Chris (and Dave if you're interested), I still haven't had the time to disable dhcp proxy registration and allow only secure upates on our dns servers. There's actually a guy at work who thinks this won't accomplish anything. I told him it will accomplish keeping non-domain members out of our namespace. Furthermore, as we discussed Chris, I want to turn on scavenging on the master dns server and aging on all the zones. I was just surprised that he didn't see the value in doing this.
And Chris or dave, take a look at my previous post and please confirm I seem to understand this process. Additionally, would you guys recommend blocking external queries on the firewall?
On a side note for Chris (and Dave if you're interested), I still haven't had the time to disable dhcp proxy registration and allow only secure upates on our dns servers. There's actually a guy at work who thinks this won't accomplish anything. I told him it will accomplish keeping non-domain members out of our namespace. Furthermore, as we discussed Chris, I want to turn on scavenging on the master dns server and aging on all the zones. I was just surprised that he didn't see the value in doing this.
SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
I agree with everything in Chris-Dent's previous post, which makes this post a bit redundant, but I would like to elaborate a little on one thing he mentioned: Don't block external requests if your servers are supposed to be answering queries to your public namespace, as that'll prevent anyone outside your network from locating your public machines by hostname. He does make a good point, though: there's nothing preventing someone from issuing recursive queries to your servers from the outside, and this could conceivably be used in a DDoS-style attack if someone were motivated to do so. If this were carried out, since the same servers are being used for your public and private DNS, your internal network performance would be degraded, as those servers would be unavailable to quickly respond to internal queries. Add to this the fact that in an AD environment, the internal DNS servers are typically domain controllers, and you could end up with a sluggish mess on your hands. I'm not trying to make you paranoid, as the likelihood of this happening is slim...but nonzero.
ASKER
Thanks guys. Sorry for the delay in my posting. I promise to close this quetion tomorrow. I was gone the whole day. So it seems that if the resolvers on most clients are stub resolvers - then I'm assuming most (unless recursion is not allowed, etc) queries from the clients are recursive. Let me know if I'm wrong there.
I can see our public namespace (with the mx record, etc) being available to external queries but that's handled by our provider. However, our private namespace should not be open so do you guys recommend blocking inbound queries to our private namespace via the firewall. Let me know your recommendations here.
Otherwise I think that's it unless you have any thing you want to add :) Thanks again. You guys and this site are a great resource for those of us learning the ropes.
I can see our public namespace (with the mx record, etc) being available to external queries but that's handled by our provider. However, our private namespace should not be open so do you guys recommend blocking inbound queries to our private namespace via the firewall. Let me know your recommendations here.
Otherwise I think that's it unless you have any thing you want to add :) Thanks again. You guys and this site are a great resource for those of us learning the ropes.
> then I'm assuming most (unless recursion is not allowed, etc) queries from
> the clients are recursive
That would be a fair assumption. You'd have to go a bit out of your way to force the query to be iterative.
> However, our private namespace should not be open so do you guys
> recommend blocking inbound queries to our private namespace via the firewall.
Reading that gives me a perspective shift ;)
I prefer to think of it as "do not allow" rather than blocking. The difference being only that I would have a default rule that blocks, and I just wouldn't go out of my way to grant inbound access to a service like DNS.
Mine is such a subjective statement though, and ultimately I agree with your goal :)
Chris
ASKER
Thanks Chris and Dave. Your time and expertise are greatly appreciated. Hope you'll afford me the opportunity to benefit from your input in the future.
> Guys, do the clients on the network make iterative or recursive queries
> to the dns servers.
Iterative. But you're unlikely to bump into a situation where they actually do. You can make nslookup perform an iterative query by using the "norecurse" option (set norecurse).
In this situation the DNS server will give its best response, without performing a full lookup. If it has an answer in the cache or the zone is authoritative it will give that.
Recursion is how the DNS server uses Root Hints to resolve public requests. At the start of the query it asks the servers responsible for ".", they return a referral saying to ask the TLD (Top Level Domain) servers (e.g. .com). The TLD servers return another referral, this time with more specific DNS servers (e.g. name servers for google.com). The process repeats down the tree until an answer is given (positive or negative).
HTH
Chris