Solved

do clients make iterative or recursive queries to DNS servers

Posted on 2008-06-10
12
1,458 Views
Last Modified: 2010-04-21
Hello guys and as always thanks for your time and expertise. Guys, do the clients on the network make iterative or recursive queries to the DNS servers? I know on the monitoring tab (DNS server properties) you can test the server with iterative or recursive queries. Do clients make the iterative queries and DNS servers make the recursive queries with other DNS servers? And if you could, please give me a brief definition of the two queries. Thanks for your time and input.
0
Comment
Question by:pendal1
12 Comments
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21757791

> Guys, do the clients on the network make iterative or recursive queries
> to the dns servers.

Iterative. But you're unlikely to bump into a situation where they actually do. You can make nslookup perform an iterative query by using the "norecurse" option (set norecurse).

In this situation the DNS server will give its best response, without performing a full lookup. If it has an answer in the cache or the zone is authoritative it will give that.

Recursion is how the DNS server uses Root Hints to resolve public requests. At the start of the query it asks the servers responsible for ".", they return a referral saying to ask the TLD (Top Level Domain) servers (e.g. .com). The TLD servers return another referral, this time with more specific DNS servers (e.g. name servers for google.com). The process repeats down the tree until an answer is given (positive or negative).

HTH

Chris
0
 
LVL 25

Expert Comment

by:DrDave242
ID: 21761146
That's actually the opposite of how I understand the terminology.  From what I understand, queries from DNS clients to DNS servers are generally recursive, rather than iterative.  In a recursive query, the client says, "Give me an answer for this, and use whatever resources you have to use to get it."  The DNS server, if it doesn't have an answer for the query, then uses iterative queries to find the answer, starting from the root servers and going down the tree according to the referrals it receives.  In an iterative query, the server says, "Either give me an answer or tell me where I might be able to get one."

This page gives a decent illustration of the process:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cncc_dns_eqhi.mspx?mfr=true

Sure, it says Windows 2000, but DNS is DNS in this case.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21761354

Horribly confusing terms and badly described in almost every case :)

> From what I understand, queries from DNS clients to DNS servers are
> generally recursive, rather than iterative.

Generally the client will request recursion, unless explicitly told not to.

The Iterative query states: do not use Recursion, give me the best answer you can, with the intent that the client takes it from there (based on a returned referral).

> The DNS server, if it doesn't have an answer for the query, then uses
> iterative queries to find the answer, starting from the root servers and
> going down the tree according to the referrals it receives

Right, but it's got a Recursive request from the client to do that. Technically it's not an iterative request, even though the server repeats (iterates) when trying to find the answer.

The difficulty comes when you can't see the iterative query in action on the client end. The DNS Resolvers in Windows, and indeed most systems, are Stub Resolvers. They can only work fully with servers that support Recursion.

Chris
0
 
LVL 25

Expert Comment

by:DrDave242
ID: 21761538
I think we're giving the same answer, but from different perspectives.  :)

The client sends a recursive query to the server (unless recursion is disabled/not supported/not requested/etc.), and if the server does not have an authoritative answer, it sends an iterative query to a root server, which returns a referral.  The server then sends another iterative query to the server specified in the referral, and so on until a non-referral response is received.  That response is then returned to the client (and cached on the server), completing the recursive query process.

...Right?
0
 

Author Comment

by:pendal1
ID: 21764425
OK, I think I have it based on what you gentlemen had to say and the link provided by DrDave242. Let me see if I have this. The client (before anything else I think the resolver on the client checks the local DNS cache for the answer), if none is found, sends a recursive query to its preferred DNS server (the recursive query meaning the DNS server has to carry through with this query to the end or else return an error message). The resolver on the DNS server will check the zone database and the local cache on the server before making an iterative query to one of the root name servers. This iterative process will continue until an answer is found (or no answer is found) and this answer will be returned to the client.

Followup question: I know disabling recursion on the DNS server means the server can't use forwarders or send recursive queries to other DNS servers. Does this also prohibit clients from sending recursive queries to DNS servers? Right now recursion is enabled on our DNS servers, which if I'm right means they are open to queries from anyone inside or outside of the company, which according to what I read is a security risk. However, others have told me you don't want to disable recursion in an AD environment. What do you guys recommend on this subject?

Do clients by default use recursive lookups to DNS servers and DNS servers use iterative queries to other DNS servers? Is that the default, and if not, what is the default? Thanks for your time and expertise guys.
0
 
LVL 25

Accepted Solution

by:
DrDave242 earned 250 total points
ID: 21764774
Disabling recursion on the server won't prohibit clients from sending recursive queries, but the server won't recurse in order to attempt to find a response; it'll treat the query as iterative and send a referral response if it isn't authoritative and has nothing cached. Having recursion enabled isn't a security risk in itself, and it doesn't mean that anyone outside of your network can query your server; it just means that your server will query other servers rather than sending a referral to the client (i.e., with recursion enabled, the server does most of the dirty work, while with it disabled, that's left to the client).

The best way to keep your servers from responding to queries from outside of your network is to not allow DNS queries from outside to get to your network in the first place. Ideally, your internal and external DNS namespaces should be separate, and you should be using separate servers for them. Your internal servers may occasionally need to query the external servers (e.g., when someone inside your network needs to access your public website), but never the other way around.
0
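The process the thread describes, as an added toy model that is not part of the original thread: the client sets Recursion Desired, the server walks from the root following referrals on the client's behalf, and a server with recursion disabled hands back a referral instead (as in the accepted answer). All server names, zones and addresses below are constructed.

```python
# Constructed toy data: ("A", ip) is an answer, ("NS", server) a referral to
# a more specific server, ("SOA",) marks a zone the server is authoritative
# for. "" is the root; the corp server's "" entry stands in for root hints.
ZONES = {
    "root": {"": ("SOA",), "com": ("NS", "tld")},
    "tld":  {"com": ("SOA",), "example.com": ("NS", "auth")},
    "auth": {"example.com": ("SOA",), "www.example.com": ("A", "192.0.2.80")},
    "corp": {"": ("NS", "root"), "corp.local": ("SOA",),
             "dc1.corp.local": ("A", "10.0.0.5")},
}

def best_answer(server, qname):
    """Non-recursive reply: exact answer, closest referral, or NXDOMAIN."""
    records = ZONES[server]
    rec = records.get(qname)
    if rec and rec[0] == "A":
        return ("ANSWER", rec[1])
    labels = qname.split(".")
    for i in range(len(labels) + 1):            # most specific suffix first
        rec = records.get(".".join(labels[i:]))
        if rec and rec[0] == "SOA":
            return ("NXDOMAIN", None)           # our zone, no such name
        if rec and rec[0] == "NS":
            return ("REFERRAL", rec[1])         # "ask that server instead"
    return ("SERVFAIL", None)

def iterate(qname, start="root", max_hops=8):
    """Iterative resolution: follow referrals down the tree (like dig +trace)."""
    server = start
    for _ in range(max_hops):
        status, data = best_answer(server, qname)
        if status != "REFERRAL":
            return (status, data)
        server = data
    return ("SERVFAIL", None)                   # referral loop or too deep

class DnsServer:
    def __init__(self, name, recursion=True):
        self.name, self.recursion, self.cache = name, recursion, {}

    def query(self, qname, rd=True):
        """rd is the client's Recursion Desired flag (nslookup 'set norecurse' clears it)."""
        if qname in self.cache:
            return ("ANSWER", self.cache[qname])     # cache hit needs no recursion
        status, data = best_answer(self.name, qname)
        if status == "REFERRAL" and rd and self.recursion:
            status, data = iterate(qname, start=data)
            if status == "ANSWER":
                self.cache[qname] = data
        return (status, data)                   # a referral if not recursing
```

With recursion disabled, a query for a name the server is not authoritative for comes back as a referral, which a stub resolver cannot follow; a full resolver would continue with iterate(qname, start=referral) itself.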
 

Author Comment

by:pendal1
ID: 21765762
Dave, thanks for the response. I know dnstuff indicated that our DNS servers were open DNS servers and I thought that when recursion was enabled the servers were available to queries from outside of our internal network. You're saying recursion means basically the DNS server will take ownership of the query until it gets a positive or negative result for the query. Additionally, our public and internal namespaces are separate but they are on the same servers.

And Chris or Dave, take a look at my previous post and please confirm I seem to understand this process. Additionally, would you guys recommend blocking external queries on the firewall?

On a side note for Chris (and Dave if you're interested), I still haven't had the time to disable DHCP proxy registration and allow only secure updates on our DNS servers. There's actually a guy at work who thinks this won't accomplish anything. I told him it will accomplish keeping non-domain members out of our namespace. Furthermore, as we discussed Chris, I want to turn on scavenging on the master DNS server and aging on all the zones. I was just surprised that he didn't see the value in doing this.
0
 
LVL 70

Assisted Solution

by:Chris Dent
Chris Dent earned 250 total points
ID: 21767164

> ...Right?

Yep, absolutely :)

In that case this will be my last bit of digging on the Iterative / Recursive thing :)

The only bit that's missing is where the terminology is generally applied.

Both Iterative and Recursive queries are normally referred to as client actions (well, in most cases and examples). The Iterative query has the client do all the work (based on a server's best response), the Recursive has the DNS server do it. We do bump into the difficulty mentioned above with using Stub Resolvers, meaning we can't see the Iterative Query in action from the client.

We can make Dig (nslookup type tool from the Unix world) perform an Iterative Query using the +trace option, an extremely useful feature for tracing down odd parent delegations.

> I know dnstuff indicated that our dns servers were open DNS servers and I
> thought that when recursion was enabled the servers were available to queries
> from outside of our internal network.

If DNSStuff found them it means your DNS Servers are public, and support Recursive Queries. With that set anyone can use your DNS server to resolve addresses which may place unnecessary and unwanted load on your DNS server.

> Additionally, would you guys recommend blocking external queries on the firewall?

Inbound? Not a good idea if your DNS server is handling responses to public requests. But Inbound requests aren't necessary if the DNS server only hosts Private zones and performs recursion for internal clients.

> I want to turn on scavenging on the master dns server and aging on all the zones.

That is a good idea though, I always support that one :)

Equally I believe that Secure Only updates are a good idea, I don't like clients polluting my zones with rubbish. Generally that's not such a big issue on private DNS servers.

Chris
0
 
LVL 25

Expert Comment

by:DrDave242
ID: 21770899
I agree with everything in Chris-Dent's previous post, which makes this post a bit redundant, but I would like to elaborate a little on one thing he mentioned:  Don't block external requests if your servers are supposed to be answering queries to your public namespace, as that'll prevent anyone outside your network from locating your public machines by hostname.  He does make a good point, though: there's nothing preventing someone from issuing recursive queries to your servers from the outside, and this could conceivably be used in a DDoS-style attack if someone were motivated to do so.  If this were carried out, since the same servers are being used for your public and private DNS, your internal network performance would be degraded, as those servers would be unavailable to quickly respond to internal queries.  Add to this the fact that in an AD environment, the internal DNS servers are typically domain controllers, and you could end up with a sluggish mess on your hands.  I'm not trying to make you paranoid, as the likelihood of this happening is slim...but nonzero.
0
 

Author Comment

by:pendal1
ID: 21775202
Thanks guys. Sorry for the delay in my posting. I promise to close this question tomorrow. I was gone the whole day. So it seems that if the resolvers on most clients are stub resolvers, then I'm assuming most (unless recursion is not allowed, etc.) queries from the clients are recursive. Let me know if I'm wrong there.

I can see our public namespace (with the MX record, etc.) being available to external queries but that's handled by our provider. However, our private namespace should not be open, so do you guys recommend blocking inbound queries to our private namespace via the firewall? Let me know your recommendations here.

Otherwise I think that's it unless you have anything you want to add :) Thanks again. You guys and this site are a great resource for those of us learning the ropes.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21776887

> then I'm assuming most (unless recursion is not allowed, etc) queries from
> the clients are recursive

That would be a fair assumption. You'd have to go a bit out of your way to force the query to be iterative.

> However, our private namespace should not be open so do you guys
> recommend blocking inbound queries to our private namespace via the firewall.

Reading that gives me a perspective shift ;)

I prefer to think of it as "do not allow" rather than blocking. The difference being only that I would have a default rule that blocks, and I just wouldn't go out of my way to grant inbound access to a service like DNS.

Mine is such a subjective statement though, and ultimately I agree with your goal :)

Chris
0
 

Author Closing Comment

by:pendal1
ID: 31465998
Thanks Chris and Dave.  Your time and expertise are greatly appreciated.  Hope you'll afford me the opportunity to benefit from your input in the future.
0
