Recursive DNS
Recursive resolver configuration. How resolution works, root hints, security hardening, and rate limiting.
What Recursive Resolution Means
A recursive resolver does the full work of walking the DNS tree on behalf of the client. The client sends one query; the resolver contacts root servers, TLD servers, and authoritative servers as needed, then returns the final answer. The client never sees the intermediate steps.
Contrast with iterative resolution: the server returns referrals ("ask this other server") and the client does the walking. In practice, clients always request recursion; servers do iterative resolution internally.
Configuring Recursive Resolution in BIND
acl "trusted" { 10.50.0.0/16; 172.16.0.0/12; 127.0.0.0/8; };
options {
recursion yes;
allow-recursion { trusted; };
allow-query-cache { trusted; };
};An open recursive resolver is a DDoS amplification vector. Attackers send spoofed queries with the victim’s source IP; the resolver sends amplified responses to the victim. Always restrict recursion to trusted networks.
options {
recursion no;
};Use this for servers that only answer queries for their own zones. Returns REFUSED for any query outside their authority.
Testing Recursion
dig @10.50.1.90 google.com A | grep "flags"The ra (Recursion Available) flag means the server will perform recursive resolution for you. If ra is absent, the server either has recursion disabled or you’re outside the allow-recursion ACL.
dig example.com +recurseThe rd (Recursion Desired) flag is set by default in dig. The server only honors it if recursion is enabled for the querier.
dig @10.50.1.90 example.com +norecurseForces the server to answer only from its own data or cache. No walking the tree. Useful for testing what a server knows directly.
How Recursive Resolution Works
dig example.com +traceShows every step:
-
Query root (
.) forcom.— returns referral to.comTLD servers -
Query
.comTLD forexample.com.— returns referral to authoritative NS -
Query authoritative NS for
example.com.— returns the answer
Each step is an iterative query performed by the recursive resolver on your behalf.
# Flush cache first
sudo rndc flush
# First query — full recursive resolution
dig example.com +stats +noall | awk '/Query time/'
# Second query — served from cache
dig example.com +stats +noall | awk '/Query time/'The first query takes tens or hundreds of milliseconds (full tree walk). The second takes <1ms (cache hit). This demonstrates why caching matters.
Root Hints
cat /var/named/named.caContains the IP addresses of the 13 root server clusters (a.root-servers.net through m.root-servers.net). Without this file, a recursive resolver cannot start the resolution chain.
dig NS . @a.root-servers.net > /var/named/named.caRoot hints should be updated annually or when IANA announces changes. Stale hints still work (root IPs are very stable) but best practice is to keep them current.
Recursion Security
options {
rate-limit {
responses-per-second 10;
window 5;
};
};Response Rate Limiting (RRL) throttles identical responses. Mitigates amplification attacks even if recursion is properly ACL’d.
# Recursive resolver (internal-facing)
view "recursive" {
match-clients { trusted; };
recursion yes;
};
# Authoritative (public-facing)
view "authoritative" {
match-clients { any; };
recursion no;
zone "inside.domusdigitalis.dev" { type master; file "inside.domusdigitalis.dev.zone"; };
};A single BIND instance can serve both roles via views, but production best practice is separate servers. If the recursive resolver is compromised, it doesn’t expose your zone data.
See Also
-
Caching — cache inspection and flushing
-
Authoritative — the other side of the coin
-
Forwarders — forwarding vs recursion