July 18th, 2016

Recursive DNS: What It Is And Why You Should Care

When it comes to e-commerce, banking or other online services, DNS is one of the most important technical aspects needed for a successful web operation. Without DNS, consumers will not be able to access websites or services that are available online.

For those not familiar with DNS, it is the technical process of translating a domain name (e.g. neustar.biz) to an IP address. This, of course, is the simplistic explanation; there is a lot more that happens behind the scenes to run the translation process.

From a business perspective, the focus is usually on Authoritative DNS. Authoritative DNS allows companies to set up their web presence under a domain name of their choosing (e.g., neustar.biz). The domain name is mapped to an IP address on the Internet (which may belong to the company or to a third party). A good domain setup is great for marketing and allows consumers to reach a website easily.

But there is one important factor that is sometimes neglected when DNS is discussed: recursive DNS. Recursive DNS is the piece that allows users to find the domain names that companies set up. Consumers may not realize it, but every time they use their computers or phones to read the news, access their bank accounts or even read this blog, they are using a recursive DNS service.

The purpose of today's blog post is to discuss what recursive DNS is and how it factors into DDoS attacks.

Recursive DNS is the middle-man between the consumer and the Authoritative DNS servers that host a company’s domains and the IP addresses associated with them. Recursive DNS performs two major tasks:

When a user types a URL into their web browser, the domain name in that URL is sent to the recursive DNS server first. The first task the recursive DNS server performs is to check its cache to see if the IP address for the requested name is already stored. If it is, the recursive DNS server immediately returns the IP address to the browser and the user is taken to the website.

If the recursive DNS server does not have the IP address in its cache, it goes through the process of fetching it (called “walking the DNS tree”) and returns it to the user. The recursive DNS server then stores the IP address in its cache for a certain amount of time. How long it is stored is defined by the owner of the domain using a setting called “Time To Live” (TTL).
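The two tasks described above, as an added illustration that is not part of the original post: a minimal TTL-honouring resolver cache in Python, where `walk_dns_tree` and its answer table are constructed stand-ins for the real root-to-authoritative lookup, and the `max_ttl` cap is an assumed resolver setting.

```python
import time
from typing import Callable, Dict, Tuple

# Constructed stand-in for the authoritative side of "walking the DNS
# tree": name -> (ip, ttl_seconds) as the domain owner would publish it.
# Hypothetical data, not real records for these names.
AUTHORITATIVE_ANSWERS = {
    "www.example.com.": ("192.0.2.10", 300),
    "shop.example.net.": ("198.51.100.7", 60),
}

def walk_dns_tree(name: str) -> Tuple[str, int]:
    """Stand-in for the root -> TLD -> authoritative server lookup."""
    try:
        return AUTHORITATIVE_ANSWERS[name]
    except KeyError:
        raise LookupError(f"NXDOMAIN: {name}")

class RecursiveCache:
    """Caches answers for the TTL chosen by the domain owner.

    max_ttl (assumed setting) caps how long any record is kept, which
    bounds the window in which a stale or poisoned answer keeps being
    served from memory.
    """
    def __init__(self, fetch: Callable[[str], Tuple[str, int]],
                 clock: Callable[[], float] = time.monotonic,
                 max_ttl: int = 86400) -> None:
        self._fetch, self._clock, self._max_ttl = fetch, clock, max_ttl
        self._cache: Dict[str, Tuple[str, float]] = {}  # name -> (ip, expires_at)

    def resolve(self, name: str) -> Tuple[str, int, bool]:
        """Return (ip, remaining_ttl, answered_from_cache)."""
        name = name.lower()
        if not name.endswith("."):
            name += "."
        now = self._clock()
        hit = self._cache.get(name)
        if hit is not None and hit[1] > now:
            # Task 1: answer from memory; the TTL handed out shrinks as the
            # entry ages, so downstream caches expire it at the same moment.
            return hit[0], int(hit[1] - now), True
        # Task 2: miss or expired entry -> walk the tree, then store for TTL.
        ip, ttl = self._fetch(name)
        ttl = min(ttl, self._max_ttl)
        self._cache[name] = (ip, now + ttl)
        return ip, ttl, False
```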

As you can see, recursive DNS is very important when it comes to users accessing websites and other e-commerce services online.

While recursive DNS is important to users surfing the Internet, malicious attackers have exploited a couple of aspects of how DNS works to launch DDoS attacks. These DDoS attacks are known as DNS Amplification attacks. Here is a quick rundown of the exploited aspects and how Neustar’s Recursive DNS service addresses them:

The first aspect of DNS that malicious attackers exploited is the open recursive DNS server. An open recursive server is one with no security controls or IP access lists enabled, so anyone on the Internet, including malicious attackers, can use it.

Unfortunately, many administrators are unaware that they are running open recursive DNS servers, so attackers have free rein over the many that exist on the Internet. This issue led the ISC to publish best-practice notes on running recursive DNS servers, including implementing IP access lists and security controls to restrict access to known parties:


Additionally, if you run a recursive DNS server and want to check if your system is considered an open recursive DNS server, please go to the following URL to check:


The second aspect of DNS that attackers exploited is that DNS response packets (especially for ANY or DNSSEC record type queries) are larger than the initial query packet. Various studies have estimated a 25x to 40x amplification factor when comparing the size of the original DNS query packet to the DNS response packet that is received.

Malicious attackers send many queries for a specific host or domain name to an open recursive DNS server. Instead of using their own source IP address, however, the attacker spoofs the source IP address and inserts the address of the intended victim. Because DNS response packets can be amplified by a large factor, the attacker has effectively created a large DDoS attack using recursive DNS.
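As an added example (not from the original post or from Neustar), the following Python checks a resolver's query log for the two problems just described: clients outside the access list the ISC guidance calls for, and answers amplified past the 25x lower bound the post quotes, with repeated amplified answers to one address treated as the reflection pattern whose "client" is really the spoofed victim. The allowed netblocks, the simplified log format and the log lines are all constructed for the example.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Netblocks this resolver is meant to serve (constructed values). The ISC
# guidance the post refers to is to restrict recursion to known clients.
ALLOWED_CLIENTS = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.0.2.0/24")]

# Low end of the 25x-40x amplification range the post cites.
AMPLIFICATION_THRESHOLD = 25

# Constructed query-log sample in a simplified format (not BIND's own):
#   client_ip  qname  qtype  query_bytes  response_bytes
SAMPLE_LOG = """\
10.0.0.5 www.example.com A 60 76
10.0.0.5 mail.example.com MX 62 210
203.0.113.9 isc.org ANY 64 3200
203.0.113.9 isc.org ANY 64 3200
203.0.113.9 isc.org ANY 64 3200
198.51.100.77 example.net DNSKEY 66 2100
192.0.2.40 bank.example RRSIG 68 1900
"""

def analyse(log_text: str, flood_threshold: int = 3) -> Dict[str, object]:
    """Report three indicators of open-resolver abuse from the log:
    queries from outside the ACL, responses amplified past the
    threshold, and clients receiving repeated amplified answers."""
    outside_acl: List[str] = []
    amplifying: List[Tuple[str, str, float]] = []
    bytes_to_client: Counter = Counter()
    for line in log_text.splitlines():
        client, qname, qtype, qsize, rsize = line.split()
        addr = ipaddress.ip_address(client)
        ratio = round(int(rsize) / int(qsize), 1)
        if not any(addr in net for net in ALLOWED_CLIENTS):
            outside_acl.append(f"{client} {qname} {qtype}")
        if ratio >= AMPLIFICATION_THRESHOLD:
            amplifying.append((client, qtype, ratio))
            bytes_to_client[client] += int(rsize)
    # Many amplified answers sent to one address is the reflection
    # pattern: that "client" is usually the spoofed victim, not the sender.
    hits = Counter(c for c, _, _ in amplifying)
    suspected_victims = sorted(c for c, n in hits.items() if n >= flood_threshold)
    return {"outside_acl": outside_acl, "amplifying": amplifying,
            "suspected_victims": suspected_victims,
            "bytes_to_client": dict(bytes_to_client)}

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

Note that the in-ACL client 192.0.2.40 still shows up under `amplifying`: an access list stops outsiders, but rate limiting or response-size controls are what bound the amplification a permitted client can draw out.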

While recursive DNS servers may be used to launch DDoS attacks, they may also be vulnerable to a direct DDoS attack themselves. Although the majority of the news focuses on DDoS attacks against websites and authoritative DNS servers, an attack against a recursive server could theoretically cripple users’ ability to access any Internet-facing website or service.

The reason recursive DNS servers may be vulnerable to attack is that many (especially those deployed by Internet Service Providers) are deployed in a unicast fashion: each server runs stand-alone, with little to no consideration for failover or redundancy. So an attack could stop anyone using that particular recursive DNS server from reaching their desired website or service on the Internet. Savvy, technical Internet users will know they have other options for recursive DNS service, but the regular, non-technical customer may not, and that can prove frustrating – for both the user and the business that just missed out on a sale.

Neustar offers Ultra Recursive, a Recursive DNS service built on the same 30 node locations as UltraDNS, Neustar’s Authoritative DNS platform. Just like UltraDNS, Ultra Recursive leverages BGP and Anycast to route queries in the most efficient manner and guarantees that customers can reach their favorite online websites or services in a timely fashion.

Ultra Recursive also has built-in DDoS protection to prevent attackers from taking the service down. Additionally, Neustar constantly monitors usage of the Ultra Recursive network to ensure that no malicious attackers are leveraging the network for nefarious purposes. Ultra Recursive also offers security capabilities such as category blocking (Malware, Gambling, etc.) and allows administrators to set white lists or black lists.

If you are interested in hearing more about how Ultra Recursive can help your business, please contact us!  