What Is Recursive DNS?

Recursive DNS is the initial step in finding an IP address for a specific website or web domain from the Domain Name System (DNS). When a user enters a web domain into a browser, a DNS request or DNS lookup is sent to a recursive DNS server, or DNS resolver, typically managed by the user’s internet service provider (ISP). The recursive DNS resolver will either respond with the IP information from data stored in its local cache or initiate a search, querying other nameservers and ultimately retrieving the information from an authoritative DNS server.

DNS is the address book for the internet, providing information about the computer addresses for domain names such as website domain names. When a user enters a human-readable web address like “example.com” into a browser, DNS is responsible for finding the corresponding IP address, a string of alphanumeric characters that can be read by machines. DNS enables users to find websites using names that are easy to remember rather than long strings of numbers.

Recursive DNS is the mechanism that facilitates this process by fetching the IP address associated with the domain, making internet navigation seamless.

Authoritative DNS servers keep the official records for domain names and their IP addresses.

To enable browsers to load web pages more quickly, the Domain Name System uses thousands of DNS servers around the world rather than a single massive database on one central server. Authoritative DNS servers keep the official information about web domains and IP addresses. But with millions of devices and IT systems creating trillions of DNS requests each day, there’s too much DNS traffic for authoritative DNS servers to handle alone. Thousands of recursive DNS servers around the world help to lighten the load and to speed up the DNS process by fielding the initial DNS requests and hunting down the right information.

Recursive DNS servers perform two essential functions.

Caching data. Recursive DNS servers store the responses to previous DNS requests in their cache memory, allowing them to quickly respond to DNS requests. This is especially helpful for DNS requests for sites that users repeatedly visit. Recursive DNS servers store this data for a certain period of time, called the time to live (TTL) which is defined by the domain owner and codified in the authoritative nameserver and its records.

Searching other DNS servers. If a recursive DNS server does not have the requested DNS information in its cache memory, it recurses through the domain name, asking other nameservers that may have stored the information in their cache memory or have information about the authoritative DNS server that holds the specific DNS record for a given domain. 

Ultimately, recursive DNS servers return an IP address to the user’s device, enabling the correct website or resource to be loaded into a browser or application.

When a user enters a domain name into a web browser, several critical steps must take place to find the correct IP address that enables a web page to load:

• The user’s computer produces a DNS query that is sent to a recursive DNS server.
• If the recursive server has the information in its cache, it responds with the IP address immediately.
• If there is no information about the IP address in cache memory, the recursive server forwards the DNS request to a root nameserver that directs the request to a top-level domain server, or TLD server, based on the root domain such as .com, .edu, or .co.uk. The TLD server then directs the DNS request to the correct authoritative DNS server holding the record for the specific web domain.
• Once the recursive DNS server locates the correct address, it returns information to the user’s device, which loads the web page into the browser.

When everything is working well, the entire DNS process takes a fraction of a second. DNS performance is important because loading a single web page, or reaching a single service, may require resolving hundreds of names.

The principal advantage of using recursive DNS servers is that they speed up the process of looking up DNS information. If DNS relied on authoritative nameservers alone, the system would be unable to handle the amount of traffic generated by DNS requests. With thousands of recursive DNS servers around the world caching information locally, the DNS system can efficiently respond to trillions of DNS requests each day.

Because the DNS system was not designed with security in mind, recursive DNS servers may be compromised in a wide range of cybersecurity attacks.

DNS servers may be targeted or used in a variety of ways. These include:

• Denial-of-service attacks. These campaigns cause DNS servers to slow down or crash by inundating them with an overwhelming amount of traffic and DNS requests.
• Amplification attacks. Amplification is a type of flood attack, where hackers use a network of malware-infected machines known as a botnet to flood DNS servers with a high volume of DNS queries. As a result, DNS servers may become overwhelmed and slow down or crash. In amplification attacks, hackers issued DNS requests in a way that asks for very long responses to go towards target machines, exacerbating the impact of the attack.
• Cache poisoning. In a DNS cache poisoning attack, attackers replace the legitimate DNS information within a resolver server’s cache with addresses for a malicious website. As a result, users seeking a legitimate website will instead get the IP address for an entirely different site, which may even look identical to the original site. Typically, hackers use this method to dupe users into revealing sensitive information like login credentials or account numbers.
• Tunneling. DNS tunneling attacks use DNS as a covert communication channel to exfiltrate sensitive data or take control of compromised devices within an IT network while evading detection by firewalls and network security devices.