Why recursive or iterative DNS?
Faults of recursive DNS
Recursive DNS servers are more exposed to DoS, and an open recursive resolver (one that answers recursion requests from anyone) is a ready-made reflector for DDoS amplification
- DNS resolution is typically UDP: no handshake, so the source address of a query is never verified.
- You can do fire and forget, similar to
- Just spoof the source IP as your target's: the resolver sends its response to the victim instead of back to you. This only works from networks without egress filtering (BCP 38).
- DNS responses can be much larger than the query. EDNS0 lets a tiny query advertise a large receive buffer (4096 bytes is common), so the answer is not truncated at the classic 512-byte UDP limit; ANY queries and DNSSEC-signed zones give the biggest answers:
- 64 byte query -> 3223 byte response
- ~50x amplification (3223 / 64 ≈ 50).
- So the botnet's traffic arrives at the victim at ~50x the bandwidth the bots actually send, and can cripple many more websites.
- Mitigations on the resolver side: restrict recursion to your own client networks (don't be an open resolver), enable response rate limiting, and have your upstream apply BCP 38 egress filtering so spoofed packets never leave.
DNS cache poisoning
- Trick the resolver into accepting a forged DNS response as authentic. The attacker races the real answer: the forged packet must arrive first and match the outstanding query's 16-bit transaction ID, UDP port, and question name. If the resolver always queries from the same source port, only the 65536 transaction IDs stand in the way.
- Since responses are cached, every client of that resolver uses the fake data until the TTL expires.
- Defences: randomised source ports (roughly 2^32 guesses instead of 2^16; this was the fix for the 2008 Kaminsky attack), bailiwick checks that ignore extra records outside the zone being asked about, and DNSSEC validation so forged data fails signature checks.
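A toy model of the acceptance checks described above, with a blind forgery attempt run against a fixed-port resolver and a random-port resolver. This is an added example, not code from the original notes or from any real resolver; the dataclasses, function names, IPs, ports and zone names are all constructed for illustration, and the bailiwick rule is simplified to "name is inside the zone we asked about".

```python
from dataclasses import dataclass

# Added example (not from the original notes): a simplified model of what a
# recursive resolver checks before caching a response, plus a blind attacker
# that spoofs the upstream's address and tries every transaction ID.
# All addresses, ports and names below are constructed.


@dataclass
class PendingQuery:
    txid: int        # 16-bit transaction ID chosen by the resolver
    src_port: int    # UDP source port the resolver sent the query from
    qname: str       # question name
    upstream: str    # IP of the authoritative server that was asked


@dataclass
class Response:
    txid: int
    dst_port: int
    src_ip: str
    qname: str
    records: dict    # {name: ip} from the answer + additional sections


def in_bailiwick(zone, name):
    """True if name is the zone itself or a name below it."""
    zone = zone.lower().rstrip(".")
    name = name.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def accept_response(pending, resp, zone):
    """Return the records a resolver would cache from resp, or None if rejected.

    zone is the zone the upstream was asked about; records outside it are
    dropped (bailiwick rule), which blocks the old "extra glue" poisoning.
    """
    if resp.src_ip != pending.upstream or resp.dst_port != pending.src_port:
        return None                      # not aimed at our outstanding query
    if resp.txid != pending.txid or resp.qname.lower() != pending.qname.lower():
        return None                      # wrong transaction
    return {n: ip for n, ip in resp.records.items() if in_bailiwick(zone, n)}


def brute_force_txid(pending, zone, attacker_port_guess, forged_records):
    """Blind attacker: spoof the upstream IP and try all 65536 TXIDs at one port.

    Returns the records that got cached, or None if nothing was accepted.
    Only the port guess limits the attacker: a resolver that always uses the
    same port gives 2**16 possibilities, a random port gives 2**32.
    """
    for txid in range(65536):
        forged = Response(txid, attacker_port_guess, pending.upstream,
                          pending.qname, forged_records)
        cached = accept_response(pending, forged, zone)
        if cached:
            return cached
    return None


def forge_success_probability(packets, port_randomized):
    """Chance that `packets` random guesses poison one outstanding query."""
    space = 2 ** 16 * (2 ** 16 if port_randomized else 1)
    return 1 - (1 - 1 / space) ** packets


# Constructed scenario: the attacker made the resolver look up a random name
# in example.com (Kaminsky style) and now forges an answer whose extra
# record rewrites www.example.com. That record IS in bailiwick, so only the
# port/TXID race protects the resolver.
FIXED_PORT_QUERY = PendingQuery(0x1234, 53, "r4nd0m.example.com", "192.0.2.53")
RANDOM_PORT_QUERY = PendingQuery(0x1234, 40123, "r4nd0m.example.com", "192.0.2.53")
KAMINSKY_PAYLOAD = {"www.example.com": "203.0.113.66"}
OUT_OF_BAILIWICK_PAYLOAD = {"www.bank.example": "203.0.113.66"}

if __name__ == "__main__":
    print("fixed port, in-bailiwick forgery:",
          brute_force_txid(FIXED_PORT_QUERY, "example.com", 53, KAMINSKY_PAYLOAD))
    print("fixed port, out-of-bailiwick forgery:",
          brute_force_txid(FIXED_PORT_QUERY, "example.com", 53, OUT_OF_BAILIWICK_PAYLOAD))
    print("random port, in-bailiwick forgery:",
          brute_force_txid(RANDOM_PORT_QUERY, "example.com", 53, KAMINSKY_PAYLOAD))
    print("P(success) with 65536 packets, fixed port:",
          round(forge_success_probability(65536, False), 3))
    print("P(success) with 65536 packets, random port:",
          forge_success_probability(65536, True))
```

The fixed-port resolver is poisoned by the in-bailiwick payload once the brute force hits the right TXID, the out-of-bailiwick payload is never cached even with the right TXID, and the random-port resolver rejects every packet because the attacker's port guess is wrong. Real resolvers also check that the response's question section and the RR types line up, and a DNSSEC-validating resolver would reject the forged record regardless of the race.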
Other threats: https://www.globaldots.com/resources/blog/recursive-dns-security-gaps-and-how-to-address-them/
Performance degradation: if the resolver is not configured correctly, reverse lookups for RFC1918 addresses (private addressing: 10/8, 172.16/12, 192.168/16, i.e. names under in-addr.arpa that nobody on the public Internet is authoritative for) are leaked to the root name servers (RNS) and the AS112 sink servers instead of being answered locally, adding useless upstream traffic and degrading service for legitimate queries to those servers. Current resolvers answer these zones locally by default (BIND's built-in empty zones, Unbound's default local-zones); the fix is to keep that enabled or serve the reverse zones for your own private ranges.
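A small audit over resolver query logs that looks for the two misconfigurations discussed on this page: recursion requested from outside the resolver's own client networks (the open-resolver / amplification-reflector case, including a burst of ANY queries from one source) and reverse lookups for RFC1918 addresses that would otherwise leak upstream. This is an added example, not from the original notes or the linked article. The `key=value` log format and the sample lines are constructed for the example, not any real resolver's format, and `ALLOWED_CLIENTS` is an assumed site policy; adapt the regex and the networks to your own BIND or Unbound logs.

```python
import ipaddress
import re
from collections import Counter

# Added example (not from the original notes): audit constructed query-log
# lines for open-resolver abuse and RFC1918 reverse-lookup leaks.
# The log format below is invented for the example; real resolvers differ.

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed policy: the resolver should only recurse for these networks.
ALLOWED_CLIENTS = [ipaddress.ip_network("192.168.0.0/16"),
                   ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log: one normal client, one outside host hammering
# ANY, one private reverse lookup, one public reverse lookup.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z client=192.168.1.20 qname=www.example.com qtype=A rd=1
2024-05-01T10:00:02Z client=198.51.100.9 qname=example.com qtype=ANY rd=1
2024-05-01T10:00:02Z client=198.51.100.9 qname=example.com qtype=ANY rd=1
2024-05-01T10:00:02Z client=198.51.100.9 qname=example.com qtype=ANY rd=1
2024-05-01T10:00:03Z client=192.168.1.21 qname=5.1.168.192.in-addr.arpa qtype=PTR rd=1
2024-05-01T10:00:04Z client=10.0.0.8 qname=9.8.7.203.in-addr.arpa qtype=PTR rd=1
"""

LINE_RE = re.compile(
    r"client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+) rd=(?P<rd>[01])")


def in_any(ip, nets):
    return any(ip in n for n in nets)


def reverse_target(qname):
    """For w.z.y.x.in-addr.arpa return the IPv4 address x.y.z.w, else None."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.ip_address(".".join(reversed(labels[:4])))
    except ValueError:
        return None


def audit(log_text, allowed=ALLOWED_CLIENTS, any_threshold=3):
    """Return (kind, client, detail) findings for the log text."""
    findings = []
    any_count = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        client = ipaddress.ip_address(m["client"])
        qname, qtype, rd = m["qname"], m["qtype"].upper(), m["rd"] == "1"

        # Recursion desired from a non-client: we are acting as an open
        # resolver and can be used as a reflector for spoofed queries.
        if rd and not in_any(client, allowed):
            findings.append(("open-resolver", str(client), qname))

        # ANY queries give the largest answers; a burst from one source is
        # the classic amplification pattern.
        if qtype == "ANY":
            any_count[str(client)] += 1

        # Reverse lookups for private space should never leave the site.
        target = reverse_target(qname)
        if target is not None and in_any(target, RFC1918):
            findings.append(("rfc1918-reverse", str(client), qname))

    for client, n in any_count.items():
        if n >= any_threshold:
            findings.append(("amplification-pattern", client, f"{n} ANY queries"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

On the sample input the audit flags the three recursion requests from 198.51.100.9 as open-resolver use, the same host for its ANY burst, and the 192.168.1.5 reverse lookup as an RFC1918 query that must be answered locally; the 203.7.8.9 reverse lookup is legitimate. The corresponding fixes are `allow-recursion` (BIND) or `access-control` (Unbound) limited to your client networks, response rate limiting, and leaving the resolvers' built-in empty RFC1918 reverse zones enabled.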