Why recursive or iterative DNS?

Faults of recursive DNS

  • Recursive DNS servers are more vulnerable to DOS

    • https://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack/
    • TLDR:
      • DNS resolution is typically UDP.
      • You can do fire and forget, similar to SMURF attacks
      • Just attach the IP of your target for DDos’ing.
      • DNS resolution response can be really large:
        • 64 byte query -> 3223 byte response
        • ~50x amp.
      • So now your botnet is 50x more powerful and can cripple many more websites.
  • DNS cache poisoning

    • Trick DNS into believing a fake DNS query repsonse is authentic.
    • Since responses are cached, users will use the fake info.
  • Other threats: https://www.globaldots.com/resources/blog/recursive-dns-security-gaps-and-how-to-address-them/

  • root name servers (RNS) performance degradation If DNS servers are not configured correctly, queries using RFC1918 addressing (private addressing) may be leaked to RNS, causing degradation in service for legitimate queries to those serers.