Recursive DNS queries occur when a nameserver performs the complete DNS resolution process on behalf of a client. This differs from iterative queries where the server only responds with whatever information it has available. While recursive resolution is essential for caching resolvers, it should be disabled on authoritative nameservers for security reasons.
Open recursive DNS servers can be abused for DNS amplification attacks, where attackers spoof source IPs to direct large DNS responses to victims. According to DNS best practices, authoritative nameservers should never provide recursive resolution.
The dig command provides a straightforward way to test recursion:
dig @nameserver_ip example.com +norecurse
dig @nameserver_ip example.com +recurse
Compare the responses between these two queries. A properly configured authoritative nameserver should:
- Return identical responses for both queries
- Not actually perform recursion when +recurse is specified
- Include the "ra" (recursion available) flag only when appropriate
Let's test Google's public DNS (which should allow recursion):
$ dig @8.8.8.8 example.com +norecurse
; <<>> DiG 9.16.1-Ubuntu <<>> @8.8.8.8 example.com +norecurse
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
Now test an authoritative nameserver that shouldn't allow recursion:
$ dig @a.iana-servers.net example.com +recurse
; <<>> DiG 9.16.1-Ubuntu <<>> @a.iana-servers.net example.com +recurse
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
For batch testing multiple servers, you can use this bash script:
#!/bin/bash
servers=("8.8.8.8" "1.1.1.1" "your.nameserver.ip")
domain="example.com"
for server in "${servers[@]}"; do
echo "Testing $server"
dig @$server $domain +recurse | grep -E 'flags|ANSWER'
echo "------------------"
done
Key indicators in the dig output:
- ra flag: Recursion Available (should be absent on authoritative servers)
- Answer section: Non-authoritative answers suggest recursion occurred
- Query time: Recursive queries typically take longer
For comprehensive testing, consider these additional methods:
# Check for DNS amplification potential
dig @target.server ANY isc.org +subnet=0.0.0.0/0
# Test cache snooping
dig @target.server +norecurse A nonexistentsubdomain.example.com
Remember that some DNS servers may implement rate limiting or other protective measures that could affect your test results.
While dig is most common, other utilities can perform similar checks:
# Using host command
host -v -t a example.com nameserver.ip
# Using nslookup
nslookup -debug -type=any example.com nameserver.ip
Recursive DNS queries occur when a nameserver is asked to resolve a domain name it doesn't have in its cache. Instead of returning a referral, the server will query other nameservers on behalf of the client until it finds the answer or returns an error.
Open recursive resolvers can be abused for DNS amplification attacks. As a security best practice, authoritative nameservers should only answer queries for domains they're authoritative for and should not provide recursive resolution.
The dig command is the perfect tool for testing recursive resolution. Here's the basic syntax:
dig @nameserver domain +norec
Then test the same query with recursion:
dig @nameserver domain +rec
Let's test if Google's public DNS (8.8.8.8) allows recursion (which it should, as it's a public resolver):
dig @8.8.8.8 example.com +norec ; <<>> DiG 9.16.1-Ubuntu <<>> @8.8.8.8 example.com +norec ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 dig @8.8.8.8 example.com +rec ; <<>> DiG 9.16.1-Ubuntu <<>> @8.8.8.8 example.com +rec ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
The key difference is in the flags section of the response:
qr: Query response (present in both)rd: Recursion desired (set by client)ra: Recursion available (set by server if it supports recursion)
If you see ra in the flags when using +rec, the server supports recursive queries.
Here's a simple bash script to test multiple nameservers:
#!/bin/bash
servers=("8.8.8.8" "1.1.1.1" "9.9.9.9" "your.nameserver.ip")
domain="example.com"
for server in "${servers[@]}"; do
echo "Testing $server..."
if dig @$server $domain +rec +short | grep -q '[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+'; then
echo "$server allows recursive queries"
else
echo "$server does NOT allow recursive queries"
fi
done
If you manage your own nameservers, ensure they're properly configured:
- For authoritative servers: Disable recursion completely
- For recursive resolvers: Implement ACLs to restrict access
- Consider rate limiting to prevent abuse