Skip to main content

What's a recursive DNS query?

There are two types of DNS queries:
  • Recursive query
  • Iterative query

In a recursive query, the DNS resolver will respond with the final result, best answer it has or an error message. How it responds depends on what kind of DNS server it is. A recursive resolver will respond with the final IP address (or set of IPs). A non-recursive DNS server (Root or GTLD) will respond with the best answer it has.

In an iterative query, the DNS resolver is required to provide the best answer it has. Assuming the queried record is not in the server’s cache, the DNS client will receive the referral to the next DNS server in the resolution path.

Recursive and interative DNS queries diagram
That’s the theory. Let's look at practical examples.

Recursive query

DNS resolvers that are used by the DNS clients are referred to as “recursive resolvers”. Their purpose is to handle the queries, return the final resolution result and cache the response. 

When a DNS client queries a recursive DNS resolver it receives the IP address (or an error). Recursive query is default for dig, we don't need any flags to simulate it. 

dig www.securesenses.net @8.8.8.8                  
; <<>> DiG 9.10.6 <<>> www.securesenses.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63739
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.securesenses.net.        IN    A
;; ANSWER SECTION:
www.securesenses.net.    1800    IN    CNAME    ghs.google.com.
ghs.google.com.        300    IN    A    142.250.75.19

Recursive DNS query

The response shows that the DNS resolver is recursive ("Recursion available" bit is set). The response contains the intermediary CNAME and the final A record.

Recursive DNS query

Iterative query

We can use dig with +norecurse flag to issue an iterative query. An iterative query will have the "Recursion desired" bit disabled as shown below:

Iterative DNS query

Most public DNS resolvers will reject iterative queries.  In the examples below we query two different DNS resolvers and receive two different error messages. First resolver returns "Refused" error, the second one responds with "Server failure" error. For a detailed explanation of the errors response see DNS response and error types.

dig www.securesenses.net @88.156.64.21  +norecurse
; <<>> DiG 9.10.6 <<>> www.securesenses.net @88.156.64.21 +norecurse
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED
, id: 22875
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

DNS error query refused

dig www.securesenses.net @8.8.8.8  +norecurse    
; <<>> DiG 9.10.6 <<>> www.securesenses.net @8.8.8.8 +norecurse
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33028
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

 
As shown above DNS resolvers (aka recursive resolvers) don't support iterative queries. They are used between the Resolvers, the Root servers and the TLD servers. Let's query them.

Root server (l.root-servers.net.)

The root server returns the referral to the GTLD servers authoritative for the NET zone.

dig www.securesenses.net @199.7.83.42 +norecurse
; <<>> DiG 9.10.6 <<>> www.securesenses.net @199.7.83.42 +norecurse
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26582
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 27
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.securesenses.net.        IN    A
;; AUTHORITY SECTION:
net.            172800    IN    NS    a.gtld-servers.net.
net.            172800    IN    NS    b.gtld-servers.net.
net.            172800    IN    NS    c.gtld-servers.net.
net.            172800    IN    NS    d.gtld-servers.net.
net.            172800    IN    NS    e.gtld-servers.net.
net.            172800    IN    NS    f.gtld-servers.net.
net.            172800    IN    NS    g.gtld-servers.net.
net.            172800    IN    NS    h.gtld-servers.net.
net.            172800    IN    NS    i.gtld-servers.net.
net.            172800    IN    NS    j.gtld-servers.net.
net.            172800    IN    NS    k.gtld-servers.net.
net.            172800    IN    NS    l.gtld-servers.net.
net.            172800    IN    NS    m.gtld-servers.net.


Recuresive DNS query recursion not available

GTLD server (l.gtld-servers.net.) 

The GTLD server returns referral to the Authoritative Servers (also referred to as NS servers). Those servers are authoritative for the securesenses.net. zone.
dig www.securesenses.net @192.41.162.30 +norecurse
; <<>> DiG 9.10.6 <<>> www.securesenses.net @192.41.162.30 +norecurse
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4978
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.securesenses.net.        IN    A
;; AUTHORITY SECTION:
securesenses.net.    172800    IN    NS    ns-cloud-e1.googledomains.com.
securesenses.net.    172800    IN    NS    ns-cloud-e2.googledomains.com.
securesenses.net.    172800    IN    NS    ns-cloud-e3.googledomains.com.
securesenses.net.    172800    IN    NS    ns-cloud-e4.googledomains.com.
 
Recuresive DNS query recursion not available

Recursive query against a non-recursive server

When we query a non-recursive server (for example Root or GTLD), the server responds with the best answer it has. In the example below the Root server refers the DNS client to the GTLD server - which is the same behaviour as when we issued an iterative query.

dig www.securesenses.net @199.7.83.42             
; <<>> DiG 9.10.6 <<>> www.securesenses.net @199.7.83.42
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31938
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 27
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.securesenses.net.        IN    A
;; AUTHORITY SECTION:
net.            172800    IN    NS    a.gtld-servers.net.
net.            172800    IN    NS    b.gtld-servers.net.
net.            172800    IN    NS    c.gtld-servers.net.
net.            172800    IN    NS    d.gtld-servers.net.
net.            172800    IN    NS    e.gtld-servers.net.
net.            172800    IN    NS    f.gtld-servers.net.
net.            172800    IN    NS    g.gtld-servers.net.
net.            172800    IN    NS    h.gtld-servers.net.
net.            172800    IN    NS    i.gtld-servers.net.
net.            172800    IN    NS    j.gtld-servers.net.
net.            172800    IN    NS    k.gtld-servers.net.
net.            172800    IN    NS    l.gtld-servers.net.
net.            172800    IN    NS    m.gtld-servers.net.

Recuresive DNS query

See the full resultion path using dig +trace

dig www.securesenses.net @8.8.8.8 +trace

Step 1 - list of root servers

 <<>> DiG 9.10.6 <<>> www.securesenses.net @8.8.8.8 +trace
;; global options: +cmd
.            23937    IN    NS    m.root-servers.net.
.            23937    IN    NS    b.root-servers.net.

Step 2 - list of GTLD servers authoritative for NET. zone

net.            172800    IN    NS    i.gtld-servers.net.
net.            172800    IN    NS    e.gtld-servers.net.

Step 3 - list of NS (authoritative servers) for securesenses.net. 

securesenses.net.    172800    IN    NS    ns-cloud-e1.googledomains.com.
securesenses.net.    172800    IN    NS    ns-cloud-e2.googledomains.com.
securesenses.net.    172800    IN    NS    ns-cloud-e3.googledomains.com.
securesenses.net.    172800    IN    NS    ns-cloud-e4.googledomains.com.

Step 4 - final result - in the last step we get the CNAME, dig +trace does not resolve it to the final IP

www.securesenses.net.    1800    IN    CNAME    ghs.google.com.

This is what it looks like in Wireshark

DNS resultion path dig trace


Comments

Popular posts from this blog

x.509 Certificates - Critical vs non-critical extensions

Extensions are used to associate additional information with the user or the key.  Each certificate extension has three attributes - extnID, critical, extnValue extnID - Extension ID - an OID that specifies the format and definitions of the extension critical - Critical flag - Boolean value extnValue - Extension value  Criticality flag specifies whether the information in an extension is important. If an application doesn't recognize the extension marked as critical, the certificate cannot be accepted. If an extension is not marked as critical (critical value False) it can be ignored by an application. In Windows, critical extensions are marked with a yellow exclamation mark,  View certificate extensions using OpenSSL: # openssl x509 -inform pem -in cert.pem -text -noout (output abbreviated)         X509v3 extensions:             X509v3 Key Usage: critical                 Digital Signature, Key Encipherment             X509v3 Subject Key Identifier

Count number of lines - 'findstr'

How do I count number of lines in a command output? findstr /r/n "^" | find /c ":" Above commands will display number of lines output by whatever command (well, nearly whatever) you specify in the front.  For example:  C:\>ping localhost | findstr /r/n "^" | find /c ":" FINDSTR: // ignored 12 This comes handy if you want to find out how many OUs you have in Active Directory: dsquery ou  -limit 0 | findstr /r/n "^" | find /c ":" How many user accounts there are: dsquery user -limit 0 | findstr /r/n "^" | find /c ":" Computers: dsquery computer -limit | findstr /r/n "^" | find /c ":"

Cisco ASA Certificate Revocation Checking

ASA supports status verification using CRLs and OCSP. CRL can be retrieved using HTTP, LDAP or SCEP. Revocation checking using CRL: Over HTTP: ciscoasa(config)# crypto ca trustpoint ASDM_TrustPoint2 ciscoasa(config-ca-trustpoint)# revocation-check crl ciscoasa(config-ca-crl)# protocol http By default ASA will use address listed in CDP extension of the certificate that is being validated.  To override default behaviour we need to add the following in the CRL configuration context. ciscoasa(config-ca-crl)# policy static ciscoasa(config-ca-crl)# url 1 http://cdpurl.kp.local/crl.crl Over LDAP: Certificate I'm using for this lab, doesn't have LDAP address in its CDP extension. Therefore I'm using "policy static"  to specify LDAP URL where CRL can be retrieved.  ciscoasa(config)# crypto ca trustpoint ASDM_TrustPoint2 ciscoasa(config-ca-trustpoint)# revocation-check crl ciscoasa(config-ca-trustpoint)# crl configure ciscoasa