What's a recursive DNS query?

There are two types of DNS queries:

• Recursive query
• Iterative query
  

In a recursive query, the DNS resolver will respond with the final result, best answer it has or an error message. How it responds depends on what kind of DNS server it is. A recursive resolver will respond with the final IP address (or set of IPs). A non-recursive DNS server (Root or GTLD) will respond with the best answer it has.

In an iterative query, the DNS resolver is required to provide the best answer it has. Assuming the queried record is not in the server’s cache, the DNS client will receive the referral to the next DNS server in the resolution path.

That’s the theory. Let's look at practical examples.

Recursive query

DNS resolvers that are used by the DNS clients are referred to as “recursive resolvers”. Their purpose is to handle the queries, return the final resolution result and cache the response. 

When a DNS client queries a recursive DNS resolver it receives the IP address (or an error). Recursive query is default for dig, we don't need any flags to simulate it. 

dig www.securesenses.net @8.8.8.8                  
; <<>> DiG 9.10.6 <<>> www.securesenses.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63739
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.securesenses.net.        IN    A
;; ANSWER SECTION:
www.securesenses.net.    1800    IN    CNAME    ghs.google.com.
ghs.google.com.        300    IN    A    142.250.75.19

The response shows that the DNS resolver is recursive ("Recursion available" bit is set). The response contains the intermediary CNAME and the final A record.

Iterative query

We can use dig with +norecurse flag to issue an iterative query. An iterative query will have the "Recursion desired" bit disabled as shown below:

Most public DNS resolvers will reject iterative queries.  In the examples below we query two different DNS resolvers and receive two different error messages. First resolver returns "Refused" error, the second one responds with "Server failure" error. For a detailed explanation of the errors response see DNS response and error types.

dig www.securesenses.net @88.156.64.21  +norecurse
; <<>> DiG 9.10.6 <<>> www.securesenses.net @88.156.64.21 +norecurse
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 22875
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

dig www.securesenses.net @8.8.8.8  +norecurse    
; <<>> DiG 9.10.6 <<>> www.securesenses.net @8.8.8.8 +norecurse
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33028
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

 

 

As shown above DNS resolvers (aka recursive resolvers) don't support iterative queries. They are used between the Resolvers, the Root servers and the TLD servers. Let's query them.

Root server (l.root-servers.net.)

The root server returns the referral to the GTLD servers authoritative for the NET zone.

dig www.securesenses.net @199.7.83.42 +norecurse
; <<>> DiG 9.10.6 <<>> www.securesenses.net @199.7.83.42 +norecurse
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26582
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 27
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.securesenses.net.        IN    A
;; AUTHORITY SECTION:
net.            172800    IN    NS    a.gtld-servers.net.
net.            172800    IN    NS    b.gtld-servers.net.
net.            172800    IN    NS    c.gtld-servers.net.
net.            172800    IN    NS    d.gtld-servers.net.
net.            172800    IN    NS    e.gtld-servers.net.
net.            172800    IN    NS    f.gtld-servers.net.
net.            172800    IN    NS    g.gtld-servers.net.
net.            172800    IN    NS    h.gtld-servers.net.
net.            172800    IN    NS    i.gtld-servers.net.
net.            172800    IN    NS    j.gtld-servers.net.
net.            172800    IN    NS    k.gtld-servers.net.
net.            172800    IN    NS    l.gtld-servers.net.
net.            172800    IN    NS    m.gtld-servers.net.

GTLD server (l.gtld-servers.net.) 

The GTLD server returns referral to the Authoritative Servers (also referred to as NS servers). Those servers are authoritative for the securesenses.net. zone.

dig www.securesenses.net @192.41.162.30 +norecurse
; <<>> DiG 9.10.6 <<>> www.securesenses.net @192.41.162.30 +norecurse
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4978
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.securesenses.net.        IN    A
;; AUTHORITY SECTION:
securesenses.net.    172800    IN    NS    ns-cloud-e1.googledomains.com.
securesenses.net.    172800    IN    NS    ns-cloud-e2.googledomains.com.
securesenses.net.    172800    IN    NS    ns-cloud-e3.googledomains.com.
securesenses.net.    172800    IN    NS    ns-cloud-e4.googledomains.com.

 

Recursive query against a non-recursive server

When we query a non-recursive server (for example Root or GTLD), the server responds with the best answer it has. In the example below the Root server refers the DNS client to the GTLD server - which is the same behaviour as when we issued an iterative query.

dig www.securesenses.net @199.7.83.42             

; <<>> DiG 9.10.6 <<>> www.securesenses.net @199.7.83.42

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31938

;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 27

;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;www.securesenses.net.        IN    A

;; AUTHORITY SECTION:

net.            172800    IN    NS    a.gtld-servers.net.

net.            172800    IN    NS    b.gtld-servers.net.

net.            172800    IN    NS    c.gtld-servers.net.

net.            172800    IN    NS    d.gtld-servers.net.

net.            172800    IN    NS    e.gtld-servers.net.

net.            172800    IN    NS    f.gtld-servers.net.

net.            172800    IN    NS    g.gtld-servers.net.

net.            172800    IN    NS    h.gtld-servers.net.

net.            172800    IN    NS    i.gtld-servers.net.

net.            172800    IN    NS    j.gtld-servers.net.

net.            172800    IN    NS    k.gtld-servers.net.

net.            172800    IN    NS    l.gtld-servers.net.

net.            172800    IN    NS    m.gtld-servers.net.

See the full resultion path using dig +trace

dig www.securesenses.net @8.8.8.8 +trace

Step 1 - list of root servers

 <<>> DiG 9.10.6 <<>> www.securesenses.net @8.8.8.8 +trace
;; global options: +cmd
.            23937    IN    NS    m.root-servers.net.
.            23937    IN    NS    b.root-servers.net.

Step 2 - list of GTLD servers authoritative for NET. zone

net.            172800    IN    NS    i.gtld-servers.net.
net.            172800    IN    NS    e.gtld-servers.net.

Step 3 - list of NS (authoritative servers) for securesenses.net. 

securesenses.net.    172800    IN    NS    ns-cloud-e1.googledomains.com.
securesenses.net.    172800    IN    NS    ns-cloud-e2.googledomains.com.
securesenses.net.    172800    IN    NS    ns-cloud-e3.googledomains.com.
securesenses.net.    172800    IN    NS    ns-cloud-e4.googledomains.com.

Step 4 - final result - in the last step we get the CNAME, dig +trace does not resolve it to the final IP

www.securesenses.net.    1800    IN    CNAME    ghs.google.com.

This is what it looks like in Wireshark