Security check - recursion
The Security check - recursion attempts recursive queries on all public DNS servers that serve the specific domain.
Authoritative DNS servers face different security threats than recursive resolvers and, for security reasons, should not reside on the same server unless necessity dictates it. An authoritative DNS server that serves a fixed set of zones should be configured to respond only to queries for those zones. It is generally considered poor security design for a publicly available authoritative DNS server to also act as a recursive resolver.
Some DNS software has both abilities, and both are generally left active in the default configuration. Such servers must be configured so that they do not respond to recursive queries.
More recent DNS server developments use separate software for authoritative and recursive servers.
The check will report an event if a server allows recursive queries.
Event severities and messages
ERROR
Corrupt or malformed response from nameserver.
The check received a malformed response from the name server, or the response data was corrupted or otherwise unreadable. This may be a matter of interpretation: it could very well be an intentional response configured to confuse the client, but the check can't be sure of that, so at DNSmonitor we choose to treat such a response as a fail. If you know that your server intentionally responds this way and you think the ERROR response is wrong, you can easily disable this check. Otherwise you need to revise the configuration of the particular name server.
Recursion request was allowed.
The check received answer data in the recursive query response. The authoritative server is most likely an open resolver.
This is strongly discouraged, since many known vulnerabilities are found in the resolver function of DNS server software. It could expose the authoritative server to a wide range of attacks, including DoS and cache poisoning attacks.
You are advised to reconfigure your DNS server to refuse recursive queries. If you really need an open resolver, set up a separate recursive resolver on a different server.
UNKNOWN
Recursion query timed out. Test result is inconclusive.
The query to the server timed out for unknown reasons. This could indicate one of four things:
- The DNS service is unreachable over UDP on port 53.
- The network is down.
- A firewall or IPS is blocking the recursion request, or
- The DNS is configured to drop incoming recursion requests.
Unexpected response from server with a return code.
The check failed with an unexpected return code. This is a very unusual message and should be investigated separately. Please report it through the normal support channel.
Unable to perform check due to input data failure.
When this message appears, usually one of the queries leading up to the final query has received an empty or garbled response. Please report this through the normal support channel.
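The following Python script is an added example and is not DNSmonitor's own check code. It shows the essence of the probe described above: a query with the RD (recursion desired) bit set is sent to a name server over UDP port 53, and the reply is classified into the outcomes the event list distinguishes (answer data present, refused, timed out, malformed, unexpected return code). It assumes the probed name (probe.example. in the test data) lies outside the zones the server is authoritative for, so that answer data without the AA flag can only come from the server recursing on the client's behalf; the sample responses are constructed inline rather than captured from a real server.

```python
import secrets
import socket
import struct

# Outcome labels; the mapping to DNSmonitor's event messages is this example's own:
#   "allowed"    -> Recursion request was allowed
#   "refused"    -> no event (server refused or returned no out-of-zone data)
#   "timeout"    -> Recursion query timed out
#   "malformed"  -> Corrupt or malformed response from nameserver
#   "unexpected" -> Unexpected response from server with a return code
RCODE_NOERROR, RCODE_REFUSED = 0, 5


def build_recursive_query(qname, qid=None):
    """Build a wire-format DNS A/IN query for `qname` with only the RD bit set."""
    if qid is None:
        qid = secrets.randbelow(65536)  # random ID, as a real resolver would use
    flags = 0x0100  # QR=0 (query), RD=1 (recursion desired)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    question += b"\x00" + struct.pack("!HH", 1, 1)  # root label, QTYPE=A, QCLASS=IN
    return header + question


def classify_response(query, response):
    """Classify a raw response to `query` (None means the UDP read timed out)."""
    if response is None:
        return "timeout"
    if len(response) < 12:
        return "malformed"  # shorter than a DNS header
    rid, flags, _qdcount, ancount, _nscount, _arcount = struct.unpack("!HHHHHH", response[:12])
    (qid,) = struct.unpack("!H", query[:2])
    if rid != qid or not flags & 0x8000:
        return "malformed"  # wrong transaction ID or QR bit not set
    rcode = flags & 0x000F
    aa = bool(flags & 0x0400)
    # Answer records for a name the server is not authoritative for (AA=0)
    # mean the server resolved it for us: an open resolver.
    if ancount > 0 and not aa:
        return "allowed"
    if rcode in (RCODE_NOERROR, RCODE_REFUSED):
        return "refused"
    return "unexpected"


def probe(server_ip, qname="probe.example.", timeout=3.0):
    """Send the probe over UDP/53 and classify the reply (network I/O; not exercised by the tests)."""
    query = build_recursive_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server_ip, 53))
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            response = None
    return classify_response(query, response)


def make_response(query, ra, aa, rcode, answer_ip=None):
    """Construct a reply to `query` for offline testing (constructed data, not a capture)."""
    flags = 0x8000 | 0x0100 | (0x0080 if ra else 0) | (0x0400 if aa else 0) | (rcode & 0xF)
    ancount = 1 if answer_ip else 0
    header = query[:2] + struct.pack("!HHHHH", flags, 1, ancount, 0, 0)
    body = query[12:]  # echo the question section
    if answer_ip:
        # One A record: name pointer to offset 12, TYPE=A, CLASS=IN, TTL=60, RDLENGTH=4
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(answer_ip)
    return header + body


if __name__ == "__main__":
    q = build_recursive_query("probe.example.")
    print("open resolver :", classify_response(q, make_response(q, True, False, RCODE_NOERROR, "192.0.2.1")))
    print("refused       :", classify_response(q, make_response(q, False, False, RCODE_REFUSED)))
    print("timed out     :", classify_response(q, None))
```

The probe() function is what would run against each public name server for the domain; classify_response() is kept separate so the decision logic can be exercised on stored responses without network access.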
Solutions, tips & tricks
In BIND, the configuration statement recursion boolean; controls whether the server answers recursive queries.
The following options block disables recursion altogether:
options {
    recursion no;
};
If the recursion statement is omitted, the BIND server defaults to recursion yes and will respond to recursive queries.
The NSD server is an authoritative only name server.
The Knot DNS server is an authoritative only name server.