A closer look at recursive DNS
When most people think of DNS servers, they naturally focus on the authoritative side. Every domain on the internet must have authoritative DNS servers that hold its records (including the IP addresses of its hosts) and answer for them. However, the majority of DNS answers that clients actually receive come from the cache of a recursive server, which does the work of finding the address of the site or computer you are trying to reach on your behalf.
The idea of a recursive server as a point of weakness first came to light in 1997, when the owner of a Washington State-based domain name registrar was arrested for violating federal computer fraud statutes: he had exploited a flaw in a competitor's recursive server to redirect its users' traffic to his own site. Many of the DNS-related compromises and breaches since then have involved vulnerabilities in recursive (caching) server code rather than in authoritative servers.
In many situations, recursive servers are running on outdated software without the security and attention afforded to the authoritative server. This is an oversight, considering that everyone – whether they know it or not – relies on recursive servers to get the answer to their DNS queries.
The need for a reliable and secure recursive DNS service
For all practical purposes, if your recursive service goes down, so does your internet access: nothing that begins with a name lookup will work. Your recursive service therefore needs a reliable path not only to you but also to the rest of the internet, because it must reach the authoritative servers to answer anything it has not cached.
Given the importance of DNS – and recursive DNS in particular – the cyber-criminals of today have started to refocus efforts on this central part of the internet infrastructure, leaving many companies vulnerable to attack.
By feeding a susceptible recursive server forged answers (or by compromising an authoritative server so that it hands out the attacker's data), criminals can, for example, lure unsuspecting visitors to a fraudulent site instead of their intended destination. When the forged records end up stored in a recursive server's cache, where they are then served to every client of that server until they expire, the practice is referred to in industry terms as "DNS cache poisoning."
Let's look at a possible scenario related to online banking. A user whose recursive server's cache has been "poisoned" may type the website address of his or her bank correctly into a browser, but is unknowingly sent to a fraudulent "mirror" site designed to collect sensitive personal and financial data. Any information the visitor sends or receives passes through the attacker.
(Typically, the only signal a web user gets is the browser's certificate warning: poisoning redirects the connection, but a redirected HTTPS session will still fail certificate validation unless the attacker has also obtained a certificate for the bank's name. A site reached over plain HTTP gives no such warning at all.)
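The checks that decide whether a forged answer lands in the cache, as an added example that is not code from the original article. The model below builds DNS wire-format responses, then runs them through a cache that (a) matches the transaction ID against the outstanding query, (b) matches the question section, and (c) discards "additional" records that fall outside the bailiwick of the server that was asked, which is the classic way a poisoned record for a bank was smuggled in alongside a legitimate answer for an unrelated name. The names (cdn.ad-network.example., www.bank.example.), addresses, and the `PendingQuery`/`Cache` types are constructed for this example; a production resolver also matches the UDP source port and query type and, where DNSSEC is deployed, validates signatures, none of which is modeled here.

```python
# Added example, not code from the original article: a minimal model of the
# checks a caching resolver applies before it accepts a UDP response and
# stores records from it. All packets, names and addresses are constructed.
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

A_RECORD = 1  # RR type A, class IN


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Return (lower-cased name with trailing dot, offset just after the name)."""
    labels: List[str] = []
    while True:
        length = msg[off]
        if length & 0xC0:
            raise ValueError("compression pointers are not used in this example")
        off += 1
        if length == 0:
            return ".".join(labels).lower() + ".", off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_response(txid: int, qname: str, answers: List[Tuple[str, int, str]],
                   additional: List[Tuple[str, int, str]]) -> bytes:
    """Build a response: standard header, one IN A question, then A records."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, len(additional))
    body = encode_name(qname) + struct.pack("!HH", A_RECORD, 1)
    for name, ttl, ip in answers + additional:
        rdata = bytes(int(octet) for octet in ip.split("."))
        body += encode_name(name) + struct.pack("!HHIH", A_RECORD, 1, ttl, len(rdata)) + rdata
    return header + body


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is at or below the zone the queried server is authoritative for."""
    return name == zone or name.endswith("." + zone)


@dataclass
class PendingQuery:
    txid: int        # random 16-bit id the resolver put in its outgoing query
    qname: str       # the question it asked
    bailiwick: str   # zone served by the authoritative server it asked


@dataclass
class Cache:
    check_bailiwick: bool = True                 # False models an old, naive cache
    records: Dict[str, str] = field(default_factory=dict)

    def accept(self, pending: PendingQuery, packet: bytes) -> str:
        """Validate a response against the outstanding query; cache what passes."""
        txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
        if txid != pending.txid:
            return "rejected: transaction id mismatch"
        off = 12
        qname, off = decode_name(packet, off)
        off += 4                                  # skip qtype and qclass
        if qd != 1 or qname != pending.qname:
            return "rejected: question section does not match"
        stored, dropped = 0, 0
        for _ in range(an + ns + ar):
            name, off = decode_name(packet, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
            off += 10
            rdata, off = packet[off:off + rdlen], off + rdlen
            if rtype != A_RECORD:
                continue
            if self.check_bailiwick and not in_bailiwick(name, pending.bailiwick):
                dropped += 1                      # out-of-zone data is not trusted
                continue
            self.records[name] = ".".join(str(b) for b in rdata)
            stored += 1
        return f"accepted: stored {stored}, dropped {dropped}"


def demo() -> Dict[str, str]:
    """Run constructed responses through a checked and an unchecked cache."""
    pending = PendingQuery(txid=0x4A1F, qname="cdn.ad-network.example.",
                           bailiwick="ad-network.example.")
    answer = [("cdn.ad-network.example.", 300, "192.0.2.10")]
    poison = [("www.bank.example.", 86400, "203.0.113.66")]  # attacker's address
    forged_id = build_response(0x1111, pending.qname, answer, poison)
    poisoned = build_response(pending.txid, pending.qname, answer, poison)
    checked, unchecked = Cache(), Cache(check_bailiwick=False)
    return {
        "wrong_txid": checked.accept(pending, forged_id),
        "checked": checked.accept(pending, poisoned),
        "checked_bank": checked.records.get("www.bank.example.", "not cached"),
        "unchecked": unchecked.accept(pending, poisoned),
        "unchecked_bank": unchecked.records.get("www.bank.example.", "not cached"),
    }
```

Calling `demo()` shows the three outcomes side by side: a response with the wrong transaction ID is dropped outright, the bailiwick-checking cache stores the legitimate `cdn.ad-network.example.` answer but discards the bank record riding in the additional section, and the naive cache stores both, so its clients would be sent to the attacker's address for a day.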
To get the most out of your recursive server, you should look for one that is:
- Safe. It should maintain a real-time list of harmful Internet sites, warn end users when they are being redirected to these sites, and route users to alternate landing pages. Further, it should protect end users from phishing, malware installations, and other well-known online dangers.
- Smart. The recursive DNS server should automatically correct "typos" when end users enter non-existent domain names, redirecting these users to a landing page. Bear in mind that synthesizing an answer where the protocol would return NXDOMAIN is a deliberate departure from standard behavior: applications that depend on a non-existent-domain response, and DNSSEC-validating clients, will not tolerate it, so the feature should be something a customer can turn off.
- Fast. It should answer DNS requests immediately, using anycast or similar technology to route end users to the next closest node in the event of maintenance or downtime. Customers should also be able to exercise granular control over their own records in the cache, so that a change can be pushed out at once rather than waiting for the traditional time-to-live (TTL) to expire ("record-level cache invalidation"). Finally, the recursive server should hold a large cache of authoritative data so that few web users ever wait for it to fetch an answer.
- Reliable. The recursive DNS server should provide guaranteed availability with multiple locations (nodes) around the world. Each of these nodes should have multiple servers and be connected to the internet by several top-tier carriers.
Recursive and authoritative servers working together
From the client's point of view, DNS is a "two-phase" transaction. First, the client asks the recursive server for the answer to its query. If the recursive server does not have the answer cached, it goes and finds it: starting from the root servers, it follows referrals down through the top-level domain's servers to the domain's authoritative servers, and caches what it learns along the way. The bulk of DNS instability and performance problems lie in this second phase, between the recursive and authoritative servers, because every one of those exchanges crosses the public Internet.
When both the recursive and authoritative servers sit on the same network segment, queries that used to take 100 to 200 milliseconds (and more) across the public internet are now answered in less than one millisecond. This is a huge performance improvement for Internet users – and, more importantly, it makes a comprehensive recursive DNS service that much more attractive.
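The referral walk and the caching described in the two paragraphs above, as an added example that is not code from the original article. A toy recursive resolver walks three constructed in-memory authoritative servers (root, TLD, and the domain's own), counting upstream exchanges. It caches both the final answer and the delegations it learned, with the delegations kept longer, so that a cold lookup costs three round trips across the "public Internet," a warm lookup costs none, and a lookup after the A record's TTL expires costs one. Server names, zones, addresses and TTLs are constructed for this example; glue records, CNAME chasing, negative caching, retries and timeouts are omitted.

```python
# Added example, not code from the original article: a toy recursive resolver
# that walks constructed in-memory authoritative servers, to show where the
# upstream round trips go and which of them caching removes.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed authoritative servers: each serves one zone and either answers
# A queries for names it holds or refers the resolver to a child zone's server.
AUTH_SERVERS: Dict[str, Dict] = {
    "root-ns": {"zone": ".", "delegations": {"example.": "tld-ns"}},
    "tld-ns": {"zone": "example.", "delegations": {"bank.example.": "bank-ns"}},
    "bank-ns": {"zone": "bank.example.", "records": {"www.bank.example.": "192.0.2.20"}},
}
A_TTL = 300      # seconds a cached A record stays valid (constructed value)
NS_TTL = 86400   # delegations are typically cached far longer (constructed value)


def within(name: str, zone: str) -> bool:
    """True if name lies at or below zone ('.' contains everything)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def authoritative_lookup(server: str, qname: str) -> Tuple[str, object]:
    """One exchange with an authoritative server.

    Returns ('answer', ip), ('referral', (child_zone, child_server)) or ('nxdomain', None).
    """
    srv = AUTH_SERVERS[server]
    if qname in srv.get("records", {}):
        return "answer", srv["records"][qname]
    for zone, child in srv.get("delegations", {}).items():
        if within(qname, zone):
            return "referral", (zone, child)
    return "nxdomain", None


@dataclass
class RecursiveResolver:
    clock: float = 0.0                 # simulated time, in seconds
    upstream_queries: int = 0          # exchanges sent to authoritative servers
    a_cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)   # name -> (ip, expiry)
    ns_cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # zone -> (server, expiry)

    def _start_server(self, qname: str) -> str:
        """Start at the deepest still-valid delegation we already know, else at the root."""
        best, best_len = "root-ns", -1
        for zone, (server, expires) in self.ns_cache.items():
            if expires > self.clock and within(qname, zone) and len(zone) > best_len:
                best, best_len = server, len(zone)
        return best

    def resolve(self, qname: str) -> Optional[str]:
        hit = self.a_cache.get(qname)
        if hit and hit[1] > self.clock:
            return hit[0]              # phase one only: answered from cache
        server = self._start_server(qname)
        for _ in range(8):             # bound the referral chain
            self.upstream_queries += 1
            kind, value = authoritative_lookup(server, qname)
            if kind == "answer":
                self.a_cache[qname] = (value, self.clock + A_TTL)
                return value
            if kind == "referral":
                zone, server = value
                self.ns_cache[zone] = (server, self.clock + NS_TTL)
                continue
            return None                # nxdomain
        raise RuntimeError("referral chain too long")


def demo() -> Dict[str, int]:
    """Count upstream exchanges for a cold, a warm, and an expired lookup."""
    r = RecursiveResolver()
    r.resolve("www.bank.example.")     # cold: root-ns -> tld-ns -> bank-ns
    cold = r.upstream_queries
    r.resolve("www.bank.example.")     # warm: served from the A cache
    warm = r.upstream_queries
    r.clock += A_TTL + 1               # A record expired, delegations still cached
    r.resolve("www.bank.example.")     # only bank-ns needs to be asked again
    after_expiry = r.upstream_queries
    return {"cold": cold, "warm": warm, "after_a_expiry": after_expiry}
```

The counts returned by `demo()` make the article's point concrete: the cost of a lookup is in the exchanges with authoritative servers, and the cache, including the cached delegations, is what keeps most queries from ever leaving the recursive server.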
An easy solution
As networks become increasingly susceptible to network threats and attacks, DNS infrastructure protection that addresses both recursive and authoritative needs is imperative in ensuring optimal security. While the costs of a recursive DNS setup have historically been prohibitive (hardware, man-hours dedicated to deployment and maintenance, network connectivity and commitments, etc.), free and outsourced DNS services have recently been brought to market. Today, enterprises no longer need to devote capital to providing recursive DNS services to end users.
See original article on scmagazineus.com