Open recursive nameservers

This article explains some of the problems associated with open recursive nameservers and why they are not permitted on BitFolk's network.

Definition
Recursion is when your nameserver takes a query and then finds out the answer itself. A non-recursive server simply passes back a pointer to the authoritative nameserver that the client should query. An open recursive nameserver (ORNS) is misconfigured such that it provides recursion to a much wider audience than is strictly necessary, commonly to the entire Internet.

DDoS participation
DNS resolvers which offer recursion to the whole Internet are commonly used in DDoS attacks. An attacker creates a very large DNS record in a zone they control and sets it to have a very long TTL. They then send a query for this record to a list of ORNSs, with the source address spoofed to be that of the victim. Each of the ORNSs fetches the large record data and sends it to the supposed source of the query, flooding it with large answers to DNS queries it did not originate.

This is not a theoretical attack; VPS customers have in the past had their open recursive nameservers participate in DDoS attacks and have had to have filters applied to 53/UDP until they could disable recursion.

This danger to the rest of the Internet is the primary reason that ORNSs must be secured.

Cache poisoning
DNS cache poisoning refers to the malicious insertion of false data into a nameserver's cache. Many forms of cache poisoning attack are made easier when directed at an ORNS.

Resource hijacking
Nameservers known to offer recursion to anyone have also found themselves hardcoded into worms and other malware as a known-good source of DNS service. The subsequent rapid spread of the worm can lead to vastly increased traffic volume which does not go away when recursion is disabled. Even if the use is not malicious, you probably have no desire to allow everyone on the Internet to use your nameserver.

Fixing the problem
To fix this issue it is best to disable recursion. If your nameserver is an authoritative server for your domains then it should not offer recursion at all. If your nameserver is a caching resolver for your own use then recursion should be restricted to questions from your own IPs only. Also consider firewalling off your resolver to only allow access from IPs that should have it.

It is not recommended to use a single nameserver as both a caching resolver and an authoritative server.