We could talk a lot about DNS functionality; however, let’s concentrate for the moment on one major DNS component, the recursive DNS server.
Recursive DNS server explained.
The recursive DNS server is responsible for finding the data needed to answer users' queries. In computing, recursion refers to a method of solving a problem in which a program repeats the same procedure until it reaches its goal; here, the server keeps asking other DNS servers until it obtains the answer.
The recursive server operates between the authoritative DNS server and the end-users that make the requests.
Every time a user wants to visit a website, the user's device requests its domain name, and the recursive DNS server is the one that seeks its IP address (IPv4 or IPv6). Once the recursive server obtains the required IP address, it returns it to the device (browser) that initiated the request. The laptop, smartphone, or whatever device the user is using then receives the information and is able to connect to the IP address and load the website.
Types of lookup
The recursive DNS server could complete the lookup for the information in two different ways.
The first type of search takes longer to perform, because the recursive server has to follow a long path to get the wanted data. First it queries a root server, then the TLD (Top-Level Domain) server, and lastly the authoritative DNS server, which provides the answer to the query.
Throughout that path, the recursive server has only one goal – to search for the information.
The second type is the easier and quicker path: the recursive server gets the IP address from its cache. The server can store the data in its cache for a certain amount of time; administrators set how long by means of the TTL (time-to-live) value.
When the user makes a query, the recursive server first checks its cache for the IP address. If the data is still there and its TTL has not expired, the query is answered from the cache. That is a great advantage, because the response is quick and the recursive server does not have to ask other servers.
DNS cache poisoning attacks and Recursive DNS server
A DNS cache poisoning attack (DNS spoofing) occurs while the recursive DNS server is seeking an IP address from a different DNS server. The cybercriminal intercepts the request and, instead of the accurate data, supplies a fake answer, usually an IP address pointing to a malicious website. That is how the DNS cache poisoning attack is completed.
The issue is not just that the recursive server handed the user a fraudulent IP address. The server will also save that answer in its cache, which leads to a much bigger problem: every user who wants to visit that website will receive the fraudulent IP address and land on the malicious site. Such an attack could affect a lot of users.
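The two mechanisms described above, the TTL-bounded cache and the resolver's decision about which upstream answers are allowed into it, as an added illustration that is not code from the original article. The dict-shaped query and response messages, the `clock` parameter and the `zone` field are assumptions made for this example, not a real wire format.

```python
import time

# Constructed model of a recursive resolver's cache (not from the article).
# Messages are plain dicts for illustration; a real resolver parses DNS packets.

def normalize(name):
    return name.lower().rstrip(".")

def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or a subdomain of it."""
    name, zone = normalize(name), normalize(zone)
    return name == zone or name.endswith("." + zone)

def validate_response(pending, response):
    """Return the answer records that may be cached, or [] if the reply is rejected.
    `pending` is the query the resolver actually sent; `response` is what came back."""
    if response["txid"] != pending["txid"]:            # not a reply to our question
        return []
    if normalize(response["qname"]) != normalize(pending["qname"]) \
            or response["qtype"] != pending["qtype"]:  # answers a different question
        return []
    # Keep only records for names the queried server is responsible for; a reply
    # that smuggles in records for other domains must not poison the cache.
    return [rr for rr in response["answers"] if in_bailiwick(rr["name"], pending["zone"])]

class ResolverCache:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._entries = {}           # (name, type) -> (rdata, expires_at)

    def store(self, rr):
        key = (normalize(rr["name"]), rr["type"])
        self._entries[key] = (rr["rdata"], self._clock() + rr["ttl"])

    def lookup(self, name, rrtype):
        key = (normalize(name), rrtype)
        hit = self._entries.get(key)
        if hit is None:
            return None              # miss: recurse via root -> TLD -> authoritative
        rdata, expires_at = hit
        if self._clock() >= expires_at:
            del self._entries[key]   # TTL expired: treat as a miss and re-resolve
            return None
        return rdata
```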