
I am reviewing DNS concepts and came across this diagram: [diagram image of a DNS recursive query]

This diagram of a DNS recursive query seems inaccurate to me. From my understanding of DNS, the root name servers, the TLD name servers and the authoritative name servers do not perform recursive queries.

From my understanding a recursive resolver returns a response for a DNS query from its cache or makes a series of iterative queries to the root name server, TLD name server and authoritative name server until it gets the mapping from domain to IP.

This diagram seems to indicate that the resolver doesn't do these iterative steps and that the root name server, TLD name server also do recursive queries.

Given the contradiction between other sources and this diagram, I would like to know if this diagram is inaccurate or if my understanding of a recursive query is flawed.

1 Answer

No, the diagram is not accurate. Root servers never do recursion, and for that matter neither do TLD servers, nor servers authoritative for any other domain (in general). If a root server or a TLD server is queried for a domain that it isn't authoritative for, it'll only return a "referral" response.

(Accordingly, the "Recursive query" label is in the wrong place as well. The queries your PC or your local cache/proxy makes are recursive, but the ones made by the ISP's server aren't.)

You can test this using common DNS client tools – none of those servers restrict who can access them (i.e. they are not "ISPs only" or anything like that). For example, if you have dig installed, you can do:

dig superuser.com @a.root-servers.net

and even though the query had the "Recursion desired" bit (RD), the server will only reply with a referral – no answer records, only 'authority' records that point elsewhere.

On Windows you can do roughly the same using nslookup (maybe with the -d option or set debug to see the full response contents):

nslookup -d superuser.com a.root-servers.net

(You can even install your own DNS resolver on Linux, such as BIND or Unbound, and query it while watching the DNS packets it sends/receives through Wireshark.)


¹ Root servers themselves are just "authoritative servers" too – authoritative for the root domain . specifically. Likewise, TLD servers are merely servers that are authoritative for the top-level domain.
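The distinction the answer draws (a referral carries no answer records, only authority records that point elsewhere, and a server that will not recurse leaves the RA bit clear even when the client set RD) is easy to check on the wire. The following is an added example, not code from the question or answer: it builds the same query dig would send, with the RD bit set, then parses two constructed responses, one shaped like a root server's referral and one shaped like an ISP resolver's final answer, and classifies each by the section its records land in. The server names and addresses in the fixtures are made up; the message layout follows RFC 1035.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels; '' or '.' gives the root."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Standard A query; rd=True sets 'Recursion desired', which dig sets by default."""
    header = struct.pack("!HHHHHH", txid, RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)


def encode_rr(name: str, rtype: int, ttl: int, rdata: bytes) -> bytes:
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_response(query: bytes, flags: int, answers=(), authority=(), additional=()) -> bytes:
    """Test fixture: a response echoing the query's ID, question and RD bit (not a real server)."""
    txid, qflags = struct.unpack("!HH", query[:4])
    header = struct.pack("!HHHHHH", txid, QR | (qflags & RD) | flags,
                         1, len(answers), len(authority), len(additional))
    return header + query[12:] + b"".join(answers) + b"".join(authority) + b"".join(additional)


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_section(msg: bytes, off: int, count: int):
    """Parse `count` resource records; NS and A rdata are decoded to readable form."""
    rrs = []
    for _ in range(count):
        name, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == TYPE_NS:
            rdata, _ = read_name(msg, off)
        elif rtype == TYPE_A:
            rdata = ".".join(str(b) for b in rdata)
        off += rdlen
        rrs.append((name, rtype, ttl, rdata))
    return rrs, off


def classify_response(msg: bytes) -> dict:
    """Label a response as 'answer', 'referral', 'error' or 'empty' from its sections and flags."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    answers, off = parse_section(msg, off, an)
    authority, off = parse_section(msg, off, ns)
    additional, off = parse_section(msg, off, ar)
    if flags & 0x000F:
        kind = "error"
    elif answers:
        kind = "answer"
    elif any(r[1] == TYPE_NS for r in authority):
        kind = "referral"                          # no answer, just 'go ask these servers'
    else:
        kind = "empty"
    return {"kind": kind, "rd": bool(flags & RD), "ra": bool(flags & RA), "aa": bool(flags & AA),
            "answers": answers, "authority": authority, "additional": additional,
            "next_servers": [r[3] for r in authority if r[1] == TYPE_NS]}


QUERY = build_query("superuser.com")

# Constructed root-server reply: RD echoed, RA clear, no answers, NS records for the TLD
# in the authority section plus one glue A record. Names and addresses are invented.
ROOT_REFERRAL = build_response(
    QUERY, 0,
    authority=[encode_rr("com.", TYPE_NS, 172800, encode_name("ns1.tld.example.")),
               encode_rr("com.", TYPE_NS, 172800, encode_name("ns2.tld.example."))],
    additional=[encode_rr("ns1.tld.example.", TYPE_A, 172800, bytes([192, 0, 2, 53]))])

# Constructed recursive-resolver reply: RA set, the A record in the answer section.
RESOLVER_ANSWER = build_response(
    QUERY, RA, answers=[encode_rr("superuser.com.", TYPE_A, 300, bytes([192, 0, 2, 10]))])

if __name__ == "__main__":
    for label, msg in (("root server", ROOT_REFERRAL), ("ISP resolver", RESOLVER_ANSWER)):
        r = classify_response(msg)
        print(f"{label}: {r['kind']}, RD={r['rd']} RA={r['ra']}, "
              f"answers={len(r['answers'])} authority={len(r['authority'])} next={r['next_servers']}")
```

Running it prints a referral for the root-server fixture (RD set by us, RA clear, zero answers, two NS records naming the TLD servers) and an answer for the resolver fixture; the same `classify_response` can be pointed at the raw bytes of a real dig or Wireshark capture, since it decodes compression pointers and reads nothing but the standard header and sections.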
