DNS Referrals On Client?


I learned something new last week. It has to do with DNS recursive vs. iterative lookups and how the client workstation handles them.

First of all, for those who don’t know, a recursive lookup is basically a name request that is forwarded on until a correct answer is returned [or a "Nobody knows who that is…" comes back]. This means that a DNS client will ask one server, that server will ask another, and so on until the answer is found; the answer is then passed back along the chain to the original client.

An iterative lookup is when a server receives a request and, not knowing the answer, asks a higher authority where it can be found, then replies to the request with an answer like "I don’t know what you need, but I know someone who does. Here’s his address…"

The Windows DNS servers default to recursive lookups. Some people change this behavior. "Why?" you might ask. Well, the reasoning is sound… sort of. Let me explain.

Justification for changing a DNS server from recursive to iterative lookups usually has to do with load. A recursive lookup takes much more energy and cycles on the DNS server than does an iterative lookup. So, when a recursive server queries a name on the Internet, it keeps asking until it has an answer. This could take 1 iteration or 20 depending on how deep the forwarders go of both source and destination. An iterative lookup is only one iteration for the server, which then passes the processing burden to the client who requested it.

Sounds smart when you’ve got hundreds of thousands of machines querying the server, right? Wrong. Not when those machines are client workstations like Windows XP and Windows Vista. Both of these operating systems, and I suspect all versions of Windows and DOS for that matter, ignore iterative referrals. They just drop them. The OS gratefully receives a reply, but does not "chase" or follow up on the referral information that an iterative response contains.
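To make the difference concrete, here is an added example (not code from the original post) that builds a DNS query with the "recursion desired" bit set, then parses two constructed wire-format responses: a full answer, and the kind of referral a server hands back when recursion is disabled (empty answer section, NS records in the authority section, RA bit clear). The `stub_resolve` function models the workstation behaviour described above: it accepts an answer and simply drops a referral. All names and addresses are made up for the example (192.0.2.0/24 is the RFC 5737 documentation range).

```python
import struct

# Constructed sample name for the example; not a real lookup target.
QNAME = "www.example.com."

def encode_name(name):
    """Encode a dotted name into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, off):
    """Decode a wire-format name at offset; handles compression pointers."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def build_query(name, txid=0x1234, rd=True):
    """A/IN query; rd=True sets the Recursion Desired bit a stub resolver sends."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def recursion_desired(query):
    return bool(struct.unpack("!H", query[2:4])[0] & 0x0100)

def rr(name, rtype, rdata, ttl=300):
    """One resource record (class IN)."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_response(query, answers=(), authority=(), additional=(), ra=True, rcode=0):
    """Response echoing the question; ra=False mirrors a server with recursion disabled."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | 0x0100 | (0x0080 if ra else 0) | rcode
    header = struct.pack("!HHHHHH", txid, flags, 1,
                         len(answers), len(authority), len(additional))
    return header + query[12:] + b"".join(answers) + b"".join(authority) + b"".join(additional)

def parse_response(msg):
    """Parse header flags and the answer/authority/additional sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):           # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    sections = {"answer": [], "authority": [], "additional": []}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            off += rdlen
            if rtype == 1:        # A record: dotted quad
                value = ".".join(str(b) for b in rdata)
            elif rtype == 2:      # NS record: a name
                value, _ = decode_name(msg, off - rdlen)
            else:
                value = rdata.hex()
            sections[sec].append((name, rtype, value))
    return {"txid": txid, "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, **sections}

def classify(parsed):
    """'answer', 'referral' (no answer, NS records in authority), 'nxdomain' or 'other'."""
    if parsed["rcode"] == 3:
        return "nxdomain"
    if any(t == 1 for _, t, _ in parsed["answer"]):
        return "answer"
    if parsed["authority"] and all(t == 2 for _, t, _ in parsed["authority"]):
        return "referral"
    return "other"

def stub_resolve(response):
    """Model of a Windows-style stub resolver: use an answer, drop a referral."""
    parsed = parse_response(response)
    if classify(parsed) == "answer":
        return [v for _, t, v in parsed["answer"] if t == 1]
    return None  # referral is not chased; the lookup simply fails

# Constructed sample traffic: one query, one full answer, one referral.
query = build_query(QNAME)
full_answer = build_response(query, answers=[rr(QNAME, 1, bytes([192, 0, 2, 10]))])
referral = build_response(
    query,
    authority=[rr("example.com.", 2, encode_name("ns1.example.com."))],
    additional=[rr("ns1.example.com.", 1, bytes([192, 0, 2, 53]))],
    ra=False)

if __name__ == "__main__":
    for label, resp in (("full answer", full_answer), ("referral", referral)):
        p = parse_response(resp)
        print(label, "-> RA:", p["ra"], "type:", classify(p), "stub result:", stub_resolve(resp))
```

The same parser can be pointed at a real response captured from one of your servers: if a query that had RD set comes back with RA clear and `classify` reports `referral`, that server has recursion disabled, and any stub resolver pointed at it will behave like `stub_resolve` does here.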

Some have found this out to their detriment by setting all Active Directory DNS servers to perform iterative instead of recursive lookups. This pretty solidly breaks Active Directory. So, DON’T DO IT.

That being said, there are perfectly valid reasons for changing to iterative in some limited cases. For instance, the root servers of the Internet MUST only support iterative requests, not recursive. Mostly, this is due to the immense load placed on them. Also, a stand-alone forwarding DNS server that is outside of the AD infrastructure might be a good place for this, but only if no client workstations point to it.

So – don’t use iterative on AD DNS servers or on client facing servers of any type.
