Recursive DNS is the service that Google Public DNS and similar public resolvers provide: the client sends one query and the server does whatever work is needed to return a complete answer. Whenever a computer visits a website, whatever its operating system, it first has to turn the site's name into an address through the Domain Name System. A home computer normally sends each of these lookups to the resolvers assigned by its Internet Service Provider (ISP), usually two of them. Switching to Google Public DNS, or any other shared recursive resolver, means your lookups are answered from a cache filled by the hundreds of queries an average Internet user makes every day, so many answers come back without any upstream query at all. That noticeably speeds up browsing and is arguably fine for "just a user", but it is risky when you use it to access a cloud platform where a proper identity management system is in place; SSH to OpenShift or Rackspace, or pushing a WordPress plugin to SVN, are simple examples.
What Is This Recursive DNS?
Google Public DNS is the best known example of a recursive DNS service; it handles more than 130 billion requests per day. It functions as a recursive name server, providing name resolution for any host on the Internet, with the stated goal of making the web faster. Its addresses are routed to the nearest operational server by anycast, and they are deliberately easy to remember, in both IPv4 and IPv6:
# for IPv4 service
# for IPv6 access
If you use any cloud DNS service you probably know that most of them do not run a conventional name server such as BIND; they rely on a purpose-built implementation, but the protocol it speaks is set by the IETF standards.
Whatever the motive, speed or emergency rescue when your ISP's resolvers are down, the mechanism is the same. For a recursive request the server first looks for the name in its local cache. If no valid answer is cached it queries other DNS servers on the client's behalf until it obtains the address, caches the result for the time-to-live (TTL) the authoritative server specified, and only then responds to the original request with the final answer.
In theory, authoritative name servers alone are sufficient for the operation of the Internet. However, with only authoritative name servers operating, every DNS query would have to start at the root zone of the Domain Name System, and each user system would have to ship resolver software capable of that recursive operation. In practice, caching DNS servers, such as those an ISP runs, implement the recursive algorithm that resolves a given name starting at the DNS root and following referrals down to the authoritative name servers of the queried domain.
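The walk just described, as an added example that is not part of the original article or of any real resolver's code: a simulated resolver follows referrals from a root server through the TLD server to the authoritative server, caches the answer for its TTL, and serves later clients from that shared cache. The server addresses, zone contents and TTL are constructed (RFC 5737 documentation ranges), and the clock is faked so expiry can be shown without waiting.

```python
"""Simulated recursive resolver: root -> TLD -> authoritative, with a shared TTL cache."""

# Constructed "zones", one per server, standing in for the real root, .com and
# example.com servers. Addresses are from the RFC 5737 documentation ranges;
# nothing here is real DNS data.
ROOT_IP = "192.0.2.1"
SERVERS = {
    ROOT_IP:      {"com.": ("referral", "192.0.2.10")},                    # root delegates .com
    "192.0.2.10": {"example.com.": ("referral", "192.0.2.20")},            # .com delegates example.com
    "192.0.2.20": {"www.example.com.": ("answer", "198.51.100.7", 300)},   # authoritative A, TTL 300 s
}


class FakeClock:
    """Deterministic clock so cache expiry can be demonstrated without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class Resolver:
    def __init__(self, root_ip=ROOT_IP, clock=None):
        self.root_ip = root_ip
        self.clock = clock or FakeClock()
        self.cache = {}          # qname -> (ip, expires_at); shared by every client of this resolver
        self.queries_sent = 0    # upstream (iterative) queries actually issued

    def _ask(self, server_ip, qname):
        """One non-recursive query to a single server; it answers for the longest suffix it knows."""
        self.queries_sent += 1
        zone = SERVERS[server_ip]
        labels = qname.split(".")
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in zone:
                return zone[suffix]
        return ("nxdomain",)

    def resolve(self, qname):
        """Return (address, served_from_cache). This is what a client's RD=1 query triggers."""
        now = self.clock()
        hit = self.cache.get(qname)
        if hit and hit[1] > now:
            return hit[0], True
        server = self.root_ip
        for _ in range(8):                      # hop limit guards against referral loops
            kind, *rest = self._ask(server, qname)
            if kind == "answer":
                ip, ttl = rest
                self.cache[qname] = (ip, now + ttl)
                return ip, False
            if kind == "referral":
                server = rest[0]                # follow the delegation to the next server
                continue
            return None, False
        raise RuntimeError("too many referrals for %s" % qname)


if __name__ == "__main__":
    clock = FakeClock()
    r = Resolver(clock=clock)
    print(r.resolve("www.example.com."), r.queries_sent)   # full walk: 3 upstream queries
    print(r.resolve("www.example.com."), r.queries_sent)   # next client: cache hit, still 3
    clock.advance(301)
    print(r.resolve("www.example.com."), r.queries_sent)   # TTL expired: walk again, 6
```

The second call is the whole point of a shared public resolver: a different user asking for the same name gets the cached answer with no upstream traffic. It is also the property to keep in mind when you change a record and expect everyone to see it immediately; they will not until the cached copy expires.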
Why Recursive DNS Should Not Be Used to Access a Cloud Platform?
Servers that accept recursive queries from anyone (open resolvers) are abused by requests sent from a spoofed source IP address: the attacker puts the victim's address in a small query and the resolver sends a much larger response to the victim. This is the DNS amplification attack. A server of yours that answers recursive queries on a public address can end up on DNS blacklists, so as server administrators we should refuse such requests from addresses we do not serve. Running a resolver on a cloud instance adds this attack surface, and cloud providers generally do not block it by default on public IPs; you have to restrict recursion yourself. A related trap: a CDN that used to serve a website out of a storage container (take OpenStack Swift as the example) which you later make private. If the only thing you changed was DNS, and your browsers or API scripts go through a shared resolver such as Google's, the cached answer keeps pointing at the old public endpoint until its TTL expires, and whatever that endpoint still serves remains reachable. You are convinced the container is private, but in reality it can still be reached by script kiddies; a container is private only when its own access control says so.
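The amplification mechanism and the check that closes it, as an added example (not code from the article and not any real server's implementation): a minimal DNS query is encoded in wire format so the size ratio against a response is concrete, and a recursion ACL in the spirit of BIND's `allow-recursion` refuses RD=1 queries from addresses outside the networks the server is meant to serve. The ACL prefixes, client addresses and the 3000-byte response size are constructed.

```python
"""An open resolver as an amplifier, and the recursion ACL that closes it."""
import ipaddress
import struct


def build_query(qname, qtype=255, txid=0x1234, rd=True):
    """Encode a minimal DNS query in wire format: 12-byte header plus one question (RFC 1035)."""
    flags = 0x0100 if rd else 0x0000                            # RD bit: client asks the server to recurse
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)    # QDCOUNT=1, no other sections
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, 1)   # QCLASS=IN


def amplification_factor(query_len, response_len):
    """Bytes the victim receives per byte the attacker had to send with a forged source address."""
    return response_len / query_len


# Constructed ACL standing in for BIND's allow-recursion or Unbound's access-control:
# recursion is a service for your own clients, never for the whole Internet.
ALLOWED_RECURSION = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
)


def recursion_allowed(src_ip, allowed=ALLOWED_RECURSION):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowed)


def handle(src_ip, query):
    """Decide what the server does with a query whose UDP source is src_ip (possibly forged)."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        return "FORMERR"
    rd = bool(flags & 0x0100)
    if rd and not recursion_allowed(src_ip):
        return "REFUSED"          # tiny reply, no lookup, nothing worth amplifying
    return "RECURSE" if rd else "AUTH-ONLY"


if __name__ == "__main__":
    q = build_query("example.com", qtype=255)            # ANY: the classic amplification query
    # Constructed size for a large ANY response with DNSSEC records; real ones reach a few KB.
    print(len(q), amplification_factor(len(q), 3000))    # 29 bytes in, about 103x out
    print(handle("203.0.113.5", q))                      # stranger -> REFUSED
    print(handle("10.1.2.3", q))                         # own client -> RECURSE
```

The ACL keys on the source address, which is exactly what the attacker forges, so it only protects you because the forged address is the victim's, not one of your clients'. It does nothing for an attacker who can spoof an address inside your allowed ranges; that case needs ingress filtering of spoofed packets on your network (BCP 38) and response rate limiting in the resolver.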
Using a shared recursive resolver to reach the Internet also raises the stakes of cache poisoning: a forged reply accepted by the resolver is served to every client of that cache, not just one machine. In theory this should not happen with Google Public DNS in particular, since it randomizes query IDs and source ports and validates DNSSEC, but in practice any zone that is not DNSSEC-signed is protected only by the odds of guessing those values, and a single flaw in the resolver affects everyone behind it. The Internet has many underlying weaknesses that are not disclosed by those responsible for it. We hope we have pointed you towards the possible risks; for anything that involves credentials or API access to a cloud platform you should avoid it, or at least verify that the names you rely on are DNSSEC-signed and that the resolver you use validates them.
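What a resolver must check before a reply is allowed into its cache, as an added example (not code from the article and not any real resolver's implementation): the transaction ID, destination port, source server and question must all match the outstanding query, and every record must be within the bailiwick of the server that was asked, so a reply cannot smuggle in records for an unrelated name. The query values, server addresses and the forged reply are constructed.

```python
"""Checks a resolver applies before caching a reply; every one of them is a poisoning defence."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Outstanding:
    """What the resolver remembers about a query it sent upstream."""
    txid: int
    src_port: int
    qname: str
    qtype: int
    server_ip: str


@dataclass(frozen=True)
class Reply:
    """Fields of a UDP reply as seen on the wire (all attacker-controlled if the packet is forged)."""
    txid: int
    dst_port: int
    from_ip: str
    qname: str
    qtype: int
    answers: tuple            # ((owner_name, rdata), ...)


def new_query(qname, qtype, server_ip):
    """Random 16-bit ID and random ephemeral port: roughly 2^32 combinations to guess blindly."""
    return Outstanding(secrets.randbelow(1 << 16), 1024 + secrets.randbelow(65536 - 1024),
                       qname, qtype, server_ip)


def in_bailiwick(owner, zone):
    """Accept records only at or below the zone the queried server is responsible for."""
    return owner == zone or owner.endswith("." + zone)


def accept(outstanding, reply, server_zone):
    """Return (accepted, reason). Anything rejected must never enter the shared cache."""
    if reply.txid != outstanding.txid:
        return False, "txid mismatch"
    if reply.dst_port != outstanding.src_port:
        return False, "port mismatch"
    if reply.from_ip != outstanding.server_ip:
        return False, "unexpected source"
    if (reply.qname, reply.qtype) != (outstanding.qname, outstanding.qtype):
        return False, "question mismatch"
    for owner, _ in reply.answers:
        if not in_bailiwick(owner, server_zone):
            return False, "out-of-bailiwick record %s" % owner
    return True, "ok"


def blind_guess_odds(tries):
    """Chance that `tries` forged packets hit both the ID and the port before the real reply lands."""
    space = (1 << 16) * (65536 - 1024)
    return min(1.0, tries / space)


if __name__ == "__main__":
    q = new_query("www.example.com.", 1, "192.0.2.20")
    genuine = Reply(q.txid, q.src_port, "192.0.2.20", "www.example.com.", 1,
                    (("www.example.com.", "198.51.100.7"),))
    # Constructed forgery: a correct-looking answer plus a record for a name the example.com
    # server has no authority over. Without the bailiwick rule it would be cached for everyone.
    forged = Reply(q.txid, q.src_port, "192.0.2.20", "www.example.com.", 1,
                   (("www.example.com.", "198.51.100.7"), ("login.other-site.test.", "203.0.113.9")))
    print(accept(q, genuine, "example.com."))
    print(accept(q, forged, "example.com."))
    print(blind_guess_odds(1000))
```

The odds function covers one blind attempt window only; an attacker who can trigger many queries for fresh names gets many windows, which is why the randomization is a mitigation and DNSSEC validation is the actual fix. On a shared resolver the cost of one accepted forgery is multiplied by the number of clients behind it, which is the risk the text above describes.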