What is DNS Recursion and when should I use it with the ProxySG appliance?

book

Article ID: 168369

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

You want to know what DNS Recursion is and when it's appropriate to use that feature with the ProxySG appliance.

Resolution

Non-recursive means that a DNS server can provide a partial answer or return an error to the client.

Recursive means that the DNS server either fully answers the query or returns an error to the client 

The process:

ProxySG Appliance Using Non-Recursive DNS 
If you have defined more than one DNS server, the ProxySG appliance uses the following logic to determine which servers are used to resolve a DNS host name and when to return an error to the client. 

Note: Servers are always contacted in the order in which they appear in a group list. 

The ProxySG appliance first checks all the DNS groups for a domain match, using domain-suffix matching to match a request to a group. 
  • If there is a match, the servers in the matched group are queried until a response is received; no other DNS groups are queried. 
  • If there is no match, the ProxySG appliance selects the Primary DNS group. 
  • The ProxySG appliance sends requests to DNS servers in the Primary DNS server group in the order in which they appear in the list. If a response is received from one of the servers in the Primary group, no attempts are made to contact any other Primary DNS servers. 
  • If none of the servers in the Primary group resolve the host name, the ProxySG appliance sends requests to the servers in the Alternate DNS server group. (If no Alternate servers have been defined, an error is returned to the client.) 
  • If a response is received from a server in the Alternate group list, there are no further queries to the Alternate group. 
  • If a server in the Alternate DNS server group is unable to resolve the host name, an error is returned to the client, and no attempt is made to contact any other DNS servers. 
Note: The Alternate DNS server is not used as a failover DNS server. It is only used when DNS resolution of the Primary DNS server returns a name error. If the query to each server in the Primary list times out, no alternate DNS server is contacted. 
  • If the ProxySG appliance receives a referral (authoritative server information), DNS recursion takes over if it is enabled. See the next section, ProxySG Using Recursive DNS and When to Enable Recursive DNS. 
Note: If the ProxySG appliance receives a negative DNS response (a response with an error code set to name error), it caches that negative response. See Caching Negative Responses. 

ProxySG Appliance Using Recursive DNS 
If you have enabled recursive DNS, the ProxySG appliance uses the following logic to determine how to resolve a DNS host name and when to return an error to the client. 
  • If the DNS server response does not contain an A record with an IP address but instead contains authoritative server information (a referral), the ProxySG appliance follows all referrals until it receives an answer. If the ProxySG appliance follows more than eight referrals, it assumes there is a recursion loop, aborts the request, and sends an error to the client. 
When to Enable Recursive DNS 
If you have a DNS server that cannot resolve all host names, it might return a list of authoritative DNS servers instead of a DNS A record that contains an IP address. To avoid this situation, configure the ProxySG appliance to recursively query authoritative DNS servers. 

Enable recursive DNS: 
  1. Select the Configuration > Network > DNS > Groups tab. 
  2. Select Enable DNS Recursion
  3. Click Apply. 
Disable recursive DNS: 
  1. Select the Configuration > Network > DNS > Groups tab. 
  2. Clear Enable.
  3. Click Apply.