
Enabling Recursive Queries

You can enable Universal DDI to respond to recursive queries and create a list of allowed networks, IP addresses, and remote servers that present specified keys. Recursion is enabled by default. When you enable this feature, you can also create a list of clients that are allowed to perform recursive queries.

A recursive query requires the application to return requested DNS data, or locate the data through queries to other servers. When the application receives a query for DNS data it does not have, and you have enabled recursive queries, it first sends a query to any specified forwarder. If a forwarder does not respond (and you have disabled the Use Forwarders Only option), the application sends a non-recursive query to specific internal root servers. For more information about Forwarders, see Using Forwarders. If no internal root servers are configured, the application sends a non-recursive query to the Internet root servers. 

You can enable recursion for the application. If you do not enable recursion, it denies recursive queries from all clients.

You can configure the amount of time that a recursive query will wait for a response before timing out. The default behavior is to wait for 30 seconds before timing out.

Servers that are marked as authoritative for a zone but do not respond as authoritative servers are called lame servers. You can specify the number of seconds to cache a lame server indication through the Lame TTL option. The Lame TTL is the amount of time your name server remembers that a remote name server, to which a zone is delegated, is not authoritative for that zone. When the Max Cache TTL for a record expires, the name server deletes the record from the cache.

A domain or sub-domain that is delegated to a server that is not authoritative for the domain is called lame delegation. It indicates that a zone file does not exist for the domain on the server.

You can also specify the maximum duration of time for which your name server caches negative responses through the Max Negative Cache TTL settings. The Max Negative Cache TTL sets the time limit for which the name server retains negative responses (NXDOMAIN/NXRRSET responses) in the cache. The name server deletes a negative response from the cache when the Max Negative Cache TTL period for the entry expires.

Enabling Recursion

To enable recursion for certain clients, complete the following:

  1. From the Infoblox Portal, click Configure > Networking > DNS, and click Global DNS Configuration.
  2. In the Global DNS Configuration page, click Recursion.
  3. In the Recursion section, click Allow recursion to enable recursion, and specify the following:
    • Resolver query timeout: Specify the maximum time allowed for a recursive query to wait for a response before timing out. You can enter a value between 10 and 30 seconds. The default value is 10 seconds.

    • Max Cache TTL: Specify the maximum duration of time for which the name server caches positive responses. Select the period in seconds, minutes, hours, days, or weeks from the drop-down list. The minimum value is 1 second and the maximum value is 604800 seconds (7 days). The default value is 604800 seconds (7 days).

    • Max Negative Cache TTL: Specify the maximum duration of time for which the name server caches negative responses. Select the period in seconds, minutes, hours, days, or weeks from the drop-down list. The default value is 10800 seconds (3 hours), minimum value is 1 second and the maximum value is 604800 seconds (7 days).

    • Recursive Client Query Limit: When a recursive name server receives queries and it is not authoritative, the recursive name server needs to ask other name servers to get answers for those queries. Until the recursive name server learns the answers, the recursive queries remain outstanding. The recursive name server puts a limit on how many outstanding recursive queries it allows. The default value for outstanding recursive queries is 1000. Specify a value between 1 and 15000 for this field.
  4. Click Save & Close to save.

If you have set the Resolver query timeout to a value less than 10 seconds, it will default to 10 seconds automatically. 
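The following is an added example, not Infoblox code, that models how the four Recursion settings above constrain a recursive resolver. The value ranges and defaults are the ones documented on this page; the way they are applied (clamping a record's own TTL to Max Cache TTL, clamping a negative answer to Max Negative Cache TTL, and refusing to start new recursion once the outstanding-query limit is reached) is an assumption based on how BIND-style recursive resolvers behave. The `FakeClock` is a test aid so that expiry can be stepped deterministically.

```python
# Added example (not Infoblox code): toy model of the Recursion settings.
# Ranges/defaults are from the page; the clamping and admission logic is an
# assumption modelled on BIND-style recursive resolvers.
from dataclasses import dataclass

# Documented ranges (seconds, except the query limit, which is a count).
RESOLVER_QUERY_TIMEOUT_RANGE = (10, 30)
MAX_CACHE_TTL_RANGE = (1, 604800)            # 1 second .. 7 days
MAX_NEGATIVE_CACHE_TTL_RANGE = (1, 604800)
RECURSIVE_CLIENT_QUERY_LIMIT_RANGE = (1, 15000)


@dataclass
class RecursionSettings:
    """The four fields under Recursion, with the page's default values."""
    resolver_query_timeout: int = 10
    max_cache_ttl: int = 604800
    max_negative_cache_ttl: int = 10800
    recursive_client_query_limit: int = 1000

    def normalized(self) -> "RecursionSettings":
        """Return a copy that respects the documented ranges.

        A resolver timeout below 10 s silently becomes 10 s, as the page
        states; every other out-of-range value is rejected."""
        timeout = max(self.resolver_query_timeout, RESOLVER_QUERY_TIMEOUT_RANGE[0])
        checks = [
            ("Resolver query timeout", timeout, RESOLVER_QUERY_TIMEOUT_RANGE),
            ("Max Cache TTL", self.max_cache_ttl, MAX_CACHE_TTL_RANGE),
            ("Max Negative Cache TTL", self.max_negative_cache_ttl,
             MAX_NEGATIVE_CACHE_TTL_RANGE),
            ("Recursive Client Query Limit", self.recursive_client_query_limit,
             RECURSIVE_CLIENT_QUERY_LIMIT_RANGE),
        ]
        for label, value, (low, high) in checks:
            if not low <= value <= high:
                raise ValueError(f"{label} must be between {low} and {high}, got {value}")
        return RecursionSettings(timeout, self.max_cache_ttl,
                                 self.max_negative_cache_ttl,
                                 self.recursive_client_query_limit)


@dataclass
class CacheEntry:
    rdata: list        # empty list = negative answer (NXDOMAIN/NXRRSET)
    expires_at: int    # absolute time on the cache's clock


class FakeClock:
    """Deterministic clock so the example behaves the same on every run."""
    def __init__(self, start: int = 0):
        self.now = start

    def advance(self, seconds: int) -> None:
        self.now += seconds


class RecursiveCache:
    def __init__(self, settings: RecursionSettings, clock: FakeClock):
        self.settings = settings.normalized()
        self.clock = clock
        self.entries: dict = {}
        self.outstanding = 0   # recursive queries still waiting on upstream servers

    def store(self, name: str, rtype: str, rdata: list, ttl: int) -> int:
        """Cache an answer and return the TTL actually applied after clamping."""
        cap = (self.settings.max_negative_cache_ttl if not rdata
               else self.settings.max_cache_ttl)
        effective = min(ttl, cap)
        self.entries[(name, rtype)] = CacheEntry(rdata, self.clock.now + effective)
        return effective

    def lookup(self, name: str, rtype: str):
        """Return the cached entry, or None once its TTL has expired."""
        entry = self.entries.get((name, rtype))
        if entry is None or entry.expires_at <= self.clock.now:
            self.entries.pop((name, rtype), None)
            return None
        return entry

    def begin_recursion(self) -> bool:
        """Admit a new outstanding recursive query unless the limit is reached."""
        if self.outstanding >= self.settings.recursive_client_query_limit:
            return False
        self.outstanding += 1
        return True

    def end_recursion(self) -> None:
        self.outstanding -= 1
```

With the defaults, a 30-day record TTL is cut to 604800 seconds and an upstream negative answer with a one-day TTL is cut to 10800 seconds, so a poisoned or stale upstream answer cannot outlive the configured caps. The outstanding-query limit is what stops a burst of unanswerable recursive queries from tying up the resolver indefinitely; the constructed limit of 2 in the test makes that visible.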

Allow Recursive Queries From

To create a list of clients that are allowed to perform recursive queries, complete the following:

  1. From the Infoblox Portal, click Configure > Networking > DNS, and click Global DNS Configuration.
  2. In the Global DNS Configuration page, click Recursion.
  3. In the Recursion section, click Allow recursion. Under the ALLOW RECURSIVE QUERIES FROM section, click Add to add an entry or click Remove to remove entries. For a new entry, select one of the following from the TYPE drop-down list:
    • Any Address/Network: Select this option to allow or deny queries from any IP address. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and selecting Deny from the drop-down list.
    • IPv4 Address: Select this option to add an IPv4 address. Click the VALUE field and enter the IP address of the remote clients. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and selecting Deny from the drop-down list.

    • IPv4 Network: Select this option to add an IPv4 network address to the list. Click the VALUE field and enter an IPv4 network address and type a netmask. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and selecting Deny from the drop-down list.

    • Named ACL: Select this option to add a named ACL. Click the VALUE field to display the list of named ACLs. If you have only one named ACL, it is displayed automatically. When you select this option, the application allows clients with valid permission in that ACL to perform recursive queries.

    • TSIG: Select an existing TSIG Key. For more information, see Configuring TSIG Keys. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and choosing Deny from the drop-down list.

    You can reorder the rows using the up and down arrows next to the table.

  4. Click Save & Close to save.
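The following is an added example, not Infoblox code, that models the ALLOW RECURSIVE QUERIES FROM list built in the procedure above. The entry types (Any Address/Network, IPv4 Address, IPv4 Network, Named ACL, TSIG) and the Allow/Deny permission are the page's; the evaluation rule is an assumption modelled on BIND address match lists: rows are checked top to bottom, the first matching row decides, and a client that matches no row is denied recursion. That rule is why the up and down arrows for reordering rows matter, as the test shows by swapping a Deny row and an Allow row.

```python
# Added example (not Infoblox code): model of the ALLOW RECURSIVE QUERIES FROM
# list. First-match-wins and deny-by-default are assumptions based on BIND
# address match lists.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class AclEntry:
    type: str                    # "any", "ipv4_address", "ipv4_network", "named_acl", "tsig"
    value: Optional[str] = None  # address, network in CIDR form, ACL name, or TSIG key name
    permission: str = "allow"    # "allow" or "deny"


@dataclass
class Request:
    source_ip: str
    tsig_key: Optional[str] = None   # name of the TSIG key that signed the query, if any


def _matches(entry: AclEntry, request: Request, named_acls: dict) -> bool:
    """Does this row apply to the client that sent the query?"""
    ip = ipaddress.ip_address(request.source_ip)
    if entry.type == "any":
        return True
    if entry.type == "ipv4_address":
        return ip == ipaddress.ip_address(entry.value)
    if entry.type == "ipv4_network":
        return ip in ipaddress.ip_network(entry.value, strict=False)
    if entry.type == "tsig":
        return request.tsig_key is not None and request.tsig_key == entry.value
    if entry.type == "named_acl":
        # A Named ACL row matches when the referenced list itself allows the client.
        return evaluate(named_acls[entry.value], request, named_acls) == "allow"
    raise ValueError(f"unknown entry type {entry.type!r}")


def evaluate(acl: list, request: Request, named_acls: Optional[dict] = None) -> Optional[str]:
    """Return "allow" or "deny" from the first matching row, or None if no row matched."""
    named_acls = named_acls or {}
    for entry in acl:
        if _matches(entry, request, named_acls):
            return entry.permission
    return None


def recursion_allowed(acl: list, request: Request, named_acls: Optional[dict] = None) -> bool:
    """A client that matches no row is denied recursion (assumption)."""
    return evaluate(acl, request, named_acls) == "allow"


if __name__ == "__main__":
    # Constructed sample list: one denied host inside an otherwise allowed /24,
    # plus a TSIG key that admits signed queries from anywhere.
    sample = [
        AclEntry("ipv4_address", "192.0.2.7", "deny"),
        AclEntry("ipv4_network", "192.0.2.0/24", "allow"),
        AclEntry("tsig", "branch-key", "allow"),
    ]
    print(recursion_allowed(sample, Request("192.0.2.7")))                   # False
    print(recursion_allowed(sample, Request("192.0.2.8")))                   # True
    print(recursion_allowed(sample, Request("198.51.100.1", "branch-key")))  # True
```

Keeping specific Deny rows above broader Allow rows is what makes the list behave as intended: if the /24 Allow row is moved above the host Deny row, the denied host is admitted because the Allow row matches first. Leaving an Any Address/Network Allow row at the top turns the server into an open resolver for every client that can reach it, so that row is the one to audit.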

About Root Name Servers

Root name servers contain the root zone file which lists the names and IP addresses of the authoritative name servers for each top-level zone. When a root name server receives a query for a domain name, it provides at least the names and addresses of the name servers that are authoritative for the top-level zone of the domain name.

You can configure Universal DDI to use Internet root name servers or custom root name servers. If you enable recursive queries and the application receives a recursive query it cannot resolve locally, it queries specified forwarders (if any) and then queries any root name servers you configure. If you do not specify internal root name servers and the application can access the Internet, it queries the Internet root name servers.

To specify root name servers, complete the following:

  1. From the Infoblox Portal, click Configure > Networking > DNS, and click Global DNS Configuration.
  2. In the Global DNS Configuration page, click Recursion.
  3. In the Recursion section, click Allow recursion, and select one of the following options:
    • Use Internet root name servers: This option is selected by default.
    • Use custom root name servers: Select this option to use custom root name servers instead of the default name servers. Click Add and enter the following information when a new row appears:

      • Name: Enter a name for the root name server.
      • Address: Enter an IPv4 address for the root name server.

    Select the respective check box and click Remove to delete a root name server.

  4. Click Save & Close to save.