Recursive DNS Queries may degrade performance


It is widely accepted that supporting open DNS recursion on your name servers is not recommended. Recursive queries put more load on the name server, and as I show in this article, they measurably degrade performance. I will quantify the effect and show that the average failure rate of name servers that support open recursion is considerably higher than that of name servers that do not.

Name servers can have their own database, or be caching only. Name servers that have their own database are authoritative for the domain names in that database and answer DNS queries for those names. Caching-only name servers are recursive resolvers such as the ones your internet service provider (ISP) runs for its customers: they are meant to answer DNS queries for any domain name, and they are "open" when they accept recursive queries from anyone rather than only from their own clients. When nothing is cached, a recursive lookup starts at one of the root name servers, which refers the resolver to a TLD name server, which in turn refers it to an authoritative name server. The authoritative name server knows the answer for the domain names in its database (the authoritative name servers for a domain are set at the domain name registrar). So one recursive DNS query typically involves at least three upstream DNS queries. This takes longer and uses more resources than answering an authoritative query directly from the local database.

There are also name servers that have their own database (i.e. are authoritative for some domain names) and additionally accept recursive queries from anyone. This article looks at this type of name server and compares its failure rate with that of database-only name servers.
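A practical check that follows from the description above is to ask a name server to resolve a name it is not authoritative for and look at the flags in its reply: a response with RA (Recursion Available) set and a non-authoritative answer means the server recursed on your behalf. The probe below is an added example written for this article, not code from the original page or from SolveDNS; the probe name example.com and the helper names are assumptions, and fake_response() builds constructed replies so the classification logic runs offline.

```python
import os
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODE_REFUSED = 5


def build_query(qname, qtype=QTYPE_A, rd=True):
    """Build a minimal DNS query packet. RD (Recursion Desired) is set so the
    server is asked to recurse; returns (transaction id, packet bytes)."""
    txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, FLAG_RD if rd else 0, 1, 0, 0, 0)
    labels = [part.encode("ascii") for part in qname.rstrip(".").split(".")]
    question = b"".join(bytes([len(part)]) + part for part in labels) + b"\x00"
    question += struct.pack("!HH", qtype, QCLASS_IN)
    return txid, header + question


def parse_flags(response, expected_txid):
    """Decode the 12-byte header of a DNS response into the flags that matter here."""
    if len(response) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch; ignoring stray reply")
    return {
        "qr": bool(flags & FLAG_QR),   # this is a response, not a query
        "aa": bool(flags & FLAG_AA),   # server is authoritative for the name
        "ra": bool(flags & FLAG_RA),   # server offers recursion to this client
        "rcode": flags & 0x000F,
        "answers": ancount,
    }


def classify(flags):
    """Interpret the flags. The probe name must be one the server is NOT
    authoritative for: a non-authoritative answer with RA set means the
    server went out and resolved the name for us, i.e. it recursed."""
    if not flags["qr"]:
        return "not a response"
    if flags["ra"] and flags["rcode"] == 0 and flags["answers"] > 0 and not flags["aa"]:
        return "open recursion: resolved a name it is not authoritative for"
    if flags["ra"]:
        return "advertises recursion (RA set) but returned no answer"
    if flags["rcode"] == RCODE_REFUSED:
        return "recursion refused (REFUSED)"
    return "no recursion offered (RA clear)"


def probe(server_ip, qname="example.com", timeout=0.5):
    """Send the probe over UDP and classify the reply. The 500 ms timeout
    matches the failure threshold used in this article's measurements."""
    txid, packet = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server_ip, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "no response within %d ms (a failure in this article's terms)" % int(timeout * 1000)
    return classify(parse_flags(data, txid))


def fake_response(txid, flags, ancount):
    """Constructed reply for offline use; only the header is built because
    classify() needs nothing beyond it."""
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <name-server-ip>   (sends one real query)
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else "usage: probe.py <server-ip>")
```

Two caveats when running this against a real server: pick a probe name the server is not authoritative for (an authoritative answer, AA set, tells you nothing about recursion), and treat the verdict as a snapshot, since resolvers that restrict recursion by client address will answer you differently from how they answer their own clients.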

The data set consists of 263,000 name servers, of which 38,000 (14.42%) support open recursion. It is drawn from queries made through SolveDNS and covers more than 10 million DNS queries across these name servers.

The failure rate of a name server is the number of queries it did not answer within 500 milliseconds divided by the total number of queries sent to it. 500 ms is a very generous timeout; fewer than 3% of name servers have an average response time above 500 ms, and I excluded those from the analysis. I also excluded name servers with a failure rate above 10%, since these are simply badly misconfigured and would distort the comparison.

The following table shows the difference in mean failure rate between name servers that support open recursion and database-only name servers.

Type                                  Mean Failure Rate            95% Confidence Interval
Database only (no recursion)          0.064% (about 1 in 1,560)    [0.062%, 0.066%]
Database and open recursion           0.104% (about 1 in 960)      [0.096%, 0.111%]

As the table shows, name servers that are authoritative only have a markedly lower failure rate than name servers that also support open recursion: roughly 60% more queries to the recursive group go unanswered. The confidence interval for the recursive group is also wider, partly because that group is smaller (38,000 servers versus 225,000) and partly because its failure rates vary more.

The following graph shows the density of the failure rates. The curve for name servers that support open recursion (the red curve) has less of its mass at low failure rates and a heavier tail toward higher failure rates.

[Graph: Failure rate of name servers with open recursion]

Here are a few more statistics that are noteworthy:

  • The t-value (Welch's two-sample t-test) for the difference in mean failure rate between recursive and non-recursive name servers is 9.71, which is statistically significant at any conventional confidence level.
  • The skewness of the failure-rate distribution is 8.60 for recursive name servers and 11.08 for non-recursive name servers. Both distributions are strongly right-skewed: most servers lie below the mean (i.e. have a low failure rate) and a small number of poor performers form a long tail to the right. The higher skewness of the non-recursive group means its servers are concentrated even more tightly at low failure rates.
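To make the failure-rate definition, the two exclusion rules and the Welch's t comparison concrete, here is an added example that reproduces the analysis pipeline on a constructed data set. It is not the article's own code and does not use the SolveDNS data; the record shape (server, supports_recursion, response_ms) and the helper names are assumptions, and SAMPLE_QUERIES is constructed so the expected results can be checked by hand.

```python
import math
from collections import defaultdict
from statistics import mean, stdev, variance

TIMEOUT_MS = 500          # a query not answered within this counts as a failure
MAX_AVG_MS = 500          # servers slower than this on average are dropped
MAX_FAILURE_RATE = 0.10   # servers failing more often than this are dropped


def per_server_stats(queries):
    """Aggregate raw (server, supports_recursion, response_ms) records, where
    response_ms is None when no reply arrived at all.
    Returns {server: (supports_recursion, average_ms, failure_rate)}."""
    times = defaultdict(list)
    recursive = {}
    for server, supports_recursion, ms in queries:
        times[server].append(ms)
        recursive[server] = supports_recursion
    stats = {}
    for server, samples in times.items():
        answered = [t for t in samples if t is not None]
        # No reply, or a reply slower than the timeout, both count as failures.
        failures = sum(1 for t in samples if t is None or t > TIMEOUT_MS)
        average = mean(answered) if answered else math.inf
        stats[server] = (recursive[server], average, failures / len(samples))
    return stats


def apply_filters(stats):
    """Drop the servers the article excludes: too slow on average, or so
    failure-prone that they are clearly misconfigured."""
    return {s: v for s, v in stats.items()
            if v[1] <= MAX_AVG_MS and v[2] <= MAX_FAILURE_RATE}


def welch_t(a, b):
    """Welch's two-sample t statistic: assumes neither equal variances nor
    equal group sizes, which suits two groups as different in size as these."""
    return (mean(a) - mean(b)) / math.sqrt(variance(a) / len(a) + variance(b) / len(b))


def ci95(values):
    """Normal-approximation 95% confidence interval for the mean."""
    half = 1.96 * stdev(values) / math.sqrt(len(values))
    return mean(values) - half, mean(values) + half


def compare_groups(queries):
    """Run the whole pipeline and return the figures the article's table reports."""
    stats = apply_filters(per_server_stats(queries))
    rec = [fr for supports_recursion, _, fr in stats.values() if supports_recursion]
    non = [fr for supports_recursion, _, fr in stats.values() if not supports_recursion]
    return {
        "n_recursive": len(rec),
        "n_non_recursive": len(non),
        "recursive_mean": mean(rec),
        "non_recursive_mean": mean(non),
        "recursive_ci95": ci95(rec),
        "non_recursive_ci95": ci95(non),
        "t": welch_t(rec, non),
    }


def _server(name, supports_recursion, ok_ms, n_ok, n_fail):
    """Constructed records: n_ok replies at ok_ms plus n_fail non-replies."""
    return ([(name, supports_recursion, ok_ms)] * n_ok
            + [(name, supports_recursion, None)] * n_fail)


# Constructed sample, not the article's data: five database-only and five
# recursive servers, 1,000 queries each. Per-server failure rates are in comments.
SAMPLE_QUERIES = (
    _server("auth1", False, 40, 999, 1)      # 0.1%
    + _server("auth2", False, 60, 998, 2)    # 0.2%
    + _server("auth3", False, 30, 1000, 0)   # 0.0%
    + _server("auth4", False, 55, 997, 3)    # 0.3%
    + _server("auth5", False, 800, 1000, 0)  # answers, but too slowly: dropped
    + _server("rec1", True, 90, 996, 4)      # 0.4%
    + _server("rec2", True, 120, 994, 6)     # 0.6%
    + _server("rec3", True, 110, 997, 3)     # 0.3%
    + _server("rec4", True, 100, 995, 5)     # 0.5%
    + _server("rec5", True, 100, 850, 150)   # 15%: dropped as misconfigured
)

if __name__ == "__main__":
    for key, value in compare_groups(SAMPLE_QUERIES).items():
        print(key, value)
```

With four servers per group the normal-approximation interval is only illustrative; with the tens of thousands of servers per group in the article's data the 1.96 factor is appropriate. Note that the 800 ms server is dropped by both rules at once, since a reply slower than the timeout is itself a failure under the article's definition.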

Based on this data and analysis, I strongly recommend that you do not put your domain name on name servers that accept recursive queries from anyone. Beyond the extra load, an open resolver can be used by anyone on the internet without your knowledge, for example as a reflector in DNS amplification attacks, so the unexpected traffic it attracts is a security problem as well as a performance one.


