Subscribe to the Non-Human & AI Identity Journal
Home Glossary Cyber Security Open Recursion
Cyber Security

Open Recursion

← Back to Glossary
By NHI Mgmt Group Updated July 12, 2026 Domain: Cyber Security

A DNS configuration where a resolver answers recursive queries from untrusted internet sources. If left exposed, it can be abused for amplification attacks and is therefore a security exposure that needs ownership, validation, and ongoing review.

Expanded Definition

Open recursion is a DNS resolver configuration issue, not a DNS protocol flaw. It appears when a recursive resolver answers queries from any internet source instead of limiting recursion to approved clients, networks, or authenticated users. In practice, that means the resolver can be used by outside parties to perform lookups and, in abuse scenarios, to support amplification and reflection attacks. Within cybersecurity operations, the term describes an exposure that sits at the boundary between service availability, network trust, and configuration governance. NIST guidance on access control and system hardening, including NIST SP 800-53 Rev 5 Security and Privacy Controls, is relevant because the issue is fundamentally about restricting who can use a service and under what conditions.

Definitions are broadly consistent across the industry, but operational detail varies: some teams treat any publicly reachable recursive service as open recursion, while others reserve the term for resolvers that permit recursion without meaningful client restriction. The distinction matters because a resolver can be publicly reachable for authoritative queries and still be safely configured, so reachability alone is not the same as exposure. Open recursion is commonly confused with authoritative DNS exposure, or with DNS forwarding arrangements that are intended and controlled. The most common misapplication is labelling any internet-facing DNS server as open recursion, which occurs when operators fail to verify whether recursion is actually enabled for untrusted clients.

Examples and Use Cases

Implementing recursive DNS safely often introduces administrative friction, requiring organisations to balance resolver convenience for legitimate users against the security cost of accepting queries from the public internet. Authoritative guidance from sources such as IETF RFC 1034 helps separate recursive resolution behaviour from authoritative name service, while operational control expectations are reinforced in CISA DNS security guidance.

  • An enterprise resolver serves internal users only, with recursion restricted to corporate subnets or VPN ranges.
  • A cloud-hosted DNS service is audited and found to accept recursive queries from any IP address, creating a potential reflection vector.
  • A branch office forwards queries to a central recursive resolver, but firewall rules prevent outside clients from reaching the service.
  • A managed service provider operates shared resolvers and uses source restrictions plus rate limiting to prevent abuse by unauthorised networks.
  • A security team discovers that a legacy resolver was left in a permissive state after migration, making it a candidate for abuse in volumetric attacks.

Why It Matters for Security Teams

Open recursion matters because it turns a routine infrastructure component into an externally reachable resource that can be abused at scale. When teams fail to control recursion, they increase the risk of DNS amplification, create unnecessary service load, and weaken confidence in network boundary enforcement. From a governance perspective, the issue is not just availability but accountability: someone must own the resolver configuration, verify who is allowed to query it, and ensure the setting is reviewed after change events, migrations, or vendor handoffs. In identity and access terms, the concept is analogous to granting network-level privilege without scoping or review. It is also relevant to incident response because DNS abuse often emerges alongside broader reconnaissance or DDoS activity. The operational lesson aligns with the control intent of NIST SP 800-53 Rev 5 Security and Privacy Controls and DNS best-practice guidance from IETF RFC 8482 where limiting unnecessary exposure is part of resilient service design. Organisations typically encounter the consequences only after an abuse complaint, traffic spike, or upstream filtering event, at which point open recursion becomes operationally unavoidable to fix.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while ISO/IEC 27001:2022 and NIS2 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-3Access to services should be limited to authorized users and devices.
NIST SP 800-53 Rev 5SC-7Boundary protection controls address exposure of services to untrusted sources.
ISO/IEC 27001:2022A.8.20Network security controls require protection of network services from misuse.
NIS2NIS2 requires resilient network and information system security across essential services.

Include DNS recursion review in resilience and incident-prevention processes for critical services.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org