Hacker News
by krylon 3135 days ago
It is surprisingly easy to set up a recursive resolver for oneself.

That way, nobody can log and aggregate the queries you run, and nobody can mess with it either, unless they manage to break DNS itself in a big way.

2 comments

Caution: open recursive resolvers need protection from being used for DNS amplification attacks.
Yes, but typically such a server is either on a private network behind a NAT gateway and/or firewall, or it has a clearly defined set of addresses from which it will accept queries.

At least that is what I would do if I had to set up a recursive resolver. Mine sits in my private network at home behind a NAT router, so the chance of an attacker reaching it is small. If I were responsible for a nameserver with a public IP address, reachable from every corner of the Internet, I would seriously restrict whose queries it answers, for a number of reasons. The one you mentioned is among them, but also things like DNS cache poisoning.

TBH I am a little surprised that there have not been any large scale attacks on the DNS infrastructure, considering the fact that any sort of security was bolted on to DNS as an afterthought. DNSSEC is a step forward, but I have no clue if any resolvers and/or clients make use of it.

> TBH I am a little surprised that there have not been any large scale attacks on the DNS infrastructure, considering the fact that any sort of security was bolted on to DNS as an afterthought. DNSSEC is a step forward, but I have no clue if any resolvers and/or clients make use of it.

There have been _lots_ of large scale attacks on DNS infrastructure. DDoS against root servers, TLD servers, and well known nameservers is commonplace; occasionally with some success. Because DNS is mostly UDP, it works well with anycast, and anycast with many PoPs is a great way to handle traffic from a big DDoS. There's also a lot of good decisions in the protocol/general implementations that reduce the impact of outages.

DNSSEC is a bolt on intended to address response forgery, it doesn't address DDoS.

> There have been _lots_ of large scale attacks on DNS infrastructure.

Huh, I did not know that. Fascinating!

What I meant was that there have not been any disturbances that had widespread consequences; imagine that one day, out of nothing, it is impossible to get an answer for the .com zone, just for an hour or so. In my mind I see the news reporting about this the way they would report about a hurricane or earthquake. Unless a lot of their broadcasting / distribution also would be out of order. ;-)

Here's a blog entry [1] about an attack in 2016, with some references to other attacks.

The thing is, you have to maintain an attack for a long time to effectively disrupt service.

The root zone is published -- I imagine large recursive caches may use a local copy, rather than actually querying the root servers; but if they do query the root, the TTLs are 2 days; there's a pretty good chance your recursive resolver will have com. cached. The com. servers also give a 2 day TTL, so for popular domains, there's a good chance those are cached too. DDoS on the nameservers for domains can be effective, though. Even then, it's usually not a total outage.

[1] https://blog.thousandeyes.com/ddos-attack-varying-impacts-dn...

Google Spamhaus DDoS?

And DNSSEC is fundamentally flawed.

> nobody can log and aggregate the queries you run

So who do you forward your queries to? :)

A recursive resolver does not need to forward queries. ;-)

Conceptually, it starts with the root nameservers and works its way up - dot by dot, recursively, hence the name - until it finds the zone the host in question is in, then asks the nameservers for that zone and caches the result.

It is possible - with BIND9 at least, but I guess other DNS servers offer similar capabilities - to use forward servers for convenience/caching or to redirect queries to specific servers depending on the name in the query. But it is not mandatory.
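The iterative walk from the root described in the comment above, together with the two points raised earlier in the thread (answering recursive queries only for a defined set of source addresses, and delegations with long TTLs keeping the root and TLD servers out of most lookups), as an added example that is not code from any commenter. It is a toy resolver over constructed, invented zone data: the server labels (root, com-server, example-ns, other-ns), the addresses, the TTLs and the network 192.168.1.0/24 are all assumptions, and referrals are followed by label rather than by real network queries.

```python
"""Toy recursive resolver: source ACL, iterative resolution from the root, TTL cache.

Constructed example. ZONES is invented data standing in for the root, the com.
servers and two authoritative servers; no real DNS traffic is sent.
"""
import ipaddress
import time

DELEGATION_TTL = 2 * 86400  # root and com. delegations carry 2-day TTLs, as noted in the thread
MAX_REFERRALS = 8           # guard against referral loops in hostile delegation data

# server label -> {owner name: (rtype, ttl, rdata)}; an NS record names the next server label
ZONES = {
    "root": {"com.": ("NS", DELEGATION_TTL, "com-server")},
    "com-server": {
        "example.com.": ("NS", DELEGATION_TTL, "example-ns"),
        "other.com.": ("NS", DELEGATION_TTL, "other-ns"),
    },
    "example-ns": {"www.example.com.": ("A", 300, "192.0.2.10")},
    "other-ns": {"www.other.com.": ("A", 300, "192.0.2.20")},
}


def suffixes(name):
    """All suffixes of an absolute name, longest first: www.example.com., example.com., com., ."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]


class Resolver:
    def __init__(self, allow_recursion, clock=time.time):
        # Only these networks may use us recursively; everyone else gets REFUSED,
        # which is what stops an open resolver from amplifying spoofed-source floods.
        self.acl = [ipaddress.ip_network(n) for n in allow_recursion]
        self.cache = {}   # (name, rtype) -> (expires_at, rdata)
        self.clock = clock

    def _cache_get(self, name, rtype):
        hit = self.cache.get((name, rtype))
        if hit and hit[0] > self.clock():
            return hit[1]
        self.cache.pop((name, rtype), None)  # expired or absent
        return None

    def _cache_put(self, name, rtype, ttl, rdata):
        self.cache[(name, rtype)] = (self.clock() + ttl, rdata)

    def _allowed(self, src_ip):
        return any(ipaddress.ip_address(src_ip) in net for net in self.acl)

    def query(self, src_ip, name, rtype="A"):
        """Return (rcode, rdata, servers_contacted); an empty list means a pure cache hit."""
        if not self._allowed(src_ip):
            return ("REFUSED", None, [])
        cached = self._cache_get(name, rtype)
        if cached is not None:
            return ("NOERROR", cached, [])
        # Start at the closest cached delegation instead of the root.
        server = "root"
        for suffix in suffixes(name):
            ns = self._cache_get(suffix, "NS")
            if ns:
                server = ns
                break
        contacted = []
        for _ in range(MAX_REFERRALS):
            contacted.append(server)
            data = ZONES[server]
            for suffix in suffixes(name):
                if suffix in data:
                    rec_type, ttl, rdata = data[suffix]
                    break
            else:
                return ("NXDOMAIN", None, contacted)
            self._cache_put(suffix, rec_type, ttl, rdata)
            if rec_type == "NS":
                server = rdata  # referral: move one zone deeper
            elif rec_type == rtype and suffix == name:
                return ("NOERROR", rdata, contacted)
            else:
                return ("NXDOMAIN", None, contacted)
        return ("SERVFAIL", None, contacted)


if __name__ == "__main__":
    r = Resolver(["192.168.1.0/24"])
    print(r.query("203.0.113.5", "www.example.com."))    # outside the ACL: REFUSED
    print(r.query("192.168.1.20", "www.example.com."))   # walks root -> com-server -> example-ns
    print(r.query("192.168.1.20", "www.other.com."))     # com. delegation cached: skips the root
```

The second lookup of a different .com name never touches the root because the com. delegation is still within its 2-day TTL; after the 300-second A record expires, only the authoritative server for example.com. is asked again. Swap the hard-coded ZONES for real UDP queries and you have the skeleton of what BIND or Unbound does, minus everything that makes them safe to expose.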

True, seems I read over the recursive part. In which case it is definitely not easy to set up.

But even for a recursive DNS server that is only used by a single client, aggregation for popular domains is not impossible.

There are better and definitely easier ways to have anonymous DNS lookups.