turning off recursion - bind 8.2.5 REL

Barry Margolin barmar at genuity.net
Mon Dec 24 16:03:50 UTC 2001


In article <a00cbh$ks6 at pub3.rc.vix.com>, Tony <tony.wong at stanford.edu> wrote:
>I am confused on how recursion works and why it should be turned off for
>security reasons.
>
>Can someone please explain

You should turn it off by default to reduce the load on your server.  If
you're running a caching server, it's presumably intended to serve your
users; allowing recursion by default would permit anyone on the Internet to
use it, which could overload it and reduce its performance for the intended
customer base.  Allow recursion only for your users' address blocks.

Also, crackers can make use of recursive queries to poison the cache of
your server.  They send it a query, and then send it a forged response to
the query that they expect your server to send out in order to satisfy the
query.

Finally, if you're operating an authoritative-only server, you should
disable recursive queries entirely, since there's no reason anyone should
ever send recursive queries to it.

-- 
Barry Margolin, barmar at genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
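
Added example, not part of the original post: a named.conf sketch of the two setups described above, using the BIND 8 options allow-recursion and recursion. The ACL name "our-users", the address blocks (documentation ranges) and the directory path are assumptions to be replaced with your own values.

```conf
// --- named.conf on a caching server meant for your own users ---
// "our-users" is a hypothetical ACL name; list your users' address
// blocks here (192.0.2.0/24 and 198.51.100.0/24 are placeholders).
acl "our-users" {
        127.0.0.1;
        192.0.2.0/24;
        198.51.100.0/24;
};

options {
        directory "/var/named";         // assumed path
        // Only these clients get recursive service. Everyone else
        // receives answers from authoritative data or a referral.
        allow-recursion { "our-users"; };
};

// --- named.conf on an authoritative-only server (separate host) ---
// Use this options block INSTEAD of the one above, not alongside it.
//
// options {
//         directory "/var/named";      // assumed path
//         // Never perform recursion for any client.
//         recursion no;
// };
```

After reloading, a query from an outside address for a name the server is not authoritative for should come back as a referral, without the "ra" (recursion available) flag in the response header.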

