My DNS Server Doing Recursive Lookups for the World?

Nate Campi nate at
Mon Feb 25 18:42:24 UTC 2002

On Mon, Feb 25, 2002 at 04:48:26PM +0000, eric at wrote:
> How do I keep from operating an "open" or "public" dns server?
> I want my dns server to:
> 1.	Answer queries from the outside for servers in my own domains.
> 2.	Do recursive lookups for my own users.
> I want to prevent people from the outside from configuring their
> systems to use my dns server for name resolution.

In named.conf, in the options{} section:

allow-recursion { 192.0.2.0/24; 198.51.100.0/24; };	// placeholder nets, replace with your own

Put in the nets you want to allow. You can use acls too:

acl recursive-nets {
	192.0.2.0/24;		// internal workstation net (placeholder net)
	198.51.100.0/24;	// dev server net (placeholder net)
};

Then use the acl in your allow-recursion statement:

allow-recursion { recursive-nets; };

Easier to comment things this way. The benefits are more apparent when
you also use acls for all your directives that take IPs (like
allow-transfer, also-notify, etc).
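One way to check a config for the problem the message above describes, as an added example that is not part of the original post: a small Python audit that expands acl references and reports whether allow-recursion is absent, wide open, or restricted. The named.conf fragment, the acl name and the nets (RFC 5737 documentation ranges) are constructed sample input.

```python
import re

# Constructed sample named.conf in the shape the message above describes
# (an acl block plus allow-recursion in options{}); not a real server's config.
SAMPLE_NAMED_CONF = """
acl recursive-nets {
    192.0.2.0/24;        // internal workstation net
    198.51.100.0/24;     // dev server net
};
options {
    directory "/var/named";
    allow-recursion { recursive-nets; };
    allow-transfer { recursive-nets; };
};
"""

# Elements that make allow-recursion effectively open to the whole Internet.
OPEN_ELEMENTS = {"any", "0.0.0.0/0", "0/0", "::/0"}

def strip_comments(text):
    """Drop // and /* */ comments so they cannot hide or fake a statement."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"//[^\n]*", "", text)

def parse_acls(text):
    """Return {acl name: [elements]} for every acl block in comment-free text."""
    return {name: [e.strip() for e in body.split(";") if e.strip()]
            for name, body in re.findall(r'\bacl\s+"?([\w-]+)"?\s*\{([^}]*)\}', text)}

def expand(elements, acls, seen=()):
    """Flatten acl references (including nested ones) into address elements."""
    out = []
    for e in elements:
        if e in acls and e not in seen:
            out.extend(expand(acls[e], acls, seen + (e,)))
        else:
            out.append(e)
    return out

def recursion_audit(conf):
    """Return (status, expanded nets); status is 'unset', 'open' or 'restricted'.
    'unset' is worth flagging: older BIND releases default to recursion for all."""
    text = strip_comments(conf)
    m = re.search(r"allow-recursion\s*\{([^}]*)\}", text)
    if not m:
        return "unset", []
    nets = expand([e.strip() for e in m.group(1).split(";") if e.strip()],
                  parse_acls(text))
    return ("open" if any(n in OPEN_ELEMENTS for n in nets) else "restricted"), nets
```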
