CNAMEs pointing to outside domains

Kevin Darcy kcd at
Wed Jun 19 01:56:24 UTC 2002

Vincent Aniello wrote:

> "Simon Waters" <Simon at> wrote in message
> news:aenrqm$663r$1 at
> >
> > Vincent Aniello wrote:
> > >
> > > If this is the case then I am
> > > going to get complaints from users that try nslookups on the CNAME
> records
> > > pointing to outside domains.
> >
> > You shouldn't as your users are presumably on networks to which
> > you allow recursion?
> By users I was also referring to customers performing nslookups from the
> Internet.  The customers networks are not in the list of trusted networks on
> my DNS servers.

Disabling recursion is becoming more and more a standard practice, as awareness
increases of Denial-of-Service and cache poisoning attacks. Also, a lot of
organizations don't like folks freeloading off their nameservers. Given this,
none of your customers should be surprised if your nameserver declines to
recurse to fetch the target of a CNAME, when the query comes from outside of
your own network.

- Kevin

More information about the bind-users mailing list