recursive queries for subdomains

Kevin Darcy kcd at
Thu Dec 9 23:35:31 UTC 2004

saruman7 wrote:

>We are trying to setup bind so that our company's external facing dns
>servers will do recursive lookups to internal subdomains that have
>their own dns servers that are not world accessible, but we do not want
>the external dns servers to be able to do recursive lookups for other
>domains (i.e.,, etc.)  Can someone tell me how to set
>up recursive lookups in this manner?
>Currently our external dns servers have all recursion turned off with
>this setting in the named.conf file:
>allow-recursion { none; };
Looks like named.conf's syntax doesn't allow a per-zone 
"allow-recursion". Pity. If that were possible, you could define the 
subdomains (hopefully you mean sub*zone*s, since BIND is not nearly 
granular enough to apply access control to undelegated subdomains) as 
"type stub" and then just override the allow-recursion default.

In the absence of that, you don't have any really good choices. You 
could, of course, make your external server a slave for those subzones, 
but then you have to deal with the zone-transfer overhead...

                                                      - Kevin

More information about the bind-users mailing list