Recursion Off

David yeodavid at
Wed Nov 24 20:38:12 UTC 2004

Currently our DNS allows recursive queries from all users.  We would
like to tighten up our security and limit the public use of our DNS.

Our current DNS uses views to allow "internal" users access to our
machines and those on the Internet and to resolve "external" queries
from the public to our machines.

By turning off recursion in our "external" view, will this completely
restrict "external" users from abusing our DNS with queries that we
are not the authoritative source for?  Does the cache need to be
cleared and disabled?  What will our DNS response be when a recursive
query is made for which we are not the authoritative source?

Using nslookup, I tried using a Yahoo DNS server to look up
and got this:

Non-authoritative answer:
*** Can't find No answer

Authoritative answers can be found from:
.       nameserver = K.ROOT-SERVERS.NET.
.       nameserver = L.ROOT-SERVERS.NET.
.       nameserver = M.ROOT-SERVERS.NET.
.       nameserver = I.ROOT-SERVERS.NET.
.       nameserver = E.ROOT-SERVERS.NET.
.       nameserver = D.ROOT-SERVERS.NET.
.       nameserver = A.ROOT-SERVERS.NET.
.       nameserver = H.ROOT-SERVERS.NET.
.       nameserver = C.ROOT-SERVERS.NET.
.       nameserver = G.ROOT-SERVERS.NET.
.       nameserver = F.ROOT-SERVERS.NET.
.       nameserver = B.ROOT-SERVERS.NET.
.       nameserver = J.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET      internet address =
L.ROOT-SERVERS.NET      internet address =
M.ROOT-SERVERS.NET      internet address =
I.ROOT-SERVERS.NET      internet address =
E.ROOT-SERVERS.NET      internet address =
D.ROOT-SERVERS.NET      internet address =
A.ROOT-SERVERS.NET      internet address =
H.ROOT-SERVERS.NET      internet address =
C.ROOT-SERVERS.NET      internet address =
G.ROOT-SERVERS.NET      internet address =
F.ROOT-SERVERS.NET      internet address =
B.ROOT-SERVERS.NET      internet address =
J.ROOT-SERVERS.NET      internet address =

I'd like our server to spit out something like this when an
unauthorized user tries to use our DNS.
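
The split-view configuration the post describes, written out as an added example for BIND 9 (this is not the poster's configuration, and the network ranges, zone names and file paths are placeholders). Recursion stays on for the internal view and is turned off in the external view; `additional-from-cache no` additionally stops the external view from filling the additional section from cache, so cached data cannot be read back out through that view. Each BIND 9 view keeps its own cache, so nothing in the internal view's cache is reachable from the external one.

```conf
// Added example, not from the original post: two-view named.conf sketch.
// 192.0.2.0/24, example.com and the file paths are placeholders.
acl "internal-nets" { 192.0.2.0/24; 127.0.0.1; };

options {
    directory "/var/named";      // placeholder
    // Default to no recursion; only the internal view re-enables it.
    recursion no;
};

view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;
    allow-recursion { "internal-nets"; };
    zone "." { type hint; file "named.root"; };
    zone "example.com" { type master; file "internal/example.com.db"; };
};

view "external" {
    match-clients { any; };
    // Authoritative answers only: queries for names we do not serve are
    // not resolved on the client's behalf.
    recursion no;
    // Do not pad answers with cached records either.
    additional-from-cache no;
    zone "example.com" { type master; file "external/example.com.db"; };
};
```

With recursion off, the external view still answers queries for the zones it is authoritative for; what it returns for other names depends on the BIND version, either a REFUSED status or a referral to the root servers, which is what the nslookup output above shows. To verify from an outside address, query the server for a name you are not authoritative for (for example `dig @ns.example.com www.example.net A`) and check that the `flags:` line carries no `ra` bit and that no answer section is returned.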

