Recursion Off

Kevin Darcy kcd at
Wed Nov 24 21:57:58 UTC 2004

David wrote:

>Currently our DNS allows recursive queries from all users.  We would
>like to tighten up our security and limit the public use of our DNS.
>Our current DNS uses views to allow "internal" users access to our
>machines and those on the Internet and to resolve "external" queries
>from the public to our machines.
>By turning off recursion in our "external" view, will this completely
>restrict "external" users from abusing our DNS with queries that we
>are not the authoritative source for?  Does the cache need to be
>cleared and disabled?  What will our DNS response be when a recursive
>query is made for which we are not the authoritative source?
Decling recursion for a particular client means just that: that the 
nameserver (resolver, actually) won't perform recursion for that client. 
In and of itself, however, it doesn't prevent named from responding with 
data for which it doesn't need to recurse, i.e. data from authoritative 
zones, or data from the cache. To prevent access to the cached data, you 
either need to:
a) set allow-query restrictions, e.g. a global restriction that only 
allows your internal clients to query, overridden by allow-query { any; 
}; for each authoritative zone you serve, (note that allow-query will 
cause a REFUSED response to be returned for declined queries, rather 
than the "upward referral" you specified in your message), or
b) you need to separate your authoritative nameserving function from 
your recursive-resolver function. You can achieve this separation by 
running those on separate nameserver instances, or if you don't have 
enough nameserver instances to accomplish that, with separate "view"s on 
the same nameserver instance(s). See the BIND 9 documentation for 
information on "view"s.

                                 - Kevin

More information about the bind-users mailing list