Disable recursion externally, allow internally

milney_boy milneyboy at googlemail.com
Thu Apr 27 10:26:41 UTC 2006


Hello,

I'm trying to set up a BIND (version 9.2, I think) server to host DNS
for my domains.  I have set up a RHEL server with a public IP address
and am now configuring BIND.

As background info, my resolv.conf file has one "nameserver
xxx.xxx.xxx.xxx" line, where xxx.xxx.xxx.xxx is the public IP address
that I have given the server (I am not using NAT for this).

I want to set up BIND to allow recursive queries when I do internal
nslookups, but not when a query comes from anywhere else.

I have tried views, to split the named.conf and specify an "internal"
view where:

match-clients { localhost; };
recursion yes;

and an "external" view where:

match-clients { any; };
recursion no;

This appears to work as a query from another server appears to not
return a recursive result, whereas a local nslookup does resolve.
However, as I have listed my domains in the "external" view so that
they will be resolved correctly on the internet, it appears that they
no longer resolve from an internal query.

I don't want to have to list all my domains twice, though: once in the
internal view and once in the external view.  I also think it is causing
problems with nsupdate, as I get a message ";;connection timed out. no
servers could be reached" when trying to update one of the domains
listed in the "external" view (I have specified allow-update { any; };).

I have tried to use "allow-recursion { localhost; };" as this should
solve my problem in theory, but in practice it does not work as it
still allows external recursive queries.

If anyone can offer me any suggestions as to how to set up this
external/internal recursion, I would be very grateful.  Apologies if I
seem naive, but I am relatively new to BIND.

Thanks,

Andrew
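The following named.conf layout is an added example, not part of the original post and not taken from the BIND documentation; it shows one way to keep a single zone list while serving two views with different recursion policies. It assumes a BIND 9 release with view support, and the ACL name "trusted", the include path /etc/named.zones.inc and the zone example.com are placeholders chosen for the illustration. Both views match by source address, so a query from localhost lands in "internal" and everything else in "external"; the zones are written once in the included file and pulled into both views.

```conf
// Added example, not from the original post. Placeholders: acl "trusted",
// /etc/named.zones.inc, example.com and the file paths under /var/named.

// Who is allowed to use this server as a recursive resolver.
acl "trusted" { localhost; localnets; };

options {
    directory "/var/named";
    // Global default: never recurse unless a view says otherwise.
    recursion no;
};

// Contents of /etc/named.zones.inc (kept in one place, included twice):
//
//   zone "example.com" {
//       type master;
//       file "example.com.zone";
//       // Restrict updates to the local host instead of { any; }.
//       allow-update { localhost; };
//   };

// First matching view wins, so list the restrictive-to-match one first.
view "internal" {
    match-clients { trusted; };
    recursion yes;
    allow-recursion { trusted; };
    include "/etc/named.zones.inc";   // same authoritative zones as below
};

view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };        // belt and braces with recursion no
    include "/etc/named.zones.inc";   // authoritative answers only
};
```

Two checks are worth doing after a reload. Run named-checkconf on the file, then from a host outside "trusted" query for a name you are not authoritative for (dig @server example.org A): the reply should be REFUSED, or at least carry no ra flag, while the same query from localhost resolves, and a query for example.com should be answered from both places. One caveat with the include approach: each view loads its own in-memory copy of every zone, so a dynamic update that arrives through the internal view only changes the internal copy, and the two copies share one zone file. On BIND 9.10 or newer the zone can instead be declared once in the internal view and referenced from the external one with zone "example.com" { in-view "internal"; };, which makes both views serve the same zone object.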
