9.3.2 recursive only for local host

Kevin Darcy kcd at daimlerchrysler.com
Thu Nov 16 03:39:31 UTC 2006


James Lockie wrote:
> I am running bind 9.3.2 on a static IP that changes.
> I would like to restrict bind to be recursive only for localhost.
>
> The problem is that if I put servers in the /etc/resolv.conf, it uses
> those DNS servers to resolve my domain and it may cache old information.
> When the IP changes, I update named on the localhost and use nslookup
> mydomain to test the changes.
> I don't want to wait for other servers to clear their cache so I can
> test it.
>
allow-recursion { localhost; };

Note, however, that if you allow *any* recursion, you will cache results 
that can then, in the absence of any additional safeguards, be retrieved 
by any client. This information disclosure can, to the paranoid, even be 
considered a way for potential evildoers to "profile" you by seeing what 
sites your web users are visiting, etc.

If you really want to keep things nailed down, you should probably use 
allow-query and/or allow-query-cache (the latter is new as of BIND 9.4) 
in addition to allow-recursion, in order to more accurately control who 
can resolve from you and who can't.

                                                                         
                                    - Kevin
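The combination Kevin describes, written out as a named.conf fragment. This is an added example, not configuration from the original thread or from ISC: the ACL name "trusted", the directory path and the zone "example.com" are placeholders, and the allow-query-cache line requires BIND 9.4 or later as the reply notes.

```conf
// Added example (not from the original post): restrict recursion and
// cache access to the local host while keeping hosted zones answerable
// by anyone. Names and paths below are assumptions.

acl "trusted" { localhost; };   // built-in "localhost" ACL; add "localnets;" if LAN clients need recursion

options {
    directory "/var/named";     // assumed path; adjust to your install
    recursion yes;

    // Weak setting (what allow-recursion alone gives you): recursion is
    // limited to localhost, but allow-query still defaults to "any", so
    // answers already sitting in the cache can be read by any client.
    //   allow-recursion { localhost; };
    //   allow-query     { any; };

    // Hardened: only trusted clients may recurse or read cached answers.
    allow-recursion   { "trusted"; };
    allow-query-cache { "trusted"; };   // BIND 9.4 and later
    allow-query       { any; };         // authoritative data for hosted zones stays public
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };   // zone-level allow-query takes precedence over the global one
};
```

Run `named-checkconf` after editing to catch syntax errors before reloading. To confirm the policy, query a name outside your zones from the server itself (`dig @127.0.0.1 www.example.net`) and then from another host; the remote query should come back REFUSED, while a query for a record in example.com should still be answered from either location. On BIND 9.3, where allow-query-cache does not exist, the only way to keep cached data private is to narrow allow-query in the global options and then open it again per zone, exactly as the zone block above does.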


