Recursion question

Kevin Darcy kcd at daimlerchrysler.com
Fri Oct 6 20:46:37 UTC 2006


Steve Ingraham wrote:
> I have a question concerning my name servers.  In doing a check of my
> DNS configuration I ran a DNS report from www.dnsreport.com
> <http://www.dnsreport.com/> .
>  
>
> One of the failures the report noted on our NS records is that our
> domain failed the open DNS server test.  Is this a critical issue I
> should resolve?  What problems should I be aware of with this issue?
>
>  
>
> I have read where I should set:
>
>  
>
> Options {
>
> recursion=no;
>   
That should be "recursion no". No equals-sign.
> };
>
>  
>
> in the named.conf file.  Is that all I need to do to correct this
> problem?
>   
Perhaps you should ask the dnsreport.com folks that question.

Note that if you set "recursion no", your clients won't be able to use 
that instance (or that view) for resolving Internet names any more. 
They'd need to use some other instance or some other view.

You can get more fine-grained behavior by using allow-recursion instead 
of "recursion no". You could, for instance, allow your own clients to 
recurse, but not anyone else's. The downside of this is that data in 
your cache would still be available to external clients, since no 
recursion is necessary to answer with data from cache. To tighten things 
up further, then, it was necessary in the past to nail things down via 
allow-query rather than allow-recursion, so that only your clients can 
query anything outside of your own authoritative zones. This was rather 
cumbersome, though, since it required an explicit "allow-query" on every 
authoritative-zone definition, so as of 9.4, ISC implemented the 
following feature:

	New option "allow-query-cache".  This lets allow-query be
	used to specify the default zone access level rather than
	having to have every zone override the global value.
	allow-query-cache can be set at both the options and view
	levels.  If allow-query-cache is not set allow-query applies.

I haven't played with that yet though.
> Two other failures have me concerned.  One states I have a "Missing
> Stealth Server".  Another states that there is a "Stealth NS record
> leakage".  Can someone explain what these two failures are about and
> what I need to do to correct them?
>   
I'm not sure what they're getting at either -- how would they even know 
about "stealth" servers, and why would they care? Perhaps you should ask 
them for clarifications.

- Kevin
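The three configurations the reply walks through, written out as named.conf fragments. This is an added example, not part of Kevin's or Steve's messages and not taken from ISC's documentation. It assumes a hypothetical internal network of 192.0.2.0/24 (RFC 5737 documentation space), a zone "example.com" with its data in "example.com.zone", and BIND 9.4 or later for the allow-query-cache variant; the three options blocks and the views block are alternatives, not meant to be loaded together.

```conf
// Added example; placeholder addresses, zone name and file paths.
acl "internal" { 127.0.0.1; ::1; 192.0.2.0/24; };

// ----- Alternative A: what the question proposed -----
// Fixes the "open DNS server" finding, but this instance will no
// longer resolve Internet names for your own clients either; they
// would need another server or another view.
options {
    recursion no;
};

// ----- Alternative B: restrict recursion only -----
// Your clients can recurse, outsiders cannot. The weakness: anything
// already in the cache is still returned to anyone who asks, because
// no recursion is needed to answer from cache.
options {
    recursion yes;
    allow-recursion { internal; };
};

// ----- Alternative C: BIND 9.4+ with allow-query-cache -----
// Authoritative data stays public (allow-query is the per-zone
// default), while both recursion and cached answers are limited to
// the internal ACL without repeating allow-query in every zone.
options {
    recursion yes;
    allow-recursion { internal; };
    allow-query-cache { internal; };
    allow-query { any; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
};

// ----- Alternative D: split views (works before 9.4) -----
// Internal clients hit a recursive view; everyone else gets an
// authoritative-only view with its own empty cache. With views in
// use, every zone must be declared inside a view.
view "internal" {
    match-clients { internal; };
    recursion yes;
    zone "example.com" {
        type master;
        file "example.com.zone";
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "example.com.zone";
    };
};
```

After editing, run named-checkconf on the file before reloading to catch syntax slips such as the "recursion=no" in the question. To confirm the change took effect, query the server from a host outside the internal ACL for a name you are not authoritative for (for example with dig); under alternatives C and D that query should be refused, while a query for a name in example.com should still be answered.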




More information about the bind-users mailing list