Turned recursion off and now lookups not working

Kevin Darcy kcd at daimlerchrysler.com
Wed Oct 11 00:12:14 UTC 2006


wisptech at gmail.com wrote:
> I turned off recursive lookups in my bind server as recommended but now
> it will not resolve any domains (ie google.com) for clients.  Any help
> appreciated.  Below is my named.conf...
>
> options {
>         directory "/var/named";
>         dump-file "/var/named/data/cache_dump.db";
>         statistics-file "/var/named/data/named_stats.txt";
>         recursion no;
> };
>
> controls {
>         inet 127.0.0.1 allow { localhost; } keys { rndckey; };
> };
>
> zone "." IN {
>         type hint;
>         file "named.ca";
> };
>
> zone "localhost" IN {
>         type master;
>         file "localhost.zone";
>         allow-update { none; };
> };
>
> zone "0.0.127.in-addr.arpa" IN {
>         type master;
>         file "named.local";
>         allow-update { none; };
> };
>
> zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
>         type master;
>         file "named.ip6.local";
>         allow-update { none; };
> };
>
> zone "255.in-addr.arpa" IN {
>         type master;
>         file "named.broadcast";
>         allow-update { none; };
> };
>
> zone "0.in-addr.arpa" IN {
>         type master;
>         file "named.zero";
>         allow-update { none; };
> };
>
> include "/etc/rndc.key";
>
>
> << Zone definitions after this point >>

It's only the *external* clients you don't want to recurse for. You still may need to recurse for your *internal* clients, unless they don't require resolvability of Internet names (e.g. if everything is behind application-level proxies), or, alternatively, you intend to host the whole Internet DNS namespace on your computer (biiiiiig box).

Options: run separate boxes for hosting versus recursion, separate BIND 
instances on the same box, separate "view"s within the same instance, or 
control queries and/or recursion via allow-query and/or allow-recursion. 
Note that BIND 9.4.0 just came out with an "allow-query-cache" option, 
which makes allow-recursion a little more palatable -- previously, since 
answers from the cache do not require recursion, this data was available 
to external clients regardless of the allow-recursion settings, which 
was arguably "information leakage" that might not make one's security 
administrators/auditors very happy.

There was recently a thread here on a very similar topic. See the posts 
with the subject line "recursion question" at 
http://marc.theaimsgroup.com/?l=bind-users&w=2&r=1&s=recursion+question&q=b

                            - Kevin
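The "allow-query and/or allow-recursion" option Kevin lists, written out as a named.conf in the same shape as the one quoted above. This is an added example, not part of Kevin's reply or the original poster's configuration: it keeps recursion on for an "internal" ACL and leaves everyone else with authoritative answers only. It assumes BIND 9.4.0 or later (for allow-query-cache); the address range, the "example.com" zone and its file name are placeholders to be replaced with your own.

```bind
// Added example, not from the original thread. Splits recursion policy by
// client address instead of turning recursion off globally.
// Assumes BIND >= 9.4.0 so that allow-query-cache is available.

acl "internal" {
        127.0.0.1;
        ::1;
        192.168.0.0/16;          // assumed LAN range; adjust to your site
};

options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";

        // Recursion stays enabled, but only "internal" may ask for it.
        recursion yes;
        allow-recursion { internal; };

        // A cached answer needs no recursion, so without this line anyone
        // could still read back names your internal clients looked up a
        // moment ago. Set it explicitly rather than relying on the
        // version's default.
        allow-query-cache { internal; };

        // Authoritative data (the zones below) remains open to the world.
        allow-query { any; };
};

controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

// Root hints are only used when recursing for "internal" clients.
zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};

// ... the other local zones from the quoted file go here unchanged ...

include "/etc/rndc.key";

// A zone this server is authoritative for (placeholder name and file).
// External clients get this and nothing else.
zone "example.com" IN {
        type master;
        file "example.com.zone";
        allow-update { none; };
        allow-query { any; };
};
```

After loading it, run named-checkconf, then from a host outside the "internal" range try `dig @<server> google.com +norecurse`: it should come back REFUSED rather than with an answer, while `dig @<server> example.com` still returns the authoritative data. From inside the ACL, `dig @<server> google.com` resolves as before.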
