Turned recursion off and now lookups not working

Kevin Darcy kcd at daimlerchrysler.com
Wed Oct 11 20:45:16 UTC 2006


Steve Ingraham wrote:
> Kevin Darcey wrote:
>   
>> It's only the *external* clients you don't want to recurse for. You
>>     
> still >may need to recurse for your *internal* clients, unless they
> don't require >resolvability of Internet names (e.g. if everything is
> behind application->level proxies), or, alternatively, you intend to
> host the whole Internet >DNS namespace on your computer (biiiiiig box).
>
>   
>> Options: run separate boxes for hosting versus recursion, separate BIND
>>     
>
>   
>> instances on the same box, separate "view"s within the same instance,
>>     
> or 
>   
>> control queries and/or recursion via allow-query and/or
>>     
> allow-recursion. 
>   
>> Note that BIND 9.4.0 just came out with an "allow-query-cache" option, 
>> which makes allow-recursion a little more palatable -- previously,
>>     
> since 
>   
>> answers from the cache do not require recursion, this data was
>>     
> available 
>   
>> to external clients regardless of the allow-recursion settings, which 
>> was arguably  "information leakage" that might not make one's security 
>> administrators/auditors very happy.
>>     
>
>   
>> There was recently a thread here on a very similar topic. See the posts
>>     
>
>   
>> with the subject line "recursion question" at 
>> http://marc.theaimsgroup.com/?l=bind-users&w=2&r=1&s=recursion+question
>>     
> &q=b
>
>
> I am the person who originated that original question you are referring
> to.  I am still somewhat fuzzy on the recursion thing.  I have set up
> the named.conf file with the option line also:
>
> {
> recursion no;
> };
>
> I have not seen any problems with user access to the internet.  I do
> have an internal DNS server inside the firewall running Windows 2000 as
> an internal DNS server.  In my ignorance of much of the issues
> associated with DNS I have concluded that this internal DNS is allowing
> our client machines to resolve names.  Is this a correct assumption on
> my part?
>   
Think of "recursion no" as an evil shrink ray that turns your mighty 
superhero resolver into a meek little non-recursive nameserver, 
basically little more than a specialized database server. Once 
diminished like that, it can *only* answer from its own authoritative 
data (i.e. data in zones that are defined as type master or type slave), 
and won't lift a finger to query other nameservers on a client's behalf. 
But, at least with its recursive capabilities wing-clipped, its 
query-answering powers can only be used for good :-)

If a nameserver has "recursion no", therefore, I think reasonable to 
conclude that the internal stub resolvers (e.g. end-user clients) 
pointed to that nameserver, if any, don't actually need to resolve 
Internet names. Presumably this is because all of their interaction with 
the Internet is done through application-level proxies (e.g. web 
proxies, mail gateways, etc.), and it's the *proxies*, not the end-user 
clients, that are doing the Internet name resolution, using their own 
resources.

As for resolving internal names, "recursion no" imposes the burdensome 
requirement that every internal zone needed by a given community of stub 
resolvers be defined as master or slave on the nameserver (or view) 
which serves those stub resolvers. This doesn't scale very well, 
especially if you have diverse business units which need to co-ordinate 
the setup and ongoing maintenance of multiple master/slave relationships 
between each other's servers. It can also be viewed as overkill to slave 
a zone for which queries are infrequent (how _much_ overkill depends on 
a variety of factors, e.g. REFRESH setting relative to the TTLs of the 
more-popular RRsets, frequency of changes to the zone, size of the zone, 
whether the master and slave both support IXFR, etc.). Regardless of 
those considerations, sometimes it's necessary to slave a zone, just to 
provide maximum redundancy/availability.

Just because you slave a zone, of course, doesn't mean you attract query 
traffic for that zone from foreign resolvers. You can be a "stealth 
slave", which doesn't appear in the NS records of the zone.

For the foregoing reasons, I only define "recursion no" on our primary 
master server for the internal DNS (which is only supposed to 
communicate to other DNS programs via non-recursive transactions, 
including zone transfers), and in one of the views of our 
Internet-facing boxes. Everything else has recursion enabled.

- Kevin




More information about the bind-users mailing list