Turning off recursion

blrmaani blrmaani at gmail.com
Fri Oct 20 00:17:29 UTC 2006


If the number of zones from which you are expecting replies are small,
you can add
them as forwarders.

blr

Kevin Darcy wrote:
> churchers at gmail.com wrote:
> > We have 3 nameservers which are now authoritative for about 1000 domain
> > names and have, unfortunately, been historically used as general purpose
> > resolvers.
> >
> > I would like to turn off recursion but if I do, they start reporting any
> > domain name they don't run DNS for as being non-existent.
> >
> > --
> > pegasus# ping www.google.com
> > ping: cannot resolve www.google.com: No address associated with name
> > --
> >
> > Shouldn't they be referring the lookup to parent nameservers or am I
> > missing something?
> >
> > I don't want to break the ability for the server itself to be able to
> > resolve hosts. If this means leaving recursion on, then I'll have to leave
> > it as it is.
> >
> We get this question quite a lot. No-one should be turning off recursion
> unless they understand the ramifications. Recursion is *necessary* for
> your clients to be able to resolve things in zones you don't control,
> e.g. Internet names. Recursion is *unnecessary* for serving up zones to
> external/untrusted clients, and in fact it is recommended that recursion
> be disabled for such clients. So in order to follow that recommendation,
> you need to either
> a) run the resolving part on separate hardware from the hosting part
> b) run the respective functions within different instances on the same
> hardware (i.e. different instances of BIND configured with different,
> non-conflicting "listen-on" statements) listening on separate
> addresses/interfaces,
> c) run separate "view"s (recursion-enabled versus recursion-disabled)
> within the same BIND instance
> d) use some combination of allow-recursion/allow-query/allow-query-cache
> within the same instance and view, in order to allow your clients to
> recurse while at the same time denying recursion to external/untrusted
> clients. Allow-query-cache is a recent addition to that list, existing
> so far only in BIND 9.4, that, by controlling access to cached answers
> (which cannot be controlled by allow-recursion since no recursion is
> necessary to fetch them) relieves the administrator of the burden of
> defining a general allow-query which blocks all external clients, and
> then overriding that for each and every hosted zone.
>
>
>                            - Kevin
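As an added illustration of Kevin's option (d), not part of the thread, here is a named.conf fragment for a single BIND 9.4 instance and view that keeps recursion for the server itself and its own clients while refusing it to everyone else; the "internal" address range, the zone name and the file path are assumed placeholders.

```conf
// Added example (not from the thread): Kevin's option (d) on BIND 9.4,
// one instance, one view. Client range, zone name and file are assumed.
acl "internal" {
    127.0.0.1;        // the server itself keeps resolving (the OP's concern)
    192.0.2.0/24;     // assumed: the LAN allowed to use this server as a resolver
};

options {
    directory "/var/named";
    recursion yes;                     // stays on, but only for "internal" (below)
    allow-query { any; };              // hosted zones remain answerable to the world
    allow-recursion { "internal"; };   // outsiders asking for foreign names get REFUSED
    // allow-recursion alone does not cover records already in the cache, since
    // serving a cached answer needs no recursion; allow-query-cache closes that
    // gap without a per-zone allow-query override for each hosted zone.
    allow-query-cache { "internal"; };
};

// Hosted zones need no allow-query of their own: the global "any" applies.
zone "example.com" {
    type master;
    file "db.example.com";
};
```

After reloading, a query from an address outside the ACL for a name you do not host should come back REFUSED rather than a non-existent answer, while a query for the hosted zone still succeeds; `dig @server example.com SOA` and `dig @server www.google.com` run from an outside host show both behaviours.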

