Public DNS - recursion no - Access to the Internet

Pascal Hambourg pascal.mail at
Mon Feb 19 16:10:45 UTC 2007

Barry Margolin a écrit :
>>>The reason it didn't work for him was that he only put in his 
>>>allow-recursion ACL.
>>No, the reason was that "allow-recursion" was kept to "no".

I meant "recursion" instead of "allow-recursion".

>>>But when you use in your resolv.conf [corrected quote], it 
>>>doesn't send from/to, it sends to one of the machine's real 
>>>NIC addresses,

This is not what I observed on a Debian GNU/Linux system. When 
resolv.conf contains "nameserver" or no nameserver entry or does 
not exist, DNS queries are sent to, with source address So it does not seem that the resolver seeks any local 
addresses on "real" network interfaces. My understanding is that 
"nameserver" is invalid and ignored. In this case, is 
used as the default nameserver, as stated by the resolv.conf manpage : 
"If no nameserver entries are present, the default is to use the name 
server on the local machine". Other OSes may behave differently.

>>Do you mean that as a nameserver address in resolv.conf is legal 
>>and means "any local address" ?
> Yes.  Read the above quote from "DNS & BIND".

I did, and reacted because I do not agree with it. To me can be 
used as "this host" in a source address in special cases (e.g. DHCP 
queries) or as an "any local address" wildcard when creating a socket 
(e.g. "Listen" in Apache setup). But I have never seen that it 
may be considered as a wildcard remote destination address by any IP 

> I believe RFC 1122 says that the default source address should be the 
> outgoing interface.  When sending to your own address, the outgoing 
> interface is the one whose address you're sending to, so the source and 
> destination addresses will be the same.

In common OSes, when sending to any of your own addresses the outgoing 
interface is the loopback interface. So, according to what you wrote, 
the default source address should be the loopback address, 
But this is not what is commonly observed. The Linux 2.4 kernel uses ::1 
as the default IPv6 source address when sending to a local address. But 
this was changed at least in recent 2.6 kernels which use the same 
address as the destination, just like in IPv4.

More information about the bind-users mailing list