Allowing recursion for just specific zones

Brian Candler B.Candler at
Tue May 11 08:21:36 UTC 2010

On Mon, May 10, 2010 at 11:54:57AM -0700, Chris Buxton wrote:
> One strategy would be to set up a view that matches recursive queries
> only. Set allow-query to none at the view, then set it any (or
> whatever) in each zone of type forward or stub.

Thank you Chris.

Unfortunately, allow-query is rejected in forward zones. The error is

    option 'allow-query' is not allowed in 'forward' zone ''

The 9.2.4 ARM doesn't make this clear, but the 9.4.2 ARM does show a
restricted grammar for forward zones:

zone zone_name [class] {
    type forward;
    [ forward (only|first) ; ]
    [ forwarders { [ ip_addr [port ip_port] ; ... ] }; ]
    [ delegation-only yes_or_no ; ]

> Or if you want to use your root zone idea, make sure to populate it
> with delegations to the domains that should resolve.

Interesting. It seems to work even if I just delegate to 'localhost',
without having to hardcode the real NS RRs for the zone.  That seems like a
bit of a frig though, which may confuse people maintaining it.  And ideally
I'd prefer a REFUSED response to NXDOMAIN.

> I'm not sure if the match-recursive statement existed in 9.2. You may
> need to upgrade to something current.

There is "match-recursive-only" (boolean). Does that match queries with the
RD flag set?  If so it won't make a difference here, because all the clients
are dumb endpoints which will set RD always.

The application, by the way, is supporting a network of kiosk-like
terminals.  They run some third-party applications which need to make
external access to certain services across the Internet.  Of course, the
firewall only lets them make connections to specific hosts/ports they need. 
However I want to give a similar level of control for DNS lookups too;
otherwise, in the event of a virus infection, the virus could use the DNS as
a covert channel.



More information about the bind-users mailing list