Allowing recursion for just specific zones

Chris Buxton chris.p.buxton at
Wed May 12 06:37:17 UTC 2010

Yes, of course. I've made that mistake before, in fact.

Use a custom root zone, as I believe you originally mentioned, with
delegations to just the zones that should be reachable.

Or else set up secure proxies and disallow all DNS resolution (an
empty root zone).

Chris Buxton
BlueCat Networks

On 5/11/10, Brian Candler <B.Candler at> wrote:
> On Mon, May 10, 2010 at 11:54:57AM -0700, Chris Buxton wrote:
>> One strategy would be to set up a view that matches recursive queries
>> only. Set allow-query to none at the view, then set it any (or
>> whatever) in each zone of type forward or stub.
> Thank you Chris.
> Unfortunately, allow-query is rejected in forward zones. The error is
> explicit:
>     option 'allow-query' is not allowed in 'forward' zone ''
> The 9.2.4 ARM doesn't make this clear, but the 9.4.2 ARM does show a
> restricted grammar for forward zones:
> zone zone_name [class] {
>     type forward;
>     [ forward (only|first) ; ]
>     [ forwarders { [ ip_addr [port ip_port] ; ... ] }; ]
>     [ delegation-only yes_or_no ; ]
> };
>> Or if you want to use your root zone idea, make sure to populate it
>> with delegations to the domains that should resolve.
> Interesting. It seems to work even if I just delegate to 'localhost',
> without having to hardcode the real NS RRs for the zone.  That seems like a
> bit of a frig though, which may confuse people maintaining it.  And ideally
> I'd prefer a REFUSED response to NXDOMAIN.
>> I'm not sure if the match-recursive statement existed in 9.2. You may
>> need to upgrade to something current.
> There is "match-recursive-only" (boolean). Does that match queries with the
> RD flag set?  If so it won't make a difference here, because all the clients
> are dumb endpoints which will set RD always.
> The application, by the way, is supporting a network of kiosk-like
> terminals.  They run some third-party applications which need to make
> external access to certain services across the Internet.  Of course, the
> firewall only lets them make connections to specific hosts/ports they need.
> However I want to give a similar level of control for DNS lookups too;
> otherwise, in the event of a virus infection, the virus could use the DNS as
> a covert channel.
> Regards,
> Brian.

Sent from my mobile device

More information about the bind-users mailing list