Question About Recursion In A Split Horizon Setup

Tim Daneliuk tundra at
Fri Apr 17 14:33:42 UTC 2020

On 4/17/20 7:26 AM, Bob Harold wrote:
> On Thu, Apr 16, 2020 at 7:17 PM Tim Daneliuk <tundra at> wrote:
>     We have a split horizon setup and enable our internal and trusted hosts
>     to do things as follows:
>         allow-recursion { trustedhosts; };
>         allow-transfer  { trustedhosts; };
>     'trustedhosts' includes a number of public facing IPs as well as the
>     192.168.0/24 CIDR block.  It also includes the IPs of the Master and
>     Slave bind servers.
>     So here's the part that has me wondering.  If I do a reverse lookup of
>     an IP, it works as expected _except_ if I do it on either the Master
>     or Slave machines. Not only will they not look up reverses on our
>     own IPs, they won't do it for ANY IP and return the warning:
>         WARNING: recursion requested but not available
>     This is replicable with 9.14 or 9.16 (or was until today's assert borkage)
>     running on FreeBSD 11.3-STABLE.  Master is on a cloud server, Slave is
>     on a physical machine.  Neither instance is jailed.
>     Ideas?
>     -- 
>     ----------------------------------------------------------------------------
>     Tim Daneliuk     tundra at
>     PGP Key:
> Is in the 'trustedhosts' list?


> Are you telling 'dig' what server to use  - dig @<>

No.  But when I do, it works properly.  Doesn't dig default to localhost (in this case the host running bind)?

> What servers are listed in /etc/resolv.conf?  Do they resolve the reverse zones?

There is no resolv.conf on these machines.  They are the ones running the nameservers.

> Are local queries hitting the right 'view' (if you have multiple views) ?

Yes, IF I explicitly point dig to the right nameserver.

So ... what's going on is that dig appears to not be using localhost first to resolve reverses.

> -- 
> Bob Harold

Tim Daneliuk     tundra at
PGP Key:

More information about the bind-users mailing list