<div dir="ltr"><div>Hi Kazik.</div><div>What's your definition of "secure' in this case?</div><div>A lot of people use forward zones and/or global forwarding on recursive servers.</div><div><br></div><div>Cheers, Greg</div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Tue, 7 Oct 2025 at 13:51, kzkz--- via bind-users <<a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span dir="ltr" lang="pl"><span><div><div><div><span lang="en"><span><span>Good morning,
</span></span></span><br></div><div style="font-size:16px"><span lang="en"><span><span>
</span></span></span><br></div><div style="font-size:16px"><span lang="en"><span><span>I'd like to forward DNS requests in the public (internet) view for a subdomain that is hosted on a different DNS server. </span></span></span><br></div><div style="font-size:16px"><span lang="en"><span><span>Forwarding isn't supported when the settting 'recursion no' is used.</span></span> </span><br></div><div style="font-size:16px"><span lang="en"><span><span>Therefore, changing the setting to 'recursion yes' makes it possible.</span></span><span><span> </span></span></span><br></div><div style="font-size:16px"><br></div><div style="font-size:16px"><span lang="en"><span><span># (1) existing configuration
</span></span></span><br></div><div style="font-size:16px"><span lang="en"><span><span>view "public" {
</span></span></span><br></div><div style="font-size:16px"><span lang="en"><span><span>    allow-query { any;</span></span> <span><span>}; </span></span></span><br></div><div style="font-size:16px"><span lang="en"><span><span>    match-clients { any;</span></span> <span><span>}; </span></span></span><br></div><div style="font-size:16px"><span lang="en"><span><span>    allow-recursion { none;</span></span> <span><span>};  </span></span></span><br></div><div style="font-size:16px">  <span lang="en"><span><span>  recursion no;</span></span><span><span> </span></span></span><br></div><div style="font-size:16px"><span lang="en"><span><span>....

</span></span></span><br></div><div style="font-size:16px"><br></div><div style="font-size:16px"><span lang="en"><span><span># (2) new configuration
</span></span></span><br></div><div style="font-size:16px"><span lang="en"><span><span>view "public" {
</span></span></span><br></div><div style="font-size:16px"><span lang="en"><span><span>    allow-query { any;</span></span> <span><span>}; </span></span></span><br></div><div style="font-size:16px"><span lang="en"><span><span>    match-clients { any;</span></span> <span><span>}; </span></span></span><br></div><div style="font-size:16px"><span lang="en"><span><span>    allow-recursion { none;</span></span> <span><span>};</span></span><span><span> </span></span></span><br></div><div style="font-size:16px"><span lang="en"><span><span>    recursion yes;<span> </span></span></span></span><br></div><div style="font-size:16px"><span lang="en"><span><span><span>....
</span></span></span></span><br></div><div style="font-size:16px"><br></div><div style="font-size:16px"><span lang="en"><span><span><span>
In configuration #(2) forward would be configured as follows:
</span></span></span></span><br></div><div style="font-size:16px"><span lang="en"><span><span><span>zone "<a href="http://other.example.com" target="_blank">other.example.com</a>" {
</span></span></span></span><br></div><div style="font-size:16px"><span lang="en"><span><span><span>    type forward;</span> </span></span></span><br></div><div style="font-size:16px"><span lang="en"><span><span>    forward only; </span></span></span><br></div><div style="font-size:16px"><span lang="en"><span><span>    forwarders { 10.10.10.10.10;</span></span> <span><span>10.10.10.20;</span></span> <span><span>}; </span></span></span><br></div><div style="font-size:16px"><span lang="en"><span><span>};</span></span><span><span> </span></span></span><br></div><div style="font-size:16px"><br></div><div style="font-size:16px">Bind is  ver. bind-9.16.23</div><div style="font-size:16px"><br></div><div style="font-size:16px"><span lang="en"><span><span>Will configuration #(2) be secure?</span></span></span><br></div><div style="font-size:16px"><span lang="en"><span><span>Is there any risk of security violations compared to configuration #(1)? </span></span></span><br></div><div style="font-size:16px"><br></div><div style="font-size:16px"><span lang="en"><span><span>Thanks,
</span></span></span><br></div><div style="font-size:16px"><span lang="en"><span><span>Kazik</span></span></span><br></div></div></div></span></span><div style="font-size:16px"><br></div>
-- <br>
Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list.<br>
</blockquote></div>