Recursion Off
Kevin Darcy
kcd at daimlerchrysler.com
Wed Nov 24 21:57:58 UTC 2004
David wrote:
>Currently our DNS allows recursive queries from all users. We would
>like to tighten up our security and limit the public use of our DNS.
>
>Our current DNS uses views to allow "internal" users access to our
>machines and those on the Internet and to resolve "external" queries
>from the public to our machines.
>
>By turning off recursion in our "external" view, will this completely
>restrict "external" users from abusing our DNS with queries that we
>are not the authoritative source for? Does the cache need to be
>cleared and disabled? What will our DNS response be when a recursive
>query is made for which we are not the authoritative source?
>
Declining recursion for a particular client means just that: that the
nameserver (resolver, actually) won't perform recursion for that client.
In and of itself, however, it doesn't prevent named from responding with
data for which it doesn't need to recurse, i.e. data from authoritative
zones, or data from the cache. To prevent access to the cached data, you
either need to:
a) set allow-query restrictions, e.g. a global restriction that only
allows your internal clients to query, overridden by allow-query { any;
}; for each authoritative zone you serve, (note that allow-query will
cause a REFUSED response to be returned for declined queries, rather
than the "upward referral" you specified in your message), or
b) you need to separate your authoritative nameserving function from
your recursive-resolver function. You can achieve this separation by
running those on separate nameserver instances, or if you don't have
enough nameserver instances to accomplish that, with separate "view"s on
the same nameserver instance(s). See the BIND 9 documentation for
information on "view"s.
- Kevin
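As an added illustration of Kevin's two options (this is example configuration written for this page, not text from his message or from the BIND distribution), the named.conf sketch below puts the authoritative-only service in an "external" view with recursion off and a default allow-query of none, and opens each authoritative zone individually, while the "internal" view keeps recursion and cache access for internal clients only. The zone name example.com, the address ranges in the "internal" ACL and the file paths are placeholders.

```conf
// Example named.conf (BIND 9). Placeholders: example.com, the address
// ranges below and the zone file paths are not from the original thread.

acl "internal" { 127.0.0.0/8; 10.0.0.0/8; 192.168.0.0/16; };

options {
    directory "/var/named";
};

// Option (b): a separate view for internal clients. Each view has its own
// cache, so nothing resolved here is visible to the external view.
view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-recursion { internal; };
    allow-query { internal; };        // cache answers only for our own clients

    zone "." {
        type hint;
        file "named.root";
    };

    zone "example.com" {
        type master;
        file "internal/example.com.zone";
    };
};

// Authoritative-only view for everyone else: recursion off, and
// option (a) in miniature: deny queries by default (REFUSED), then
// override per zone so authoritative data is still served.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { none; };

    zone "example.com" {
        type master;
        file "external/example.com.zone";
        allow-query { any; };         // zone-level setting overrides the view
    };
};
```

After loading this, run named-checkconf to validate the syntax, then confirm the split from an outside address with dig: a query for a name in example.com should be answered, and a query for any other domain should come back REFUSED rather than with data from a cache. Without views, the same pattern applies with the allow-query { internal; } line in options and allow-query { any; } on each authoritative zone.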