Recursion question
Kevin Darcy
kcd at daimlerchrysler.com
Fri Oct 6 20:46:37 UTC 2006
Steve Ingraham wrote:
> I have a question concerning my name servers. In doing a check of my
> DNS configuration I ran a DNS report from www.dnsreport.com
> <http://www.dnsreport.com/> .
>
> One of the failures the report noted on our NS records is that our
> domain failed the open DNS server test. Is this a critical issue I
> should resolve? What problems should I be aware of with this issue?
>
> I have read where I should set:
>
> Options {
> recursion=no;
That should be "recursion no". No equals-sign.
> };
>
> in the named.conf file. Is that all I need to do to correct this
> problem?
>
Perhaps you should ask the dnsreport.com folks that question.
Note that if you set "recursion no", your clients won't be able to use
that instance (or that view) for resolving Internet names any more.
They'd need to use some other instance or some other view.
You can get more fine-grained behavior by using allow-recursion instead
of "recursion no". You could, for instance, allow your own clients to
recurse, but not anyone else's. The downside of this is that data in
your cache would still be available to external clients, since no
recursion is necessary to answer with data from cache. To tighten things
up further, then, it was necessary in the past to nail things down via
allow-query rather than allow-recursion, so that only your clients can
query anything outside of your own authoritative zones. This was rather
cumbersome, though, since it required an explicit "allow-query" on every
authoritative-zone definition, so as of 9.4, ISC implemented the
following feature:
    New option "allow-query-cache". This lets allow-query be
    used to specify the default zone access level rather than
    having to have every zone override the global value.
    allow-query-cache can be set at both the options and view
    levels. If allow-query-cache is not set allow-query applies.
I haven't played with that yet though.
> Two other failures have me concerned. One states I have a "Missing
> Stealth Server". Another states that there is a "Stealth NS record
> leakage". Can someone explain what these two failures are about and
> what I need to do to correct them?
>
I'm not sure what they're getting at either -- how would they even know
about "stealth" servers, and why would they care? Perhaps you should ask
them for clarifications.
- Kevin
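To make the allow-recursion / allow-query-cache arrangement described in the reply above concrete, here is a named.conf fragment showing the open-resolver setting beside the restricted one. It is an added example, not from the original post and not ISC's own configuration; the ACL name "internal", the address ranges, the zone name example.com, the directory and the zone file name are placeholders to be replaced with your own.

```conf
// Added example, not part of the original thread. Names and addresses are
// placeholders: adjust "internal" to the prefixes your own clients use.

// BEFORE (open resolver): recursion is on and nothing restricts who may use
// it, so any host on the Internet can recurse through this server and can
// also read whatever the cache already holds.
//
// options {
//     recursion yes;
// };

// AFTER: keep recursion for your own clients only, and restrict cache reads
// to the same ACL so cached data is not handed to outsiders either.
// Authoritative zones stay world-readable because allow-query is "any".
acl "internal" {
    127.0.0.1;
    10.0.0.0/8;        // assumed internal range
    192.168.0.0/16;    // assumed internal range
};

options {
    directory "/var/named";           // assumed path
    recursion yes;
    allow-recursion   { internal; };  // who may ask this server to recurse
    allow-query-cache { internal; };  // who may read answers already in cache (BIND 9.4 and later)
    allow-query       { any; };       // default for zones: anyone may query authoritative data
};

zone "example.com" {                  // placeholder zone name
    type master;
    file "example.com.zone";          // assumed file name
};
```

Setting allow-recursion and allow-query-cache to the same ACL is what closes the gap mentioned above, where an outsider denied recursion could still be answered from cache. On a BIND older than 9.4 the allow-query-cache option is not recognised and named-checkconf will reject the file; there the choice is the older arrangement of a restricted allow-query in options plus an explicit allow-query { any; } on each authoritative zone. To check the result from a host outside the "internal" ranges, query the server for a name it is not authoritative for (for example, dig @ns.example.com www.isc.org); it should be refused rather than answered.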