Turned recursion off and now lookups not working
Kevin Darcy
kcd at daimlerchrysler.com
Wed Oct 11 00:12:14 UTC 2006
wisptech at gmail.com wrote:
> I turned off recursive lookups in my bind server as recommended but now
> it will not resolve any domains (i.e. google.com) for clients. Any help
> appreciated. Below is my named.conf...
>
> options {
>     directory "/var/named";
>     dump-file "/var/named/data/cache_dump.db";
>     statistics-file "/var/named/data/named_stats.txt";
>     recursion no;
> };
>
> controls {
>     inet 127.0.0.1 allow { localhost; } keys { rndckey; };
> };
>
> zone "." IN {
>     type hint;
>     file "named.ca";
> };
>
> zone "localhost" IN {
>     type master;
>     file "localhost.zone";
>     allow-update { none; };
> };
>
> zone "0.0.127.in-addr.arpa" IN {
>     type master;
>     file "named.local";
>     allow-update { none; };
> };
>
> zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
>     type master;
>     file "named.ip6.local";
>     allow-update { none; };
> };
>
> zone "255.in-addr.arpa" IN {
>     type master;
>     file "named.broadcast";
>     allow-update { none; };
> };
>
> zone "0.in-addr.arpa" IN {
>     type master;
>     file "named.zero";
>     allow-update { none; };
> };
>
> include "/etc/rndc.key";
>
>
> << Zone definitions after this point >>
It's only the *external* clients you don't want to recurse for. You still may need to recurse for your *internal* clients, unless they don't require resolvability of Internet names (e.g. if everything is behind application-level proxies), or, alternatively, you intend to host the whole Internet DNS namespace on your computer (biiiiiig box).
Options: run separate boxes for hosting versus recursion, separate BIND
instances on the same box, separate "view"s within the same instance, or
control queries and/or recursion via allow-query and/or allow-recursion.
Note that BIND 9.4.0 just came out with an "allow-query-cache" option,
which makes allow-recursion a little more palatable -- previously, since
answers from the cache do not require recursion, this data was available
to external clients regardless of the allow-recursion settings, which
was arguably "information leakage" that might not make one's security
administrators/auditors very happy.
There was recently a thread here on a very similar topic. See the posts
with the subject line "recursion question" at
http://marc.theaimsgroup.com/?l=bind-users&w=2&r=1&s=recursion+question&q=b
- Kevin
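The "views" option Kevin lists, written out as an added example (this is not the poster's named.conf and not something Kevin provided): one BIND instance that recurses and answers from cache only for internal clients, while everyone else gets authoritative answers only. The address ranges in the "internal" ACL and the "example.com" zone are assumptions standing in for the poster's own networks and the zones elided after "<< Zone definitions after this point >>". allow-query-cache needs BIND 9.4.0 or later, as noted above; on older versions drop those lines and accept the cache leakage Kevin describes.

```conf
// Added example, not the original poster's configuration.
// Split recursion by source address: "internal" clients may recurse and
// read the cache, everyone else only sees zones this server is
// authoritative for. Ranges below are assumed; substitute your own.

acl "internal" {
    127.0.0.1;
    10.0.0.0/8;          // assumed internal range
    192.168.0.0/16;      // assumed internal range
};

options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    // Deny by default; the "internal" view re-enables recursion
    // and cache access only for the ACL above.
    allow-recursion { none; };
    allow-query-cache { none; };   // BIND 9.4.0+
};

controls {
    inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

include "/etc/rndc.key";

// Once any view is declared, every zone must live inside a view.
view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-recursion { internal; };
    allow-query-cache { internal; };   // BIND 9.4.0+

    // Root hints are only needed where recursion happens.
    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
    };

    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
    };

    // Assumed authoritative zone; repeat each zone you host here
    // so internal clients still get authoritative answers for it.
    zone "example.com" IN {
        type master;
        file "example.com.zone";
        allow-update { none; };
    };
};

// Matches everyone the first view did not: no recursion, no hints,
// no cache, only the zones you publish.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query-cache { none; };   // BIND 9.4.0+

    zone "example.com" IN {
        type master;
        file "example.com.zone";
        allow-update { none; };
    };
};
```

Run named-checkconf against the file before reloading. To confirm the split, query the server for a name outside your own zones (for example "dig @your-server google.com A") once from an internal address and once from outside: the internal query should resolve, the external one should come back REFUSED rather than answered from cache, and the "ra" flag should be absent from the external response.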