BIND slow to start without localhost name resolution
Mark Andrews
Mark_Andrews at isc.org
Thu Mar 27 22:03:11 UTC 2008
> I have a CentOS3 server running BIND 9.4.2 acting as an authoritative name
> server for a domain. It was also performing recursive lookups for other
> machines in the same subnet, but this is no longer desirable as I was
> informed that external machines can still use its name cache even if
> they're not on the allow-recursion ACL (they just can't initiate new
> name lookups) so long as recursive lookups are allowed for more machines
> than none, and as this machine is not exactly a resource beast I would
> rather disable recursive lookups.

I suspect you are misinformed. Allow-query-cache and
allow-recursion cross inherit from each other.

If you have an older version of named you can still achieve
the desired behaviour by setting allow-query at the
options/view level to the value of the allow-recursion acl
and then set allow-query acl to "any;" in all of the zones.
Allow-query-cache was introduced in BIND 9.4 to make this
easier.

So either you are not running the version you say you are
or you have also set allow-query-cache to allow non-recursors
to access the cache.

Mark

> Problem is, once all this is done I then remove 0.0.0.0 from the
> resolv.conf file and now when the BIND daemon starts rather than being
> almost instant it can sit from 5-15 minutes before firing up.
>
> Should I be setting allow-recursion { none; }; and then leaving 0.0.0.0
> in the resolv.conf file? If so, why does BIND require this for a speedy
> start-up? As the machine never needs to resolve names within its own
> domain, I'd like it to bypass itself.
>
> Paul Cocker
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
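
The two configurations described in the reply above, written out as named.conf fragments. This is an added example, not part of the original post; the ACL name "trusted", the 192.0.2.0/24 network, and the example.com zone and file name are constructed placeholders.

```conf
// Constructed ACL: the clients that may recurse and read the cache.
acl "trusted" {
    localhost;
    192.0.2.0/24;
};

// ---- Variant A: BIND 9.4 and later ----
// allow-query-cache controls who may get answers from the cache.
// If only one of allow-recursion / allow-query-cache is set, the other
// inherits its value; both are spelled out here so the intent is explicit.
options {
    recursion yes;
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // Zone-level allow-query is left at its default: authoritative
    // data stays answerable by anyone.
};

// ---- Variant B: named older than 9.4 (use INSTEAD of variant A) ----
// There is no allow-query-cache, so allow-query at the options/view
// level is set to the same ACL as allow-recursion, and every
// authoritative zone is reopened with allow-query { any; }.
options {
    recursion yes;
    allow-recursion { trusted; };
    allow-query     { trusted; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };   // must be repeated in each zone
};
```

The two variants are alternatives, so only one options block goes into a real file; run named-checkconf on the result before restarting named.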