named.conf setup for ISP

Kevin Darcy kcd at daimlerchrysler.com
Tue Oct 31 22:37:01 UTC 2000


You shouldn't turn off recursion *globally*, i.e. "recursion no", if
your server is being used by internal clients to resolve Internet names.
But you can turn off recursion *selectively* by address range. See
"allow-recursion" in the documentation. On my external nameservers, for
example, I only allow recursion for extranet clients (I have no
requirement for internal clients to be able to resolve Internet names).

Another option to consider is having separate machines for the two
different functions -- one of which has recursion turned off completely
and is only for answering external queries, and the other one allowing
recursion, for the benefit of your internal clients, but not even
answering external queries. The non-recursive server shouldn't need
nearly as much memory as the recursive one, since it won't be caching
anything.


- Kevin

jim wrote:

> Hi,
>
> I work for a small ISP. We have a DNS server running Bind 8.2.2 P5 on
> Windows NT 4.0. We host about 500 domain names for our customers.
> I would like to make our DNS server as secure as possible, but still
> need to provide the necessary DNS service for our customers.
> I can use the allow-transfer option to allow only certain clients'
> DNS slave servers to do zone transfers.
> What if we just want to allow only our customers to query our DNS
> server, but not outside users; can it be done? Is there a way to set up
> limitations on client queries or server queries?
> Because we are hosting some domain names here, we still need to let
> other DNS servers query us, right?
> I heard some people suggest that we should not allow "recursive
> query"; is that possible? If we don't allow any "recursive query"
> (even for our own customers), is it possible? How can our customers find
> the information they need if our DNS won't find it for them?
>
> Thanks!
>
> Jim
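
As an added illustration of the two approaches Kevin describes (not configuration from either message), here is a named.conf fragment in BIND 8/9 syntax. The first part keeps recursion on but restricts it with "allow-recursion" to named customer ranges; the second part is the config for the separate, purely authoritative machine in the two-server design. All address ranges and zone/file names are placeholders.

```conf
// ---- Option 1: one server, recursion restricted by address range ----
// Added example, not from the original thread. Addresses are placeholders.

// Name the ranges that are allowed to use this server as a resolver.
acl "customers" {
    192.0.2.0/24;        // placeholder: customer access pool
    198.51.100.0/24;     // placeholder: second customer range
    127.0.0.1;           // the server itself
};

options {
    directory "/var/named";

    // Recursion stays on, so customers can still resolve Internet names...
    recursion yes;
    // ...but only from the listed ranges. Other clients are treated as
    // non-recursive: they get our authoritative data, not a full lookup.
    allow-recursion { "customers"; };

    // Anyone may ask about the zones we host; authoritative service for
    // the customers' domains requires answering the whole Internet.
    allow-query { any; };

    // No zone transfers by default; each zone names its own slaves.
    allow-transfer { none; };
};

// A hosted zone: queryable by all, transferable only to its slave.
zone "example.com" {
    type master;
    file "master/example.com.db";
    allow-transfer { 203.0.113.53; };   // placeholder: customer's slave
};

// ---- Option 2: the external-only machine in a two-server split ----
// Kevin's second suggestion: this box answers only for hosted zones and
// never recurses, so it builds no cache and needs far less memory. The
// internal resolver is a second, separate machine that recurses only for
// "customers" and is not reachable from outside.
//
// options {
//     directory "/var/named";
//     recursion no;                 // global off is fine here: no resolver role
//     allow-query { any; };
//     allow-transfer { none; };
// };
```

The "allow-recursion" ACL and the split design are not exclusive: the internal resolver in the second layout should still carry an "allow-recursion" list so that it is not an open resolver for anyone who can reach it.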
