turning off recursion - bind 8.2.5 REL

Len Conrad LConrad at Go2France.com
Sun Dec 23 09:29:19 UTC 2001


At 13:12 2001-12-21 -0800, you wrote:
>I am confused on how recursion works and why it should be turned off for
>security reasons.

A recursive query expects an "answer", and Pee Cee type dumb resolvers 
can't handle anything but an answer.  Recursion requires the queried DNS to 
re-iterate the iterative queries from the roots down to the AUTH NS's, aka 
"navigate the namespace", in order to get the "answer".  Recursive DNS servers do a 
lot of work AND have their cache grow as AUTH answers are returned.  So you 
want to restrict recursive queries to trusted subnets.  In (bind < 9), glue 
fetching made the DNS vulnerable to cache poisoning (turn it off in BIND8 
along with minimized/no recursion; glue-fetching is not available in BIND9).

An iterative query doesn't require an "answer" and the querying resolver 
can handle a "best answer" aka "referral", which is then used to navigate 
the namespace aka "follow delegations" iteratively in search of an "answer" 
(records in the "answer" section of the DNS UDP packet).

Len


http://MenAndMice.com/DNS-training
http://BIND8NT.MEIway.com : ISC BIND 8.2.4 for NT4 & W2K
http://IMGate.MEIway.com  : Build free, hi-perf, anti-abuse mail gateways
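The recursive-versus-iterative distinction Len describes, and the "restrict recursion to trusted subnets" advice, as an added Python model that is not part of the original post or of BIND. The namespace (root, com., example.com. and the www.example.com. record) is constructed for illustration; servers are identified by zone name, so glue is left out; and a non-trusted client receiving a referral to the root is a simplification of what a server with recursion disabled returns, standing in for the "best answer" a stub resolver cannot use.

```python
import ipaddress

# Constructed toy namespace (not real data): each zone lists the child zones it
# delegates and the records it holds itself. Servers are identified by zone
# name, so glue records are deliberately left out of the model.
ZONES = {
    ".":            {"delegations": ["com."],         "records": {}},
    "com.":         {"delegations": ["example.com."], "records": {}},
    "example.com.": {"delegations": [],
                     "records": {"www.example.com.": "192.0.2.10"}},
}


def authoritative_lookup(zone, qname):
    """What a server authoritative for `zone` says about `qname` when asked
    iteratively: a final answer, a referral ("best answer") to a child zone,
    or NXDOMAIN when the name falls in this zone but does not exist."""
    z = ZONES[zone]
    if qname in z["records"]:
        return ("ANSWER", z["records"][qname])
    for child in z["delegations"]:
        if qname == child or qname.endswith("." + child):
            return ("REFERRAL", child)
    return ("NXDOMAIN", None)


def resolve_iteratively(qname, cache):
    """Navigate the namespace: start at the root and follow delegations until
    a server returns something other than a referral. Every final answer is
    stored in `cache`, which is why a recursive server's cache keeps growing."""
    zone, trail = ".", []
    while True:
        kind, data = authoritative_lookup(zone, qname)
        trail.append((zone, kind, data))
        if kind == "REFERRAL":
            zone = data          # follow the delegation one level down
            continue
        if kind == "ANSWER":
            cache[qname] = data
        return kind, data, trail


class Resolver:
    """Simplified model of a name server with an allow-recursion style ACL:
    clients inside the trusted networks get full recursion (the server does the
    namespace walk and caches the result); anyone else gets only what an
    iterative query would get, modelled here as a referral to the root."""

    def __init__(self, allow_recursion):
        self.allow_recursion = [ipaddress.ip_network(n) for n in allow_recursion]
        self.cache = {}

    def recursion_allowed(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in self.allow_recursion)

    def query(self, client_ip, qname):
        if not self.recursion_allowed(client_ip):
            return ("REFERRAL", ".")        # best answer only: no work, no cache growth
        if qname in self.cache:             # a cached answer costs no upstream queries
            return ("ANSWER", self.cache[qname])
        kind, data, _trail = resolve_iteratively(qname, self.cache)
        return (kind, data)


if __name__ == "__main__":
    server = Resolver(allow_recursion=["10.0.0.0/8"])   # constructed trusted subnet
    print(server.query("203.0.113.5", "www.example.com."))  # outsider: referral only
    print(server.query("10.1.2.3", "www.example.com."))     # trusted: full answer
    print(len(server.cache), "entries cached")
```

Running the script shows the outside client getting `('REFERRAL', '.')` while the trusted one gets the address, and that only the trusted query made the server walk the namespace and grow its cache, which is the cost and exposure the post says you should limit to trusted subnets.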
