recursive queries?

Kevin Darcy kcd at daimlerchrysler.com
Mon Nov 11 20:11:59 UTC 2002


"Tom K." wrote:

> hi,
>
> i'm seeking advice how much i should open up the allow-recursion in the
> boot file of my dns. of course for my whole ip-range. anything else?
> i'm asking this because i have quite a few of "denied recursion for query"
> entries in the logfile which are not from my ip-range.

This is probably because of external aliases. If you have a CNAME pointing to
a name in a zone you don't control, then when you get a query for that name,
named will internally "attempt" to fetch the data for the CNAME target, but
when it realizes that it would have to recurse to get the data, it logs it as
an unsuccessful recursion attempt.

Also, I think there are some broken/lazy resolvers out there which will
automatically send a query for the CNAME target to the same place they just
got the CNAME, regardless of whether they have any reason to believe the server
is authoritative for that data. This might be a misguided attempt at
optimization: I say "misguided" because if the responding server was
authoritative for the CNAME target, it probably would have returned it in the
original response (and the percentage of cases where this would push the
response over the 512-byte UDP limit is undoubtedly very low).


- Kevin
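
One way to check the explanation above against your own log, as an added example that is not part of the original post or of BIND: the script sorts "denied recursion for query" entries into clients inside your own range, queries for names that are targets of CNAMEs pointing outside your zones, and everything else. The log line layout, the function names and all sample addresses and names are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed log layout; adjust the pattern to what your named actually writes.
DENIED = re.compile(
    r"denied recursion for query from \[(?P<ip>[^\]]+)\]\S* for (?P<name>\S+)")

def norm(name):
    return name.rstrip(".").lower()

def external_cname_targets(cnames, own_zones):
    # CNAME targets that fall outside every zone this server hosts.
    zones = [norm(z) for z in own_zones]
    return {norm(t) for _owner, t in cnames
            if not any(norm(t) == z or norm(t).endswith("." + z) for z in zones)}

def classify(lines, own_nets, targets):
    nets = [ipaddress.ip_network(n) for n in own_nets]
    counts = Counter()
    for line in lines:
        m = DENIED.search(line)
        if not m:
            continue  # not a denied-recursion entry
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            counts["unparsed"] += 1
            continue
        if any(ip in n for n in nets):
            counts["own-range"] += 1  # a client allow-recursion should cover
        elif norm(m.group("name")) in targets:
            counts["external-cname-target"] += 1  # the alias case described above
        else:
            counts["other-external"] += 1
    return counts

# Constructed sample data (documentation address ranges and names).
OWN_NETS = ["192.0.2.0/24"]
OWN_ZONES = ["example.com"]
CNAMES = [("www.example.com.", "host.example.net."),
          ("ftp.example.com.", "files.example.com.")]
SAMPLE_LOG = [
    "denied recursion for query from [198.51.100.7].3345 for host.example.net",
    "denied recursion for query from [203.0.113.9].1027 for www.example.org",
    "denied recursion for query from [192.0.2.44].1055 for www.example.org",
    "zone example.com/IN: loaded serial 2002111101",
]
if __name__ == "__main__":
    print(classify(SAMPLE_LOG, OWN_NETS, external_cname_targets(CNAMES, OWN_ZONES)))
```

A non-zero "own-range" count means allow-recursion is missing part of your own address space; entries in the other two buckets are not a reason to widen it.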




