recursion

Kevin Darcy kcd at daimlerchrysler.com
Thu Nov 14 16:38:27 UTC 2002


Glenn Vidad wrote:

> Is the log file the only place to look at to see if allow-recursion is
> working?

You can check the setting of the RA (Recursion Available) bit in the responses
coming from your nameserver. You'll have to use the "debug" setting of
nslookup, or a real troubleshooting tool like dig, to see the setting of that
bit.

You could also try querying something that you *know* isn't in your
nameserver's cache. Resource records that are in the nameserver's cache will be
answered regardless of whether recursion is in effect or not (since the
nameserver doesn't actually have to recurse to get the answer), so things that
are *not* in the nameserver's cache are a truer test of whether recursion
restrictions are working correctly or not. By the way, because of this "answer
from cache instead of recursing" quirk, many folks opt to completely segregate
their DNS infrastructure between recursive and non-recursive service.


- Kevin
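
The RA-bit check described in the message above, as an added Python example that is not part of the original post: it builds a query with RD set and classifies a response by its RA bit, RCODE and answer count, including the "answered from cache" case. The function names and the sample responses are constructed for illustration.

```python
import socket
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080  # header flag bits (RFC 1035)
REFUSED = 5                                      # RCODE 5

def build_query(name, qtype=1, txid=0x1234):
    """Build a query with RD set, i.e. one that asks the server to recurse."""
    header = struct.pack("!6H", txid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!2H", qtype, 1)  # qtype A, class IN

def recursion_verdict(response):
    """Classify a response by its RA bit, RCODE and answer count."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _, flags, _, ancount, _, _ = struct.unpack("!6H", response[:12])
    if not (flags & QR):
        raise ValueError("not a response")
    if flags & RA:
        return "recursion available"
    if (flags & 0x000F) == REFUSED:
        return "recursion denied: REFUSED"
    if ancount and not (flags & AA):
        # RA is clear but an answer came back anyway: served from cache.
        return "recursion denied, but answered from cache"
    if ancount:
        return "recursion denied: authoritative answer"
    return "recursion denied: referral or empty answer"

def ask(server, name, timeout=3.0):
    """Send the query over UDP and classify the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return recursion_verdict(s.recv(4096))

def sample(flags, ancount=0):
    """Constructed header-only response, for offline demonstration."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)

if __name__ == "__main__":
    cases = [(QR | RD | RA, 1), (QR | RD | REFUSED, 0), (QR | RD, 1), (QR | RD, 0)]
    for flags, an in cases:
        print(hex(flags), an, "->", recursion_verdict(sample(flags, an)))
```

Run `ask()` from a client address that should be denied and again from one that should be allowed, using a name unlikely to be cached, and compare the two verdicts.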



