secondary not returning external addresses or returning root servers

Fri Feb 10 22:24:10 UTC 2006

rsesnaski at yahoo.com wrote:

>Just a quick note in case someone picks up the this problem via a
>google.
>I just tracked down a problem where my secondary was returning data
>on the local domain but not any external addresses. From a windows box
>it returned a list of the root servers.
>
>I tracked it down to a "recursion no;" statement which now makes senses
>but there are a few docs out there that list an example secondary with
>"recursion no;" in the example. Not fully sure of the implications as I
>still need to read more but commenting that out allowed external
>look ups.
>
The prevailing recommendation is to segregate your *resolving* service 
(which is used by your own clients and for which recursion is necessary 
and turned on) from your *hosting* service (used by Internet clients, 
for which recursion is unnecessary and turned off). If you allow 
arbitrary Internet clients to recurse, then you can find they are 
"lunching" off you, DoS'ing you, trying to poison your cache, etc., but 
yet you need to allow those same Internet clients to resolve the domains 
you host, hence the segregation. You can implement this segregation with 
separate boxes, separate instances on the same box, listening to 
different interfaces, or by separate views (which are typically 
configured to differentiate by the source of the client) within the same 
instance.

If you really *must* use the same instance, without views, for both 
hosting and resolving, then at least you can use "allow-recursion" to 
provide some fine-grained control over who can recurse and who can't, 
and/or "allow-query" in a default/selective-override mode, which more 
forcefully determines who can query what, including stuff that doesn't 
require recursion, like cached answers, information which miscreants 
could otherwise use to track your users' surfing habits or whatnot.

                                             - Kevin