Bind doesn't look up past its own Domains

Kevin Darcy kcd at daimlerchrysler.com
Tue Mar 28 00:24:26 UTC 2006


Sir Galahad wrote:

>Correct.
>
>
>// -------------------
>// OPTIONS
>// -------------------
>
>options {
>        directory "/var/named";
>        dump-file "/var/named/data/cache_dump.db";
>        statistics-file "/var/named/data/named_stats.txt";
>        query-source address * port 53;
>        recursion no;
>};
>
>Doesn't one want to have recursion set to NO to keep others from using your
>DNS server for lookups, or should the restrictions be set elsewhere for that?
>In other words, I want the local network to use the nameservers for lookups,
>but I don't want the outside to.  Restrict by IP?
>
You could do that, via "allow-recursion". That gives a "friendly" 
response to queries outside of your hosted zones, a referral to the 
closest information in the hierarchy that your server knows about. 
Trouble is, it may give out *too much* information for some of the more 
security-minded types -- if the answer to the query is in your cache, it 
will be returned, since no recursion is necessary to fetch it. Allowing 
arbitrary Internet clients to get query answers from your cache could 
theoretically allow them to do forensics on what sites your clients are 
visiting, etc. so it may be undesirable to give access to that data. 
Also, answering from cache may attract some "mooches" who think they can 
use you as a pseudo-resolver (you're likely to have the answer to 
popular queries in your cache at all times).

A more stark approach, to which Mark alluded indirectly, is to use a 
restrictive "allow-query" globally, with liberalized overrides for all 
of the zones you host. So if an external client queries outside of your 
hosted zones they get an unfriendly REFUSED response, instead of 
whatever cached data you might happen to have.

A more sophisticated approach would involve having separate views for 
internal and external clients, with recursion turned off in the external 
view. In that case, queries outside of hosted zones would return an 
"upwards referral" to the root zone. Since this is hardly more useful to 
resolvers than a REFUSED response, the views approach might be overkill 
if all you're trying to do is restrict access. There are other 
architectural reasons why you might want to implement such a 
view-separation though...

- Kevin

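As an added illustration (not part of Kevin's post or the original thread), here is a named.conf fragment that applies the "stark approach" he describes: a restrictive global `allow-query` with a per-zone override for the hosted zone, plus `allow-recursion` limited to the local network. The `internal` ACL, address ranges, zone name and file paths are assumed values.

```conf
// Added example, not from the original post. Address ranges, the zone
// name and the file paths are assumptions; adjust them to the site.

acl internal { 127.0.0.1; 10.0.0.0/8; 192.168.0.0/16; };

options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";

        // Only the local network may use this server as a resolver.
        allow-recursion { internal; };

        // Global default: only the local network may query at all.
        // An external client asking for a name outside the hosted
        // zones gets REFUSED rather than whatever is in the cache,
        // so outsiders cannot read cached answers or use the server
        // as a pseudo-resolver.
        allow-query { internal; };
};

// Hosted zone: liberalized override so anyone may query the
// authoritative data for this zone.
zone "example.com" {
        type master;
        file "/var/named/example.com.zone";
        allow-query { any; };
};
```

The views alternative Kevin mentions would instead place the zones inside `view "internal"` (with `match-clients { internal; };` and recursion enabled) and `view "external"` (with `recursion no;`), so external queries outside hosted zones receive an upward referral to the root. Releases from BIND 9.4 onward also provide `allow-query-cache`, which controls access to cached answers separately from `allow-query`.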