Turned recursion off and now lookups not working
Steve Ingraham
singraham at okcca.net
Wed Oct 11 13:27:57 UTC 2006
Kevin Darcey wrote:
>It's only the *external* clients you don't want to recurse for. You still
>may need to recurse for your *internal* clients, unless they don't
>require resolvability of Internet names (e.g. if everything is behind
>application-level proxies), or, alternatively, you intend to host the
>whole Internet DNS namespace on your computer (biiiiiig box).
>Options: run separate boxes for hosting versus recursion, separate BIND
>instances on the same box, separate "view"s within the same instance, or
>control queries and/or recursion via allow-query and/or allow-recursion.
>Note that BIND 9.4.0 just came out with an "allow-query-cache" option,
>which makes allow-recursion a little more palatable -- previously, since
>answers from the cache do not require recursion, this data was available
>to external clients regardless of the allow-recursion settings, which
>was arguably "information leakage" that might not make one's security
>administrators/auditors very happy.
>There was recently a thread here on a very similar topic. See the posts
>with the subject line "recursion question" at
>http://marc.theaimsgroup.com/?l=bind-users&w=2&r=1&s=recursion+question&q=b
I am the person who originated that original question you are referring
to. I am still somewhat fuzzy on the recursion thing. I have set up
the named.conf file with the option line also:
{
    recursion no;
};
I have not seen any problems with user access to the internet. I do
have an internal DNS server inside the firewall running Windows 2000 as
an internal DNS server. In my ignorance of many of the issues
associated with DNS I have concluded that this internal DNS is allowing
our client machines to resolve names. Is this a correct assumption on
my part?
Steve
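The single-instance options listed in the quoted reply, sketched as a named.conf fragment. This is an added example, not configuration from either poster; the ACL name, the 192.0.2.0/24 range, the zone name and the file name are assumed placeholders.

```conf
// Constructed example. Use ONE of the two alternatives below: once any
// view is defined, every zone statement must live inside a view.

acl "internal" {
    127.0.0.1;
    192.0.2.0/24;              // placeholder for the internal client network
};

// ---- Alternative 1: restrict recursion and cache access by ACL ----
options {
    recursion yes;
    allow-recursion   { "internal"; };  // only internal clients may recurse
    allow-query-cache { "internal"; };  // BIND 9.4.0+: cached answers are
                                        // withheld from external clients too
};

zone "example.com" {
    type master;
    file "db.example.com";
    allow-query { any; };      // authoritative data remains publicly queryable
};

// ---- Alternative 2: separate views within the same instance ----
// view "internal" {
//     match-clients { "internal"; };
//     recursion yes;          // internal clients can resolve Internet names
//     zone "example.com" { type master; file "db.example.com"; };
// };
//
// view "external" {
//     match-clients { any; }; // everyone who did not match "internal"
//     recursion no;           // authoritative answers only
//     zone "example.com" { type master; file "db.example.com"; };
// };
```

Views are matched in the order they appear, so the "internal" view has to come before the catch-all "external" view.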