Turning off recursion

Dixon, Justin Justin.Dixon at BBandT.com
Thu Oct 19 18:35:26 UTC 2006


> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On Behalf Of churchers at gmail.com
> Sent: Thursday, October 19, 2006 12:16
> To: comp-protocols-dns-bind at isc.org
> Subject: Turning off recursion
> 
> We have 3 nameservers which are now authoritative for about 1000 domain
> names and have, unfortunately, been historically used as general purpose
> resolvers.
> 
> I would like to turn off recursion but if I do, they start reporting any
> domain name they don't run dns for as being non-existent.
> 
> --
> pegasus# ping www.google.com
> ping: cannot resolve www.google.com: No address associated with name
> --
> 
> Shouldn't they be referring the lookup to parent nameservers or am I
> missing something?
> 
> I don't want to break the ability for the server itself to be able to
> resolve hosts. If this means leaving recursion on, then I'll have to
> leave it as it is.
> 
> 

You will have to leave recursion enabled or implement views that only
allow certain hosts/networks to use recursion if you want to continue to
resolve domains that you are not authoritative for.

Views or separate servers for recursing clients would be my suggestion
so you are less vulnerable to a cache poisoning attack.
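
An added example, not part of the original message and not taken from the poster's servers: a named.conf sketch of the views approach suggested above, with recursion limited to the server itself and one trusted network. The network 192.0.2.0/24, the zone example.com, the ACL and view names, and the file paths are placeholder assumptions.

```conf
// Constructed example: networks, zone names and file paths are placeholders.

acl "trusted" {
    localhost;       // built-in ACL: the server's own addresses, so local lookups keep working
    192.0.2.0/24;    // assumed internal client network that may still use recursion
};

// Clients in "trusted" get recursion plus the authoritative data.
view "internal" {
    match-clients { "trusted"; };
    recursion yes;
    allow-recursion { "trusted"; };

    // Root hints are needed in any view that recurses.
    zone "." {
        type hint;
        file "named.root";
    };

    zone "example.com" {
        type master;
        file "master/example.com.db";
    };
};

// Everyone else gets authoritative answers only, with no access to a cache.
view "external" {
    match-clients { any; };
    recursion no;

    // Once views are used, every zone must live inside a view,
    // so each hosted zone is declared in both.
    zone "example.com" {
        type master;
        file "master/example.com.db";
    };
};
```

Views are matched in order, so "internal" must come before the catch-all "external" view. For the server's own lookups to land in the internal view, its resolver configuration has to query one of its own addresses, such as 127.0.0.1.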


