Turning off recursion
Kevin Darcy
kcd at daimlerchrysler.com
Thu Oct 19 22:39:04 UTC 2006
churchers at gmail.com wrote:
> We have 3 nameservers which are now authoritative for about 1000 domain
> names and have, unfortunately, been historically used as general purpose
> resolvers.
>
> I would like to turn off recursion but if I do, they start reporting any
> domain name they don't run DNS for as being non-existent.
>
> --
> pegasus# ping www.google.com
> ping: cannot resolve www.google.com: No address associated with name
> --
>
> Shouldn't they be referring the lookup to parent nameservers or am I
> missing something?
>
> I don't want to break the ability for the server itself to be able to
> resolve hosts. If this means leaving recursion on, then I'll have to leave
> it as it is.
>
We get this question quite a lot. No-one should be turning off recursion
unless they understand the ramifications. Recursion is *necessary* for
your clients to be able to resolve things in zones you don't control,
e.g. Internet names. Recursion is *unnecessary* for serving up zones to
external/untrusted clients, and in fact it is recommended that recursion
be disabled for such clients. So in order to follow that recommendation,
you need to either

a) run the resolving part on separate hardware from the hosting part,

b) run the respective functions within different instances on the same
hardware (i.e. different instances of BIND configured with different,
non-conflicting "listen-on" statements) listening on separate
addresses/interfaces,

c) run separate "view"s (recursion-enabled versus recursion-disabled)
within the same BIND instance, or

d) use some combination of allow-recursion/allow-query/allow-query-cache
within the same instance and view, in order to allow your clients to
recurse while at the same time denying recursion to external/untrusted
clients.

Allow-query-cache is a recent addition to that list, existing so far only
in BIND 9.4, that, by controlling access to cached answers (which cannot
be controlled by allow-recursion since no recursion is necessary to fetch
them), relieves the administrator of the burden of defining a general
allow-query which blocks all external clients and then overriding that
for each and every hosted zone.
- Kevin
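As an added example, not part of Kevin's reply or of BIND's own documentation, here is what options c) and d) above look like in named.conf for BIND 9.4 or later; the "trusted" ACL ranges, the zone name example.com and the file paths are assumed.

```conf
// Option d): one instance, one view. Hosted zones answer everyone,
// recursion and cached answers are served only to our own clients.
acl "trusted" { 127.0.0.1; 192.0.2.0/24; };   // assumed client ranges (constructed)

options {
    directory "/var/named";                    // assumed path

    // Weak setting (open resolver): recursion for anyone who asks.
    //   recursion yes;
    //   allow-recursion { any; };

    // Corrected: keep recursion on so local clients still resolve
    // Internet names, but refuse it to untrusted clients. Without
    // allow-query-cache, an outsider could still read answers already
    // cached on behalf of trusted clients.
    recursion yes;
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };   // BIND 9.4+
    allow-query       { any; };       // no per-zone override needed
};

zone "example.com" {                   // assumed hosted zone
    type master;
    file "example.com.zone";
};

// Option c), as an alternative to the options{} block above: two views
// in the same instance. Once views are used, every zone must live inside
// a view, so the hosted zone is declared in both.
//
// view "internal" {
//     match-clients { trusted; };
//     recursion yes;
//     zone "example.com" { type master; file "example.com.zone"; };
// };
// view "external" {
//     match-clients { any; };
//     recursion no;
//     zone "example.com" { type master; file "example.com.zone"; };
// };
```

With either layout, a query from an untrusted address for a name the server does not host is refused rather than answered, while lookups for example.com still succeed from anywhere.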