Turning off recusion

Kevin Darcy kcd at daimlerchrysler.com
Thu Oct 19 22:39:04 UTC 2006 

churchers at gmail.com wrote:
> We have 3 nameservers which are now authorative for about 1000 domain
> names and have,
> unfortunately, been historically used as general purpose resolvers.
>
> I would like to turn off recusion but if I do, they start reporting any
> domain name they don't run dns
> for as being non-existant.
>
> --
> pegasus# ping www.google.com
> ping: cannot resolve www.google.com: No address associated with name
> --
>
> Shouldn't they be referring the lookup to parent nameservers or am I
> missing something?
>
> I don't want to break the ability for the server itself to be able to
> resolve hosts. If this means
> leaving recusion on, then i'll have to leave it as it is.
>   
We get this question quite a lot. No-one should be turning off recursion 
unless they understand the ramifications. Recursion is *necessary* for 
your clients to be able to resolve things in zones you don't control, 
e.g. Internet names. Recursion is *unnecessary* for serving up zones to 
external/untrusted clients, and in fact it is recommended that recursion 
be disabled for such clients. So in order to follow that recommendation, 
you need to either
a) run the resolving part on separate hardware from the hosting part
b) run the respective functions within different instances on the same 
hardware (i.e. different instances of BIND configured with different, 
non-conflicting "listen-on" statements) listening on separate 
addresses/interfaces,
c) run separate "view"s (recursion-enabled versus recursion-disabled) 
within the same BIND instance
d) use some combination of allow-recursion/allow-query/allow-query-cache 
within the same instance and view, in order to allow your clients to 
recurse while at the same denying recursion to external/untrusted 
clients. Allow-query-cache is a recent addition to that list, existing 
so far only BIND 9.4, that, by controlling access to cached answers 
(which cannot be controlled by allow-recursion since no recursion is 
necessary to fetch them) relieves the administrator of the burden of 
defining a general allow-query which blocks all external clients, and 
then overriding that for each and every hosted zone.

                                                                         
                           - Kevin

More information about the bind-users mailing list