Turned recursion off and now lookups not working
Fran Loehmann
fran at ft.necoxmail.com
Wed Jan 31 17:52:32 UTC 2007
On Wed, 11 Oct 2006, Kevin Darcy wrote:
> Steve Ingraham wrote:
> > Kevin Darcey wrote:
> >
> >> It's only the *external* clients you don't want to recurse for. You
> >>
> > still >may need to recurse for your *internal* clients, unless they
> > don't require >resolvability of Internet names (e.g. if everything is
> > behind application->level proxies), or, alternatively, you intend to
> > host the whole Internet >DNS namespace on your computer (biiiiiig box).
> >
> >
> >> Options: run separate boxes for hosting versus recursion, separate BIND
> >>
> >
> >
> >> instances on the same box, separate "view"s within the same instance,
> >>
> > or
> >
> >> control queries and/or recursion via allow-query and/or
> >>
> > allow-recursion.
> >
> >> Note that BIND 9.4.0 just came out with an "allow-query-cache" option,
> >> which makes allow-recursion a little more palatable -- previously,
> >>
> > since
> >
> >> answers from the cache do not require recursion, this data was
> >>
> > available
> >
> >> to external clients regardless of the allow-recursion settings, which
> >> was arguably "information leakage" that might not make one's security
> >> administrators/auditors very happy.
> >>
> >
> >
> >> There was recently a thread here on a very similar topic. See the posts
> >>
> >
> >
> >> with the subject line "recursion question" at
> >> http://marc.theaimsgroup.com/?l=bind-users&w=2&r=1&s=recursion+question
> >>
> > &q=b
> >
> >
> > I am the person who originated that original question you are referring
> > to. I am still somewhat fuzzy on the recursion thing. I have set up
> > the named.conf file with the option line also:
> >
> > {
> > recursion no;
> > };
> >
> > I have not seen any problems with user access to the internet. I do
> > have an internal DNS server inside the firewall running Windows 2000 as
> > an internal DNS server. In my ignorance of much of the issues
> > associated with DNS I have concluded that this internal DNS is allowing
> > our client machines to resolve names. Is this a correct assumption on
> > my part?
> >
> Think of "recursion no" as an evil shrink ray that turns your mighty
> superhero resolver into a meek little non-recursive nameserver,
> basically little more than a specialized database server. Once
> diminished like that, it can *only* answer from its own authoritative
> data (i.e. data in zones that are defined as type master or type slave),
> and won't lift a finger to query other nameservers on a client's behalf.
> But, at least with its recursive capabilities wing-clipped, its
> query-answering powers can only be used for good :-)
>
> If a nameserver has "recursion no", therefore, I think reasonable to
> conclude that the internal stub resolvers (e.g. end-user clients)
> pointed to that nameserver, if any, don't actually need to resolve
> Internet names. Presumably this is because all of their interaction with
> the Internet is done through application-level proxies (e.g. web
> proxies, mail gateways, etc.), and it's the *proxies*, not the end-user
> clients, that are doing the Internet name resolution, using their own
> resources.
>
> As for resolving internal names, "recursion no" imposes the burdensome
> requirement that every internal zone needed by a given community of stub
> resolvers be defined as master or slave on the nameserver (or view)
> which serves those stub resolvers. This doesn't scale very well,
> especially if you have diverse business units which need to co-ordinate
> the setup and ongoing maintenance of multiple master/slave relationships
> between each other's servers. It can also be viewed as overkill to slave
> a zone for which queries are infrequent (how _much_ overkill depends on
> a variety of factors, e.g. REFRESH setting relative to the TTLs of the
> more-popular RRsets, frequency of changes to the zone, size of the zone,
> whether the master and slave both support IXFR, etc.). Regardless of
> those considerations, sometimes it's necessary to slave a zone, just to
> provide maximum redundancy/availability.
>
> Just because you slave a zone, of course, doesn't mean you attract query
> traffic for that zone from foreign resolvers. You can be a "stealth
> slave", which doesn't appear in the NS records of the zone.
>
> For the foregoing reasons, I only define "recursion no" on our primary
> master server for the internal DNS (which is only supposed to
> communicate to other DNS programs via non-recursive transactions,
> including zone transfers), and in one of the views of our
> Internet-facing boxes. Everything else has recursion enabled.
>
> - Kevin
>
>
--
Fran
More information about the bind-users
mailing list