Allowing recursion for just specific zones

Chris Buxton chris.p.buxton at gmail.com
Mon May 10 18:54:57 UTC 2010


Recursion is enabled/allowed at the view level, not the zone level.

One strategy would be to set up a view that matches recursive queries
only. Set allow-query to none at the view, then set it to any (or
whatever) in each zone of type forward or stub.

Or if you want to use your root zone idea, make sure to populate it
with delegations to the domains that should resolve.

I'm not sure if the match-recursive statement existed in 9.2. You may
need to upgrade to something current.

Chris Buxton
BlueCat Networks

On 5/10/10, Brian Candler <B.Candler at pobox.com> wrote:
> Hello,
>
> I am trying to configure a bind9 view to allow recursion just for certain
> domains. (This is bind-9.2.4-16.EL4 under RHEL4).
>
> In fact, it doesn't even have to be real recursion, just forwarding to an
> upstream recursive nameserver.  The point is that the clients are only
> authorised to look up names under a handful of domains, and the rest should
> be denied.
>
> However, the various attempts I've tried have failed so far. As far as I can
> tell:
>
> 1. "recursion no" can only be set at the top (view) level, not overridden
>    at the zone level.
>
> 2. If I set "recursion no" at the view level, then a "type forward"
>    zone has no effect:
>
>   view "foo" {
>     recursion no;
>     ...
>     zone "example.com" {
>       type forward;
>       forward only;
>       forwarders {192.0.2.1;};
>     };
>
> -- query for foo.example.com returns only referral to root servers
>    (i.e. it is not forwarded)
>
> 3. If I make the view authoritative for the root zone, then a "type forward"
>    zone also has no effect:
>
>   view "foo" {
>     recursion yes;
>     ...
>     zone "." {
>       type master;
>       file "named.zero";   // just SOA
>       allow-update {none;};
>     };
>     zone "example.com" {
>       type forward;
>       forward only;
>       forwarders {192.0.2.1;};
>     };
>
> -- query for foo.example.com gives NXDOMAIN and the root SOA
>
> 4. Setting forwarders to an empty list at the top level doesn't prevent
> forwarding, it just falls back to normal recursive lookup instead.
>
>   view "foo" {
>     recursion yes;
>     forward only;
>     forwarders {};
>     ..
>     zone "example.com" {
>       type forward;
>       forward only;
>       forwarders {192.0.2.1;};
>     };
>
> -- queries for bar.example.com are forwarded as expected
> -- queries for baz.anythingelse.com are looked up recursively, which
>    is what I'm trying to prevent :-(
>
> 5. I don't have AXFR access to the upstream zones, so making the server
> a slave for these zones is not an option.
>
> At the moment the best I can do is to forward to a non-existent IP in the
> top level, which makes unauthorised queries time out - clearly not ideal.
>
> Anyone have any better suggestions?
>
> Many thanks,
>
> Brian.
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>

-- 
Sent from my mobile device
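As an added example (not Chris's or Brian's configuration, and not taken from the thread): a BIND 9 view that implements the second suggestion above, making the view authoritative for "." and populating that local root zone with delegations for only the domains that should resolve, so every other name is answered NXDOMAIN by the local root instead of being recursed or forwarded. The client range 10.0.0.0/8, the upstream resolver 192.0.2.1, the two permitted domains, the name-server glue addresses and the file path are all constructed placeholders. It assumes that once the resolver finds the delegation in the local root zone it consults the forward zone for that domain and sends the query to the forwarder; that interaction is something to confirm with dig on the version actually in use.

```conf
// named.conf fragment (added example, constructed values throughout).
// The view recurses, but its own root zone decides which names exist:
// only the delegated domains lead anywhere.
view "restricted" {
    match-clients   { 10.0.0.0/8; };   // constructed client range
    recursion       yes;
    allow-query     { 10.0.0.0/8; };
    allow-recursion { 10.0.0.0/8; };

    // Local root zone: the delegations in this file are the allow-list.
    zone "." {
        type master;
        file "/etc/named/root.restricted";   // placeholder path
        allow-update { none; };
    };

    // Permitted domains are forwarded to the upstream recursive server.
    // The matching delegation in root.restricted is what keeps these
    // names from being answered NXDOMAIN by the local root zone.
    zone "example.com" {
        type forward;
        forward only;
        forwarders { 192.0.2.1; };   // constructed upstream resolver
    };
    zone "example.net" {
        type forward;
        forward only;
        forwarders { 192.0.2.1; };
    };
};

// ---- /etc/named/root.restricted (zone file for ".") ----
// $TTL 3600
// .   IN SOA localhost. hostmaster.localhost. ( 1 3600 900 604800 3600 )
// .   IN NS  localhost.
// ; Delegations: only these domains can resolve from this view.
// ; NS names and glue addresses are constructed placeholders.
// example.com.     IN NS  ns.example.com.
// ns.example.com.  IN A   192.0.2.53
// example.net.     IN NS  ns.example.net.
// ns.example.net.  IN A   192.0.2.54
```

Check the configuration with `named-checkconf -z` before reloading, then test from a client in the permitted range: `dig @server foo.example.com` should return whatever the forwarder returns, while `dig @server www.anythingelse.com` should come back NXDOMAIN with the local root SOA in the authority section. That NXDOMAIN, rather than a timeout or a referral to the real root servers, is the sign that unauthorised names are neither recursed nor forwarded. Note that the view must not carry a view-level `forward only; forwarders { ... };` as in the fourth attempt quoted above, since that would again send every non-delegated name upstream.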
