Wednesday 12 March 2014

Configuring Bind Non Recursive

When configuring the BIND DNS name server, it's almost always beneficial to restrict who can perform recursive queries.
A recursive query occurs when your DNS server is queried for a domain that it currently knows nothing about, in which case it will try to resolve the given host by performing further queries (e.g. by starting at the root servers and working down, or by simply passing the request to yet another DNS server).
If your server does this for arbitrary queries from the Internet, it is open to anybody, and strangers can use up your bandwidth with their DNS queries.
However, there are situations that call for answering recursive queries. For example, if you have one DNS server serving your local network, you may want all of your local computers to use your DNS server.
The solution is to add an 'allow-recursion' line to the 'options' block of your BIND configuration. For example:


options {
        allow-recursion { 127.0.0.1; 192.168.1.0/24; 192.168.2.1; };
};



This allows localhost (127.0.0.1), the host 192.168.2.1, and the network 192.168.1.0/24 to use this DNS server for recursive lookups (e.g. as a general name server). For everyone else, the server will only answer queries for what's in the local zone files and in the cache.
On Debian, this is placed in '/etc/bind/named.conf.options'; other servers may be configured in '/etc/bind/named.conf'.
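To check which clients a given 'allow-recursion' list actually admits before reloading the server, the list can be evaluated offline. The script below is an added example, not part of the original post or of BIND: it parses the statement and applies first-match evaluation to test addresses. It assumes the list holds only literal addresses, prefixes, `any` and `none`; the function names and the probe address 203.0.113.10 are illustrative.

```python
import ipaddress
import re

# Constructed sample: the options block shown in the post.
SAMPLE_CONF = """
options {
        allow-recursion { 127.0.0.1; 192.168.1.0/24; 192.168.2.1; };
};
"""

def parse_allow_recursion(conf_text):
    """Return the allow-recursion list as (negated, network) pairs in order,
    or None if the statement is absent (named's built-in default applies)."""
    text = re.sub(r"/\*.*?\*/", "", conf_text, flags=re.S)  # block comments
    text = re.sub(r"(#|//).*", "", text)                    # line comments
    m = re.search(r"\ballow-recursion\s*\{([^{}]*)\}", text)
    if m is None:
        return None
    rules = []
    for item in filter(None, (i.strip() for i in m.group(1).split(";"))):
        negated = item.startswith("!")
        item = item.lstrip("!").strip()
        if item == "none":          # matches no client, so it adds no rule
            continue
        # "any" covers both address families. Named ACLs (localhost,
        # localnets, user-defined) and keys are not resolved here:
        # ip_network() raises ValueError for them.
        nets = ["0.0.0.0/0", "::/0"] if item == "any" else [item]
        rules += [(negated, ipaddress.ip_network(n, strict=False)) for n in nets]
    return rules

def may_recurse(rules, client):
    """First matching element decides; no match means recursion is refused."""
    addr = ipaddress.ip_address(client)
    for negated, net in rules:
        if addr in net:             # False when address families differ
            return not negated
    return False

def audit(conf_text, clients):
    """Map each client address to whether it would be allowed recursion."""
    rules = parse_allow_recursion(conf_text)
    if rules is None:
        raise ValueError("no allow-recursion statement found")
    return {c: may_recurse(rules, c) for c in clients}

if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for an outside host.
    for client, ok in audit(SAMPLE_CONF, ["127.0.0.1", "192.168.1.77",
                                          "192.168.2.2", "203.0.113.10"]).items():
        print(f"{client:15} {'recursion allowed' if ok else 'refused'}")
```

A list that evaluates to "allowed" for the outside probe address (for instance one containing `any`) means the server is acting as an open resolver.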
