Ubuntu – How to Disable External DNS recursion

Tags: bind, dns

I know that to disable recursive queries in BIND, I need to add the following lines to the options section of /etc/bind/named.conf.options

allow-transfer { none; };
allow-recursion { none; };
recursion no;

Will the above configuration disable all DNS recursive queries?

How can I disable DNS recursion only to external network queries and keep recursion only for Internal network?

If I disable recursion, then what process will BIND perform to resolve the name request? Iterative or Inverse?

Best Answer

  • You can enable recursion for some clients and disable recursion for others using views, but it is not recommended because you will lose some of the advantages of turning off recursion in the first place. You should use different nameservers for recursive resolution and authoritative service. (The two servers could run on the same machine if necessary.) Still, here's how to do it:

    // global options apply to every client unless a view overrides them
    options {
        recursion no;
        // additional-from-auth / additional-from-cache were removed in BIND 9.12;
        // drop these two lines on current releases
        additional-from-auth no;
        additional-from-cache no;
    };
    
    view "local" in {
        // view options enable recursion only for local clients
        // (prefixes written as network addresses; host bits set in a prefix make
        // named-checkconf warn about an address/prefix length mismatch)
        match-clients { 172.16.44.0/23; 192.168.12.0/24; 127.0.0.0/8; ::1; };
        recursion yes;
        additional-from-auth yes;
        additional-from-cache yes;
    
        zone "." in {
                type hint;
                file "/etc/bind/db.root";
        };
    
        // put definitions for zones like "localhost" and "127.in-addr.arpa" here,
        // and repeat the real authoritative zones here as well so local clients
        // get them answered directly instead of via recursion
    };
    
    // once any view is defined, every zone must live inside a view, so the
    // real authoritative zones go in this catch-all view that external clients hit
    view "external" in {
        match-clients { any; };
        recursion no;
        // put definitions for real authoritative zones here.
    };
    

    As for the question in your last sentence, "what process will BIND perform to resolve the name request? Iterative or Inverse?", I do not understand the question. A nameserver configured not to offer recursive service will simply refuse to answer recursive queries.
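The question asked specifically for recursion that stays on for the internal network and is off for everyone else. Without views, BIND's own access-control lists do exactly that in the options block. The fragment below is an added example, not code from the answer above; the prefixes in the ACL are assumed placeholders, and the rest of your existing options block (directory, forwarders and so on) is left out and stays as it is.

```conf
// /etc/bind/named.conf.options (added example; merge into your existing options block)

// Assumed internal prefixes; replace with the networks you actually serve.
acl "internal" {
    127.0.0.0/8;
    ::1;
    192.168.12.0/24;
    172.16.44.0/23;
};

options {
    // Recursion stays enabled, but only ACL members may use it.
    // Everyone else gets REFUSED for names this server is not authoritative for.
    recursion yes;
    allow-recursion { internal; };

    // Cached answers are withheld from outsiders as well, so the cache
    // cannot be probed from the Internet (this defaults to the value of
    // allow-recursion, but stating it keeps the intent visible).
    allow-query-cache { internal; };

    // Authoritative zones remain answerable by anyone.
    allow-query { any; };

    // No zone transfers unless a zone block overrides this for its secondaries.
    allow-transfer { none; };
};
```

Check the result with `named-checkconf` before `rndc reload`. Then query the server for a name it is not authoritative for: from an internal host the reply carries the `ra` flag and an answer; from an external host `dig` reports status REFUSED and warns "recursion requested but not available", which is the behaviour the accepted answer describes.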
