Menu
01101110 01100101 01110100 01110111 01101111 01110010 01101011 01100001 01100100 01101101 01101001 01101110 01110100 01101111 01101111 01101100 01110011 00001101 00001010

Background

Manage Engine

Our readers provide the funding for our platform, and we may receive a commission when you make a purchase using the links on our site.

Restricting Recursive Lookups with BIND 8/9

/ October 3, 2016 — Name Resolution and DNS

When you allow recursive lookups, you open yourself up to various security risks and performance issues, so you should only allow recursion when needed. Recursive lookups are lookups for domains you are not authoritative for. That is, if you are authoritative for mycompany.com, and you don’t allow recursion, then if somebody queries your server for anotherdomain.com, they will just get a host not found error. To turn off recursion alltogether, use this option in named.conf:

options {
directory "/var/named";
recursion no;
};

We left in the directory option, which you probably have set the same, anyway. Now, say you want to allow recursion for certain hosts. You could do this:

acl recurseallow { 6.4.2.4; 2.4.2.1; 1.2.1.2; };
options {
directory "/var/named";
allow-recursion { recurseallow; };
};

This would only allow hosts with source IP addresses of 6.4.2.4, 2.4.2.1, or 1.2.1.2 query about domains the server is not authoritative for. You can also specify entire subnets using / notation. For further information, check out our Name Resolution section.

Information

About