We help IT Professionals succeed at work.

doubt about bind dns

gplana asked
I have a linux machine with a little dns server (I'm using bind9 for this).

I have 2 PCs who are using this linux machine as its dns server. Both PCs solves well DNS queries on the zone where my linux machine is authoritative, however, when making some other DNS queries (for example solving "google.com" name) it only seems to work if I configure the server with recursion=yes. If recursion=no then only local names are solved.

Watch Question

Zephyr ICTCloud Architect

If you enable recursion you allow your Bind DNS server to query other DNS servers on behalf of your client requesting to solve a name ... So it's working as configured.

If you don't want that behaviour, which might be a security risk (DNS amplification attack).

Maybe you want to use a forwarding DNS server?
The coursious thing is that I have the forwarding {} configured with the IP of my ISP, so shouldn't it work when I ask for a name that is not on my DNS server, no matter the value of recursion parameter?
Zephyr ICTCloud Architect

recursion should be on when using a forwarding server, make sure it's configured correctly though.
Yes, this is what my tests indicates, but why?
Zephyr ICTCloud Architect

I'm not sure what is unclear? Why what? Why recursion needs to be on when using forwarding DNS?

The recursion is needed because the Bind server needs to answer queries for zones it is not authoritative for, to do this it will use the servers you configured under forwarders.
Sorry, but I don't fully understand. Doesn't recursions stands for the way (iterative or recursive) the DNS queries are made along DNS servers?

I mean, for me the difference is: if I configure recursion = yes, then the bind will ask the forwarding DNS, and this forwarding DNS is the one who will call recursively to other DNSs until it gets an answer.
If I configure recursion = no then the bind will ask the forwarding DNS. If it is not the authoritative server, then he will ask with the address of its parent. Then my server will ask the parent, and so on until it reach the authoritative server.

Isn't this how it works?

I have looked at bind9 documentation and I dont found anywhere that there is an incompatibility between forwarders parameter and recursion=no. Do you have a link where this is explained?
Cloud Architect
The thing is, when a DNS server which is a forwarding DNS server,  cannot resolve a query locally (or even using its forwarders) it will then try to resolve the query using the standard recursion, true...

But you can also configure the DNS server to not do recursion after the forwarders fail to resolve. Configured like this the server will not try any further recursive queries but will instead fail the query. So if all forwarders fail to resolve it will not do recursion... To configure it like this you will need to work with ACL and/or permit lists if I'm not mistaking...