gplana asked:

doubt about bind dns

I have a Linux machine with a little DNS server (I'm using bind9 for this).

I have 2 PCs that are using this Linux machine as their DNS server. Both PCs solve DNS queries well on the zone where my Linux machine is authoritative; however, when making some other DNS queries (for example solving the "google.com" name) it only seems to work if I configure the server with recursion=yes. If recursion=no then only local names are solved.

Why?

Zephyr ICT:

If you enable recursion you allow your Bind DNS server to query other DNS servers on behalf of your client requesting to solve a name ... So it's working as configured.

If you don't want that behaviour, which might be a security risk (DNS amplification attack), maybe you want to use a forwarding DNS server?

gplana (ASKER):

The curious thing is that I have the forwarding {} configured with the IP of my ISP, so shouldn't it work when I ask for a name that is not on my DNS server, no matter the value of the recursion parameter?

Recursion should be on when using a forwarding server; make sure it's configured correctly though.

gplana (ASKER):

Yes, this is what my tests indicate, but why?

I'm not sure what is unclear? Why what? Why recursion needs to be on when using forwarding DNS?

The recursion is needed because the Bind server needs to answer queries for zones it is not authoritative for; to do this it will use the servers you configured under forwarders.
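
An added example, not part of the original thread: a named.conf options block for the setup discussed above, with recursion on so the forwarders are actually used, but limited to the local network so the server cannot be used as an open resolver in a DNS amplification attack. The ACL name, the LAN range and the forwarder address are assumed placeholders.

```conf
// Constructed example: "lan", 192.168.1.0/24 and 192.0.2.53 are placeholders,
// not values from the thread.
acl "lan" {
    localhost;
    192.168.1.0/24;          // assumed range of the two client PCs
};

options {
    // Required for any name outside the locally hosted zones. With
    // "recursion no" named answers only from its authoritative zones
    // and never sends the query on to the forwarders.
    recursion yes;

    // Only the LAN may ask for recursion or read cached answers, so
    // outside hosts cannot make this server resolve names for them.
    allow-recursion   { "lan"; };
    allow-query-cache { "lan"; };

    // Resolver that does the real lookup work (placeholder for the
    // ISP's DNS server).
    forwarders { 192.0.2.53; };

    // "forward only" sends every non-local query to the forwarders.
    // The default, "forward first", falls back to iterating from the
    // root servers if the forwarders do not answer.
    forward only;
};
```

Run `named-checkconf` on the file before reloading named to catch syntax errors.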

gplana (ASKER):

Sorry, but I don't fully understand. Doesn't recursion stand for the way (iterative or recursive) the DNS queries are made along DNS servers?

I mean, for me the difference is: if I configure recursion = yes, then the bind will ask the forwarding DNS, and this forwarding DNS is the one who will call recursively to other DNSs until it gets an answer.
If I configure recursion = no then the bind will ask the forwarding DNS. If it is not the authoritative server, then it will ask with the address of its parent. Then my server will ask the parent, and so on until it reaches the authoritative server.

Isn't this how it works?

I have looked at the bind9 documentation and I haven't found anywhere that there is an incompatibility between the forwarders parameter and recursion=no. Do you have a link where this is explained?