gplana asked:

Doubt about BIND DNS

I have a Linux machine with a small DNS server (I'm using BIND9 for this).

I have 2 PCs that use this Linux machine as their DNS server. Both PCs resolve DNS queries fine for the zone where my Linux machine is authoritative; however, other DNS queries (for example, resolving the name "google.com") only seem to work if I configure the server with recursion=yes. With recursion=no only local names are resolved.

Tags: Linux Networking, DNS

Last comment: Zephyr ICT, 8/22/2022 (Mon)

Zephyr ICT

If you enable recursion, you allow your BIND DNS server to query other DNS servers on behalf of the client requesting to resolve a name... So it's working as configured.

If you don't want that behaviour, which might be a security risk (DNS amplification attack), maybe you want to use a forwarding DNS server?

The curious thing is that I have the forwarding {} block configured with the IP of my ISP, so shouldn't it work when I ask for a name that is not on my DNS server, no matter the value of the recursion parameter?
Zephyr ICT

Recursion should be on when using a forwarding server; make sure it's configured correctly, though.

Yes, this is what my tests indicate, but why?
Zephyr ICT

I'm not sure what is unclear. Why what? Why recursion needs to be on when using a forwarding DNS?

Recursion is needed because the BIND server needs to answer queries for zones it is not authoritative for; to do this it will use the servers you configured under forwarders.

Sorry, but I don't fully understand. Doesn't recursion stand for the way (iterative or recursive) DNS queries are made across DNS servers?

I mean, for me the difference is: if I configure recursion = yes, then BIND will ask the forwarding DNS, and this forwarding DNS is the one that will recursively query other DNS servers until it gets an answer.
If I configure recursion = no, then BIND will ask the forwarding DNS. If that is not the authoritative server, it will answer with the address of its parent. Then my server will ask the parent, and so on until it reaches the authoritative server.

Isn't this how it works?

I have looked at the BIND9 documentation and I haven't found anywhere that there is an incompatibility between the forwarders parameter and recursion=no. Do you have a link where this is explained?
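To make the distinction in this thread concrete, here is an added named.conf example; it is not configuration posted by the asker or by Zephyr ICT. In BIND, forwarders are only consulted while the server is recursing on a client's behalf, so `recursion no;` switches off forwarding along with everything else: a query for a name outside the server's own zones is then refused (current BIND returns status REFUSED; older versions sent a referral to the root servers) and the `ra` flag is cleared in the reply. The fix for the amplification concern is therefore not `recursion no;` but keeping recursion on and restricting it with `allow-recursion` to the clients that should have it. Variant A is the open-resolver setup the question describes; variant B keeps forwarding for the LAN only. The network 192.168.1.0/24, the forwarder 203.0.113.53 and the zone example.internal are placeholders chosen for this example.

```conf
// Added example, not the configuration of either participant in this thread.
// Placeholders: 192.168.1.0/24 is the LAN with the two PCs, 203.0.113.53
// stands for the ISP resolver, example.internal for the locally served zone.

// --- Variant A: what the question describes. "recursion yes" with no
// allow-recursion restriction makes this an open resolver: anyone who can
// reach UDP/53 can use it (and the ISP forwarder behind it) as an
// amplification source. Kept commented out so this file still passes
// named-checkconf; do not deploy it.
//
// options {
//     recursion yes;
//     forwarders { 203.0.113.53; };
// };

// --- Variant B: keep forwarding for the LAN, refuse recursion to everyone else.
acl "trusted" {
    127.0.0.0/8;
    ::1;
    192.168.1.0/24;
};

options {
    directory "/var/cache/bind";

    // Recursion stays on: forwarders are only used while the server recurses
    // on a client's behalf. With "recursion no;" the forwarders list is never
    // consulted, which is exactly what the asker observed.
    recursion yes;
    allow-recursion { trusted; };      // only the LAN may ask us to resolve foreign names
    allow-query-cache { trusted; };    // only the LAN may read answers already cached
    allow-query { any; };              // the authoritative zone below still answers everyone

    forwarders { 203.0.113.53; };
    forward only;                      // never fall back to iterating from the root hints

    // Response rate limiting blunts reflection attacks against the authoritative data
    rate-limit {
        responses-per-second 10;
    };
};

zone "example.internal" {
    type master;
    file "/etc/bind/db.example.internal";
    allow-transfer { none; };          // no zone transfers to arbitrary hosts
};
```

Validate the file with `named-checkconf` before reloading. Then, from a host outside 192.168.1.0/24, `dig @<server> google.com` should come back with `status: REFUSED` and no `ra` in the flags line, while the same query from one of the two PCs returns an answer with `ra` set, and `dig @<server> example.internal SOA` keeps working from anywhere. If the outside query is answered, the server is still an open resolver and the ACL is not taking effect.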