doubt about bind dns

I have a Linux machine with a little DNS server (I'm using bind9 for this).

I have 2 PCs that are using this Linux machine as their DNS server. Both PCs resolve DNS queries well for the zone where my Linux machine is authoritative; however, when making some other DNS queries (for example resolving the "google.com" name) it only seems to work if I configure the server with recursion=yes. If recursion=no then only local names are resolved.

Why?
gplana asked:

Zephyr ICT (Cloud Architect) commented:
The thing is, when a forwarding DNS server cannot resolve a query locally (or even using its forwarders), it will then try to resolve the query using standard recursion, true...

But you can also configure the DNS server not to do recursion after the forwarders fail to resolve. Configured like this, the server will not try any further recursive queries but will instead fail the query. So if all forwarders fail to resolve, it will not do recursion... To configure it like this you will need to work with ACLs and/or permit lists if I'm not mistaken...

Zephyr ICT (Cloud Architect) commented:
If you enable recursion you allow your BIND DNS server to query other DNS servers on behalf of the client requesting to resolve a name... So it's working as configured.

If you don't want that behaviour, which might be a security risk (DNS amplification attack), maybe you want to use a forwarding DNS server?

gplana (Author) commented:
The curious thing is that I have the forwarding {} configured with the IP of my ISP, so shouldn't it work when I ask for a name that is not on my DNS server, no matter the value of the recursion parameter?
Zephyr ICT (Cloud Architect) commented:
Recursion should be on when using a forwarding server; make sure it's configured correctly though.

gplana (Author) commented:
Yes, this is what my tests indicate, but why?

Zephyr ICT (Cloud Architect) commented:
I'm not sure what is unclear? Why what? Why recursion needs to be on when using a forwarding DNS server?

Recursion is needed because the BIND server needs to answer queries for zones it is not authoritative for; to do this it will use the servers you configured under forwarders.
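As an added example (not part of the original thread, and not the asker's actual configuration), here is a named.conf that matches the explanation above: forwarding is itself a recursive service, so recursion stays enabled; `forward only` makes the server fail the query when the forwarders fail instead of falling back to iterative resolution from the root hints (the behaviour described in the first comment); and `allow-recursion` limits recursion to the LAN so the server is not an open resolver usable for amplification. The forwarder addresses, the LAN prefix and the zone name are placeholders.

```conf
// Added example; addresses 192.0.2.53/192.0.2.54, the 192.168.1.0/24 LAN
// and the zone "example.internal" are placeholders, not values from the thread.

// Weak variant (shown commented out): recursion for everybody. Any host on
// the Internet may use this server as a resolver, which is what makes it
// useful in a DNS amplification attack.
// options {
//     recursion yes;
//     forwarders { 192.0.2.53; 192.0.2.54; };
// };

acl "lan" { 127.0.0.1; ::1; 192.168.1.0/24; };

options {
    directory "/var/cache/bind";

    // Forwarding is a form of recursive service: the server still resolves
    // names it is not authoritative for on behalf of the client, it merely
    // hands the iterative work to the forwarders. "recursion no;" switches
    // that whole path off, forwarders included, so only local zones answer.
    recursion yes;

    forwarders { 192.0.2.53; 192.0.2.54; };

    // "forward only": if every forwarder fails, fail the query instead of
    // resolving iteratively from the root hints ("forward first", the
    // default, would fall back to that).
    forward only;

    // Only LAN clients may trigger recursion (and read the cache). Everyone
    // else can still query the authoritative zone below, but a query for
    // an outside name such as google.com is refused.
    allow-recursion { lan; };
    allow-query-cache { lan; };
    allow-query { any; };
};

zone "example.internal" {
    type master;
    file "/etc/bind/db.example.internal";
};
```

Check the file with `named-checkconf` before reloading. From a LAN host, `dig @<server> google.com` should come back with the `ra` flag set and an answer; the same query from a host outside the ACL, or `dig @<server> +norecurse google.com` from inside it, returns no answer for the name (current BIND versions answer REFUSED), which is exactly what `recursion no;` produces for every client.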

gplana (Author) commented:
Sorry, but I don't fully understand. Doesn't recursion stand for the way (iterative or recursive) in which DNS queries are made along DNS servers?

I mean, for me the difference is: if I configure recursion = yes, then BIND will ask the forwarding DNS, and this forwarding DNS is the one that will call other DNSs recursively until it gets an answer.
If I configure recursion = no, then BIND will ask the forwarding DNS. If it is not the authoritative server, then it will answer with the address of its parent. Then my server will ask the parent, and so on until it reaches the authoritative server.

Isn't this how it works?

I have looked at the bind9 documentation and I haven't found anywhere that there is an incompatibility between the forwarders parameter and recursion=no. Do you have a link where this is explained?