Les Mikesell wrote:
On Sat, 2006-03-25 at 14:57, John Hinton wrote:
Seems that bind by default allows recursion and it's not a good idea.
It's a good idea if you expect it to resolve addresses for you. It may not be a good idea for the registered public servers where you expect outside queries for your domains only.
I'm struggling a bit on a couple of systems. These two systems run sendmail and are nameservers. I have sendmail set to do domain lookups and bounce if the domain does not exist.
My struggle has been to turn recursion off in bind while allowing sendmail to do these lookups. I've been trying to do this by setting up allow-recursion in the options section of named.conf. Using something like
allow-recursion {192.1.1.0/24; 192.34.2.6; };
The IPs have been changed to protect the innocent......
Bind is happy with the entry.. sendmail is not and starts bouncing email.
Does anybody have this working and have any hints? I've googled and tested for hours....
If you insist on having recursion off on the public servers configured as primary and secondaries for your domains (and it doesn't make sense elsewhere), the easy fix is to run other DNS servers configured normally to do your own lookups and use the /etc/resolv.conf entries on your sendmail servers to use them - as you'll need to do for everything else that wants a DNS server. Your own lookups are controlled entirely by the resolv.conf entries and can be on other machines whether or not you run an instance of named on the local machine.
At the suggestion of some notes on DNSReport.com, I tried turning recursion off and when I did, it broke sendmail. All of my upstream DNS servers have recursion turned on, and from what I gather about the mess there is a chance of DNS poisoning with recursion on.
Sam
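The thread's underlying check is whether a nameserver advertises recursion to whoever is asking: a BIND server configured with recursion off (or with an allow-recursion list that excludes the client) answers with the RA flag clear and, for zones it is not authoritative for, RCODE REFUSED, whereas an open resolver sets RA. The following script is an added example, not code from this thread or from BIND; it builds a standard RFC 1035 query with only the standard library, parses the 12-byte response header, and classifies what the server offered. The `probe()` helper, the sample responses and the classification labels are this example's own constructions.

```python
"""Audit whether a DNS server offers recursion to this client (checks the RA flag).

Added example using the RFC 1035 wire format directly; no third-party DNS library.
"""
import secrets
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1
RCODE_REFUSED = 5


def encode_name(name):
    """Encode a dotted name as DNS labels: length byte + label, terminated by 0x00."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(name, txid=None, rd=True):
    """Build a minimal A query; rd=True sets the Recursion Desired bit, as a stub resolver would."""
    if txid is None:
        txid = secrets.randbits(16)          # random ID so a stray reply cannot be matched by luck
    flags = 0x0100 if rd else 0x0000         # RD lives in bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # QDCOUNT=1, others 0
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_header(msg):
    """Decode the fixed 12-byte DNS header into its flag bits and section counts."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),          # 1 = response
        "aa": bool(flags & 0x0400),          # authoritative answer
        "rd": bool(flags & 0x0100),          # recursion desired (echoed from query)
        "ra": bool(flags & 0x0080),          # recursion available: the bit this audit cares about
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_response(resp, expected_id=None):
    """Label what the server offered. Labels are this example's own, not BIND terminology."""
    h = parse_header(resp)
    if expected_id is not None and h["id"] != expected_id:
        return "id-mismatch"                 # not the reply to our query; ignore it
    if not h["qr"]:
        return "not-a-response"
    if h["ra"]:
        return "recursion-offered"           # server will resolve arbitrary names for us
    if h["rcode"] == RCODE_REFUSED:
        return "recursion-refused"           # off-zone query, recursion disabled for this client
    if h["aa"]:
        return "authoritative-only"          # answered from its own zone, no recursion on offer
    return "no-recursion"


def probe(server, name="example.com.", port=53, timeout=3.0):
    """Send one query over UDP and classify the reply. Run it from outside your allow-recursion range."""
    txid = secrets.randbits(16)
    query = build_query(name, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        resp, _ = sock.recvfrom(4096)
    return classify_response(resp, expected_id=txid)


def make_response(txid, flags, qname="example.com."):
    """Constructed sample reply (header + echoed question only) so the classifier can be exercised offline."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


# Constructed sample responses (not captured traffic):
SAMPLE_OPEN = make_response(0x1234, 0x8180)      # QR|RD|RA, NOERROR: open to recursion
SAMPLE_REFUSED = make_response(0x1234, 0x8105)   # QR|RD, RCODE=5 REFUSED, RA clear
SAMPLE_AUTH = make_response(0x1234, 0x8500)      # QR|AA|RD, RA clear: authoritative answer only

if __name__ == "__main__":
    for label, sample in (("open", SAMPLE_OPEN), ("refused", SAMPLE_REFUSED), ("auth", SAMPLE_AUTH)):
        print(f"{label:8s} -> {classify_response(sample, expected_id=0x1234)}")
    # To check a real server of your own: print(probe("192.0.2.53"))
```

Run `probe()` against each public authoritative server from an address outside the networks listed in `allow-recursion`; the expected result for a locked-down server is `recursion-refused` for names it does not serve and `authoritative-only` for its own zones. Run it from a mail host against the resolver named in its `/etc/resolv.conf` and the expected result is `recursion-offered`, which is exactly the split the reply above describes: recursion off on the registered servers, a separately configured resolver for sendmail's lookups.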