[CentOS] Bind Recursion and Sendmail

Sam Drinkard sam at wa4phy.net
Sun Mar 26 00:42:37 UTC 2006


Les Mikesell wrote:

>On Sat, 2006-03-25 at 14:57, John Hinton wrote:
>
>>Seems that bind by default allows recursion and it's not a good idea.
>
>It's a good idea if you expect it to resolve addresses for you.  It
>may not be a good idea for the registered public servers where
>you expect outside queries for your domains only.
>
>
>>I'm struggling a bit on a couple of systems. These two systems run 
>>sendmail and are nameservers. I have sendmail set to do domain lookups 
>>and bounce if the domain does not exist.
>>
>>My struggle has been to turn recursion off in bind while allowing 
>>sendmail to do these lookups. I've been trying to do this by setting up 
>>allow-recursion in the options section of named.conf. Using something like
>>
>>allow-recursion {192.1.1.0/24; 192.34.2.6; };
>>
>>The IPs have been changed to protect the innocent......
>>
>>Bind is happy with the entry.. sendmail is not and starts bouncing email.
>>
>>Does anybody have this working and have any hints? I've googled and 
>>tested for hours....
>
>If you insist on having recursion off on the public servers
>configured as primary and secondaries for your domains (and
>it doesn't make sense elsewhere), the easy fix is to run other
>DNS servers configured normally to do your own lookups and use
>the /etc/resolv.conf entries on your sendmail servers to use
>them - as you'll need to do for everything else that wants a
>DNS server.  Your own lookups are controlled entirely by the
>resolv.conf entries and can be on other machines whether or not
>you run an instance of named on the local machine.
>
>
At the suggestion of some notes on DNSReport.com, I tried turning
recursion off and when I did, it broke sendmail.  All of my upstream
DNS servers have recursion turned on, and from what I gather about the mess
there is a chance of DNS poisoning with recursion on.

Sam
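Added example, not from anyone in this thread: the two layouts discussed above as BIND 9 configuration fragments. Layout A keeps one host both authoritative and recursing for its own sendmail, so the address sendmail's lookups arrive from (127.0.0.1 when /etc/resolv.conf points at the local named) has to be in the allow-recursion list; layout B is the reply's separate-resolver approach, where the public server never recurses. The 192.1.1.0/24 and 192.34.2.6 values are the placeholders from the original post; 192.1.1.10 is an assumed address for an internal resolver.

```conf
# ---- Layout A: one host, authoritative for its zones and resolver for
# ---- its own sendmail.  /etc/named.conf, options section.
options {
    directory "/var/named";
    recursion yes;
    # Only these client addresses may ask this server to resolve names
    # it is not authoritative for.  With /etc/resolv.conf pointing at
    # the local named, sendmail's queries arrive from 127.0.0.1; if that
    # address is missing here, named refuses them and sendmail, which
    # bounces on lookup failure, starts rejecting mail.
    allow-recursion {
        127.0.0.1;          # sendmail on this host
        192.1.1.0/24;       # placeholder networks from the original post
        192.34.2.6;
    };
    # Anyone may still query the zones this server is authoritative for.
    allow-query { any; };
};

# /etc/resolv.conf on that same host
nameserver 127.0.0.1

# ---- Layout B: the public server is authoritative only and recurses for
# ---- nobody; the mail host resolves through a separate internal server.
# /etc/named.conf on the public server, options section.
options {
    directory "/var/named";
    recursion no;          # refuse recursive lookups from every client
    allow-query { any; };  # still answer for the served zones
};

# /etc/resolv.conf on the sendmail host.  192.1.1.10 is an assumed
# address for an ordinary recursing resolver that is not reachable
# from the Internet; every other host that needs lookups uses it too.
nameserver 192.1.1.10
```

After either change, `rndc reload` and check from the sendmail host that a lookup for a name outside your own zones still succeeds; a REFUSED answer means the querying address is not covered by the recursion policy in effect.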


