[CentOS] Bind Recursion and Sendmail
Aleksandar Milivojevic
alex at milivojevic.org
Sun Mar 26 01:42:37 UTC 2006
Sam Drinkard wrote:
> At the suggestion of some notes on DNSReport.com, I tried turning
> recursion off and when I did, it broke sendmail. All of my upstream
> DNS' have recursion turned on, and from what I gather about the mess
> there is a chance of dns poisoning with recursion on.
You can turn recursion off only on name servers that will answer queries
from other name servers. You cannot turn recursion off on name servers
that answer queries from clients.
The resolver library is not supposed to perform recursion itself.
That's the job of the name server. That's why it broke your Sendmail. The
resolver libraries are usually too dumb to perform recursive lookups
themselves, and might even be prevented from doing so by firewalls. Also, it
would be a waste of your network bandwidth since you'd lose the effects of
the caching that name servers perform.
That said, on name servers that are supposed to answer queries from
clients, you should be able to allow recursion only for specific
clients, if you have a valid reason to do so. That basically means the
name server will not be particularly useful to clients not on the list.
This might be a good idea if you have only one name server serving
both the internal network and the Internet (not such a good idea, IMO).
Question for the OP: what's the content of /etc/resolv.conf? Do you have
"nameserver 127.0.0.1" in there by any chance? That would explain why it
hasn't worked, since 127.0.0.1 was not on the list of hosts allowed to
do recursive lookups.
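An added check, not part of the thread, for exactly the mismatch described above: it reads the nameservers from a resolv.conf and the allow-recursion ACL from a named.conf options block and reports which resolvers would be refused recursion. The sample inputs are constructed, and the ACL parser assumes a flat list of addresses, prefixes and the built-in any/none/localhost names (nested named ACLs and localnets are not expanded).

```python
import ipaddress
import re

# Constructed sample inputs standing in for /etc/resolv.conf and the
# options {} block of named.conf on the same host.
RESOLV_CONF = """# constructed sample
search example.org
nameserver 127.0.0.1
nameserver 192.168.1.53
"""
NAMED_CONF_OPTIONS = """options {
    directory "/var/named";
    // constructed sample: recursion granted to the LAN only
    allow-recursion { 192.168.1.0/24; };
};"""

def parse_nameservers(text):
    """Return the nameserver addresses listed in a resolv.conf body."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def parse_allow_recursion(text):
    """Return the elements of allow-recursion { ... }; or None if absent."""
    m = re.search(r"allow-recursion\s*\{([^}]*)\}", text)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]

def recursion_allowed(addr, acl):
    """First matching ACL element decides; a '!' prefix denies. None = unknown."""
    if acl is None:
        return None
    ip = ipaddress.ip_address(addr)
    for elem in acl:
        negate = elem.startswith("!")
        elem = elem.lstrip("!").strip()
        if elem in ("none", "localnets"):
            continue  # 'none' matches nothing; localnets needs interface data
        hit = (elem == "any" or (elem == "localhost" and ip.is_loopback)
               or (elem not in ("any", "localhost")
                   and ip in ipaddress.ip_network(elem, strict=False)))
        if hit:
            return not negate
    return False

def check_resolvers(resolv_text, named_text):
    """Map each resolv.conf nameserver to True (allowed) / False / None."""
    acl = parse_allow_recursion(named_text)
    return {ns: recursion_allowed(ns, acl) for ns in parse_nameservers(resolv_text)}

if __name__ == "__main__":
    for ns, ok in check_resolvers(RESOLV_CONF, NAMED_CONF_OPTIONS).items():
        print(ns, {True: "recursion allowed", False: "recursion DENIED"}.get(ok, "unknown"))
```

With the sample inputs the script flags 127.0.0.1 as denied, which is the situation the message above asks the OP to look for.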