[CentOS] Bind Recursion and Sendmail

Aleksandar Milivojevic alex at milivojevic.org
Sun Mar 26 01:42:37 UTC 2006

Sam Drinkard wrote:

> At the suggestion of some notes on DNSReport.com, I tried turning 
> recursion off and when I did, it broke sendmail.  All of my upstream 
> DNS' have recursion turned on, and from what I gather about the mess 
> there is a chance of dns poisoning with recursion on.

You can turn recursion off only on name servers that will answer queries 
from other name servers.  You can not turn recursion off on name servers 
that answer queries from clients.

The resolver library is not supposed to perform recursion itself. 
That's the job of name server.  That's why it broke your Sendmail.  The 
resolver libraries are usually too dumb to perform recursive lookups 
them self, and might be even prevented to do so by firewalls.  Also, it 
would be waste of your network bandwidth since you'd loose effects of 
caching that name servers are performing.

Said that, on name servers that are supposed to answer queries from 
clients, you should be able to allow recursion only for specific 
clients.  If you have a valid reason to do so.  That basically means 
name server will not be particularly useful to clients not on the list. 
  This might be a good idea if you have only one name server, serving 
both internal network and Internet (not such a good idea, IMO).

Question for OP, what's the content of /etc/resolv.conf?  Do you have 
"nameserver" inthere by any chance?  That would explain why it 
hasn't worked, since was not on the list of hosts allowed to 
do recursive lookups.

More information about the CentOS mailing list