[CentOS] Bind Recursion and Sendmail

Sat Mar 25 21:16:02 UTC 2006
Les Mikesell <lesmikesell at gmail.com>

On Sat, 2006-03-25 at 14:57, John Hinton wrote:
> Seems that bind by default allows recursion and it's not a good idea. 

It's a good idea if you expect it to resolve addresses for you.  It
may not be a good idea for the registered public servers where
you expect outside queries for your domains only.

> I'm struggling a bit on a couple of systems. These two systems run 
> sendmail and are nameservers. I have sendmail set to do domain lookups 
> and bounce if the domain does not exist.
> 
> My struggle has been to turn recursion off in bind while allowing 
> sendmail to do these lookups. I've been trying to do this by setting up 
> allow-recursion in the options section of named.conf. Using something like
> 
> allow-recursion {192.1.1.0/24; 192.34.2.6; };
> 
> The IPs have been changed to protect the innocent......
> 
> Bind is happy with the entry.. sendmail is not and starts bouncing email.
> 
> Does anybody have this working and have any hints? I've googled and 
> tested for hours....

If you insist on having recursion off on the public servers
configured as primary and secondaries for your domains (and
it doesn't make sense elsewhere), the easy fix is to run other
DNS servers configured normally to do your own lookups and use
the /etc/resolv.conf entries on your sendmail servers to use
them - as you'll need to do for everything else that wants a
DNS server.  Your own lookups are controlled entirely by the
resolv.conf entries and can be on other machines whether or not
you run an instance of named on the local machine.

-- 
  Les Mikesell
   lesmikesell at gmail.com