How could one disable bind9's recursion and do forwarding only for DNS queries?


There's an excellent discussion of this at https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04.

What you're doing is basically correct, except that you need to set "recursion yes" even if your DNS setup requires your server to be a forwarding-only server. This may seem counter-intuitive, but it's the way the prescription goes. Here's a sample config:

# Clients that may query (and therefore recurse through) this server.
# Keep this tight: a forwarding server with "recursion yes" that answers
# "any" is an open resolver and can be abused for amplification attacks.
acl goodclients {
        192.0.2.0/24;
        localhost;
        localnets;
};

options {
        directory "/var/cache/bind";

        # Forwarding is a form of recursion: with "recursion no" named
        # refuses every query for a zone it is not authoritative for.
        recursion yes;
        allow-query { goodclients; };

        # Upstream resolvers that receive the recursive queries.
        forwarders {
                8.8.8.8;
                8.8.4.4;
        };
        # Never fall back to iterating from the root if the forwarders fail.
        forward only;

        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};
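To make the point above checkable, here is a small linter for the recursion and forwarding settings of a named.conf.options fragment. It is an added example, not code from the original post or from ISC's BIND: the parser is deliberately minimal (comments stripped, brace-balanced `options` and `acl` blocks, simple `name value;` statements), the three embedded configs are constructed for the demonstration, and the finding codes (`REFUSED`, `OPEN-RESOLVER`, `NO-FORWARDERS`) are names chosen here. It flags the questioner's combination of `forward only` with `recursion no` (every non-authoritative query is answered REFUSED), and the opposite mistake of enabling recursion for `any` client, which turns a forwarding server into an open resolver.

```python
import re

# Constructed sample 1: forward-only with recursion switched off (the
# questioner's setup). named answers REFUSED to every non-authoritative query.
BROKEN = """
options {
    directory "/var/cache/bind";
    recursion no;
    allow-query { localhost; };
    forwarders { 8.8.8.8; 8.8.4.4; };
    forward only;
};
"""

# Constructed sample 2: recursion on, but only for a named client ACL.
FIXED = """
acl goodclients { 192.0.2.0/24; localhost; localnets; };
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { goodclients; };
    forwarders { 8.8.8.8; 8.8.4.4; };
    forward only;
};
"""

# Constructed sample 3: recursion on for every client, i.e. an open resolver.
OPEN = """
options {
    recursion yes;
    allow-query { any; };
    forwarders { 8.8.8.8; };
    forward only;
};
"""

def strip_comments(text):
    """Remove /* */, // and # comments (all three are valid in named.conf)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def options_block(text):
    """Return the body of the top-level options { ... } block, matching braces."""
    m = re.search(r"(?<![\w-])options\s*\{", text)
    if not m:
        raise ValueError("no options block")
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]

def statement(body, name):
    """Value of `name value;` (string) or `name { a; b; };` (list), else None."""
    pat = r"(?<![\w-])" + re.escape(name) + r"(?![\w-])\s*(\{[^}]*\}|[^;{]+);"
    m = re.search(pat, body)
    if not m:
        return None
    v = m.group(1).strip()
    if v.startswith("{"):
        return [x.strip() for x in v[1:-1].split(";") if x.strip()]
    return v

def acl_map(text):
    """Top-level `acl name { ... };` definitions, one level deep."""
    return {m.group(1): [x.strip() for x in m.group(2).split(";") if x.strip()]
            for m in re.finditer(r'(?<![\w-])acl\s+"?([\w-]+)"?\s*\{([^}]*)\};', text)}

def expand(names, acls, depth=0):
    """Replace ACL names by their members so `any` hidden behind an ACL is seen."""
    out = []
    for n in names:
        if n in acls and depth < 5:
            out.extend(expand(acls[n], acls, depth + 1))
        else:
            out.append(n)
    return out

def check(conf):
    """Return a list of findings ('CODE: explanation') for one named.conf fragment."""
    text = strip_comments(conf)
    body = options_block(text)
    recursion = (statement(body, "recursion") or "yes").lower()   # BIND default: yes
    forward = statement(body, "forward")
    forwarders = statement(body, "forwarders") or []
    findings = []
    if forwarders and recursion == "no":
        findings.append("REFUSED: forwarding is recursion; with 'recursion no' every "
                        "non-authoritative query gets REFUSED / 'recursion requested but not available'")
    if recursion == "yes":
        # Who may recurse: allow-recursion, else allow-query-cache, else allow-query,
        # else BIND's own default of { localnets; localhost; }.
        candidates = (statement(body, "allow-recursion"),
                      statement(body, "allow-query-cache"),
                      statement(body, "allow-query"))
        effective = next((c for c in candidates if c is not None), ["localnets", "localhost"])
        if any(a in ("any", "0.0.0.0/0", "::/0") for a in expand(effective, acl_map(text))):
            findings.append("OPEN-RESOLVER: recursion is allowed for any client; "
                            "restrict allow-recursion (or allow-query) to an ACL")
    if forward == "only" and not forwarders:
        findings.append("NO-FORWARDERS: 'forward only' without a forwarders list resolves nothing")
    return findings

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED), ("open", OPEN)):
        print(label, "->", check(conf) or ["ok"])
```

Run it against your own /etc/bind/named.conf.options by reading the file into `check()`; `named-checkconf` will tell you whether the syntax is valid, but it will not tell you that a forward-only server with `recursion no` refuses everything, or that `allow-query { any; }` with recursion on exposes an open resolver.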

Bulat M.

Updated on September 18, 2022

Comments

  • Bulat M.
    Bulat M. over 1 year

    I am learning how to configure a DNS server. My first task is to set up a local forwarding server, a server that does NOT do recursive queries but forwards them to another public open DNS.

    OK, here is my /etc/bind/named.conf.options

    options {
        directory "/var/cache/bind";
    
        recursion no;
        allow-query { localhost; };
    
        forwarders {
            8.8.8.8;
            8.8.4.4;
        };
        forward only;
    
        dnssec-enable yes;
        dnssec-validation yes;
    
        auth-nxdomain no;    # conform to RFC1035
        listen-on port 53 {
            127.0.0.1;
            192.168.1.33;
        };
        listen-on-v6 { any; };
    };
    

    But when I issue

    dig askubuntu.com
    

    it returns:

    ...
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 57563
    ...
    ;; WARNING: recursion requested but not available
    ...
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ...
    

    As I understand, dig should make a DNS query to the local bind instance and it should forward that request to 8.8.8.8 and return the answer.

    However, it complains that recursion is not available. But I did not request it.

    How could one solve this problem? Thanks.

    • Terrance
      Terrance over 7 years
      I think your second forwarder should be 8.8.4.4
  • Bulat M.
    Bulat M. over 7 years
    And what is the purpose of setting "recursion no"? In what cases one should use this option?
  • fkraiem
    fkraiem over 7 years
    @BulatM. This option makes your server refuse to answer any query regarding a domain it is not in charge of, which is exactly what your server is doing.
  • Bulat M.
    Bulat M. over 7 years
    You mean, it is used, when configuring authoritative-only server? That shares info only about its zones?
  • Bulat M.
    Bulat M. over 7 years
    @fkraiem, oh, forgot to put "@username" when replying..
  • fkraiem
    fkraiem over 7 years
    @BulatM. Basically yes, its detailed description is here.