How could one disable bind9's recursion and do forwarding only for DNS queries?
There's an excellent discussion of this at https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04.
What you're doing is basically correct, except that you need to set "recursion yes" even if your DNS setup requires your server to be a forwarding-only server. This may seem counter-intuitive, but it's the way the prescription goes. Here's a sample config:
acl goodclients {
    192.0.2.0/24;   # the subnet allowed to use this resolver
    localhost;
    localnets;
};

options {
    directory "/var/cache/bind";

    # Forwarding is a form of recursion: the server still resolves on the
    # client's behalf, it just hands the work to the forwarders.
    recursion yes;

    # Only ACL members may query; everyone else gets REFUSED.
    allow-query { goodclients; };

    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    # Never fall back to iterative resolution if the forwarders fail.
    forward only;

    dnssec-validation auto;
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};
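The REFUSED answer in the question is visible at the wire level: dig sends a query with the RD (recursion desired) bit set, and a BIND with "recursion no" answers with RA (recursion available) clear and RCODE 5. The script below is an added example, not part of the original answer or of BIND; it builds a minimal query with RD set, parses the response header, and classifies the result, so you can point it at 127.0.0.1 to confirm the fix and, just as importantly, at the server from an address outside the goodclients ACL to confirm you have not created an open resolver. The query name, ACL names and the two sample response headers are constructed for the example.

```python
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qtype=1, txid=None, rd=True):
    """Build a single-question DNS query (RFC 1035 header + QNAME/QTYPE/QCLASS IN)."""
    txid = random.randrange(0, 65536) if txid is None else txid
    flags = 0x0100 if rd else 0x0000  # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields that matter for this check."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = response
        "rd": bool(flags & 0x0100),   # recursion desired (echoed from the query)
        "ra": bool(flags & 0x0080),   # recursion available: set only if the server will recurse for us
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }


def classify(query_id, resp):
    """Map a response to what it tells us about the resolver's behaviour for this client."""
    h = parse_header(resp)
    if h["id"] != query_id or not h["qr"]:
        return "invalid"                 # not a response to our query
    if h["rcode"] == "REFUSED" and not h["ra"]:
        return "recursion-unavailable"   # the "recursion no" symptom from the question
    if h["ra"] and h["rcode"] == "NOERROR":
        return "recursive"               # server forwarded/recursed on our behalf
    return h["rcode"].lower()            # e.g. "refused" from an ACL-blocked client


def probe(server, name="askubuntu.com", port=53, timeout=3.0):
    """Send one UDP query with RD=1 and classify the reply (needs network access)."""
    txid = random.randrange(0, 65536)
    q = build_query(name, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        resp, _ = s.recvfrom(4096)
    return classify(txid, resp)


# Constructed sample response headers (only the 12 header bytes are needed by classify()).
# What the question's "recursion no" config returns: QR=1 RD=1 RA=0 RCODE=5 (REFUSED).
REFUSED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)
# What a working forwarder returns: QR=1 RD=1 RA=1 RCODE=0 with one answer RR.
RECURSIVE_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it from a host inside the ACL and you should see "recursive"; from a host outside the ACL anything other than a refusal means the allow-query/allow-recursion restriction is not doing its job. BIND also has a separate allow-recursion option; if you leave it unset it falls back to allow-query-cache, then allow-query, then { localnets; localhost; }, which is why restricting allow-query as in the sample config above is enough here.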
Bulat M.
Updated on September 18, 2022
Comments
-
Bulat M. over 1 year
I am learning how to configure DNS server. My first task is to set up local forwarding server - server that does NOT do recursive queries but forwards them to other public open DNS.
OK, here is my /etc/bind/named.conf.options
options {
    directory "/var/cache/bind";
    recursion no;
    allow-query { localhost; };
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    forward only;
    dnssec-enable yes;
    dnssec-validation yes;
    auth-nxdomain no;    # conform to RFC1035
    listen-on port 53 { 127.0.0.1; 192.168.1.33; };
    listen-on-v6 { any; };
};
But when I issue
dig askubuntu.com
it returns:
...
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 57563
...
;; WARNING: recursion requested but not available
...
;; SERVER: 127.0.0.1#53(127.0.0.1)
...
As I understand, dig should make a DNS query to the local bind instance and it should forward that request to 8.8.8.8 and return the answer.
However it complains that recursion is not available. But I did not request it.
How could one solve this problem? Thanks.
-
Terrance over 7 years
I think your second forwarder should be 8.8.4.4
-
Bulat M. over 7 years
And what is the purpose of setting "recursion no"? In what cases should one use this option?
-
fkraiem over 7 years
@BulatM. This option makes your server refuse to answer any query regarding a domain it is not in charge of, which is exactly what your server is doing.
-
Bulat M. over 7 years
You mean it is used when configuring an authoritative-only server? One that shares info only about its own zones?
-
Bulat M. over 7 years
@fkraiem, oh, I forgot to put "@username" when replying..
-
fkraiem over 7 years
@BulatM. Basically yes, its detailed description is here.