Disable BIND recursion while keeping local queries resolvable

For security and efficiency reasons, a hosting system's DNS server should not answer recursive queries (that is, resolve names in domains it is not authoritative for): an open resolver does other people's lookups at your expense and is a target for abuse.

However, the server still needs to accept recursive queries from the services hosted on the same system, so that those services can resolve forward (name to IP) and reverse (IP to name) lookups correctly.

This dual-function setup is easy to implement by adding a few parameters to named's main configuration (named.conf):

acl "trusted" {
     1.2.3.4/32;     // replace with the host(s) allowed to recurse
     localhost;      // the server's own addresses
     localnets;      // networks directly attached to the server
};
options {
     [...]
     // recursive lookups only for members of the "trusted" ACL ...
     allow-recursion { "trusted"; };
     // ... but authoritative answers for everyone
     allow-query { any; };
};

The allow-recursion and allow-query settings go directly into the main options { } directive, while the newly defined "trusted" access control list (acl) lives in its own block. The acl block must appear before the options block that references it, because named does not allow forward references to an acl name. Replace 1.2.3.4/32 with the CIDR representation of the host(s) that should have access to recursion. Note that allow-query-cache, which controls who may read answers from the cache, defaults to the same list as allow-recursion, so it does not need to be set separately. Run named-checkconf before reloading to catch syntax or ordering mistakes.

Use services like Open Resolver to check that you've correctly limited recursion, and IntoDNS to check that your authoritative zones still answer.
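A check you can run yourself, as an added example that is not part of the original post: it sends one query with the RD (recursion desired) bit set to the server address given on the command line and decodes the response header. A correctly restricted server answers outside clients with RA=0 and usually REFUSED, while a query from a "trusted" host gets RA=1. The example uses only the standard library; the query name example.com. is just a placeholder.

```python
"""Probe a DNS server to see whether it offers recursion (added example)."""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name, txid=0x1234):
    """Return a standard A/IN query for `name` with RD=1 (flags 0x0100)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(struct.pack("B", len(label)) + label.encode() for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def interpret_header(resp):
    """Decode the fields of a DNS response header that matter for this check."""
    txid, flags = struct.unpack("!HH", resp[:4])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # response (1) or query (0)
        "rd": bool(flags & 0x0100),   # recursion desired, copied from the query
        "ra": bool(flags & 0x0080),   # recursion available: set by an open resolver
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
    }


def recursion_open(resp):
    """True if the responder advertised recursion and did not refuse the query."""
    h = interpret_header(resp)
    return h["ra"] and h["rcode"] != "REFUSED"


def probe(server, name="example.com.", timeout=3.0):
    """Send one recursive query to `server` over UDP/53 and return the decoded header."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        resp, _ = sock.recvfrom(512)
    if resp[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return interpret_header(resp)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

Run it once from an outside host and once from a "trusted" one; the two results should differ in the ra flag and rcode.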
