
Article: Implementing BIND on Mac OS X
Subject: Author's Note on Recursion and Security
Date: 2003-04-16 13:54:35
From: jldera
An anonymous poster brought up an excellent point about securing the recursion feature of named. For those of you who aren't as familiar with the DNS, here's a brief explanation of how DNS queries work and what recursion does.


Your client computer has the bare necessities for DNS resolution. It basically knows how to ask a DNS server for information. It doesn't know about root servers or how the DNS space really works. It just knows that it has to ask ns1.myisp.com to resolve www.yahoo.com. When your client machine sends a request to your ISP's DNS server, it is done using what is known as a recursive query.


A recursive query puts the complete task of name resolution upon the queried server. Because your client computer doesn't know enough about how DNS is set up, it uses a recursive query to ask your ISP's name server. Your ISP's name server will then search its cache for the data. If it's not found, it will attempt to query the root servers. The root servers will then tell your ISP's name server where the name servers for the com top-level domain are. Your ISP's name server will then query the com servers for where yahoo's name servers are. Finally, your ISP's name server will query the yahoo.com servers for the www record. As you can see, your ISP's name server is doing most of the work.


In earlier versions of BIND there were few tools that could be used to keep someone from using your name server for recursive queries. This presented issues from both a security and a resource standpoint. With later releases, the ISC added tools to restrict who can use your server for recursive querying. It's a pretty painless process. If you'd like to turn off recursion completely, add the following to your named.conf file in the options section:


options {
    . . .
    recursion no;    // refuse recursive queries from every client
};


Realize that by disabling recursion completely, your name server can no longer perform lookups on behalf of your client machines. So if you're using the DNS server to do lookups for your LAN, you need to have recursion on. However, you can restrict recursion to a network as follows:


options {
    . . .
    allow-recursion {
        127.0.0.0/8;        // the local host
        192.168.1.0/27;     // your LAN (only 32 addresses here; widen as needed)
    };
};
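As an added check, not part of the original article, the following Python script audits a named.conf for the two settings discussed above and answers the practical question "would this client be served recursion?". It assumes a constructed sample configuration and a simplified named.conf subset (a top-level recursion statement and an allow-recursion list of addresses, CIDRs, "!" negations and the keywords any/none); named ACL references are not handled.

```python
import ipaddress
import re

# Constructed sample named.conf fragment, not from the article. Note that
# the /27 deliberately covers only 192.168.1.0 through 192.168.1.31.
SAMPLE_CONF = """
options {
    directory "/var/named";
    allow-recursion {
        127.0.0.0/8;
        192.168.1.0/27;
    };
};
"""

def recursion_policy(conf):
    """Return (recursion_enabled, allowed_entries) from named.conf text.

    A missing allow-recursion statement is treated here as allowing everyone
    (an assumption matching BIND releases of this article's era; newer
    releases default to a narrower list), which is the open-resolver case
    this check is meant to flag.
    """
    conf = re.sub(r"//.*|#.*", "", conf)                 # strip line comments
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)    # strip block comments
    m = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", conf)
    if m and m.group(1) == "no":
        return False, []
    m = re.search(r"\ballow-recursion\s*\{(.*?)\};", conf, flags=re.S)
    if not m:
        return True, ["any"]
    entries = [e.strip() for e in m.group(1).split(";") if e.strip()]
    return True, entries

def recursion_allowed_for(conf, client_ip):
    """True if client_ip would be served recursive queries under conf.

    Implements BIND address-match-list semantics: first matching entry
    wins, a leading '!' negates, and an unlisted address is denied.
    """
    enabled, entries = recursion_policy(conf)
    if not enabled:
        return False
    ip = ipaddress.ip_address(client_ip)
    for entry in entries:
        negate = entry.startswith("!")
        target = entry.lstrip("!").strip()
        if target == "any":
            return not negate
        if target == "none":
            return negate
        if ip in ipaddress.ip_network(target, strict=False):
            return not negate
    return False
```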