Restricting Recursive Lookups with BIND 8/9

When you allow recursive lookups, you open yourself up to various security risks and performance issues, so you should only allow recursion when needed. Recursive lookups are lookups for domains you are not authoritative for. That is, if you are authoritative for mycompany.com and you don't allow recursion, then if somebody queries your server for anotherdomain.com, they will just get a host not found error. To turn off recursion altogether, use this option in named.conf:

options {
    directory "/var/named";
    recursion no;
};

We left in the directory option, which you probably have set the same, anyway. Now, say you want to allow recursion for certain hosts. You could do this:

acl recurseallow { 6.4.2.4; 2.4.2.1; 1.2.1.2; };

options {
    directory "/var/named";
    allow-recursion { recurseallow; };
};

This would only allow hosts with source IP addresses of 6.4.2.4, 2.4.2.1, or 1.2.1.2 to query about domains the server is not authoritative for. You can also specify entire subnets using / notation. For further information, check out our Name Resolution section.
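To check which clients a given named.conf actually grants recursion to, here is a small audit script. It is an added example written for this page, not code from the article or from BIND itself: it parses the three constructs discussed above (acl blocks, recursion yes/no, allow-recursion), evaluates a client address against them with BIND's first-match semantics (a leading ! negates an element, so order matters), and reports whether the server would act as an open resolver. The named.conf fragments and the 203.0.113.1 test address (an RFC 5737 documentation address) are constructed for the demo; treating a missing allow-recursion as "open to anyone" is a deliberate, conservative assumption (older BIND versions defaulted to any), and the builtin localhost ACL is approximated.

```python
"""Audit a named.conf fragment: who is allowed recursive lookups?"""
import ipaddress
import re

# Constructed sample: two hosts and a /24 subnet may recurse, one address in
# that subnet is excluded. The exclusion must come FIRST: BIND stops at the
# first matching element, so "!10.1.0.99" after "10.1.0.0/24" would never fire.
SAMPLE_NAMED_CONF = """
// recursion is only for our own machines
acl recurseallow { !10.1.0.99; 6.4.2.4; 2.4.2.1; 10.1.0.0/24; };

options {
    directory "/var/named";
    allow-recursion { recurseallow; };
};
"""

# Constructed: recursion switched off entirely (the article's first example).
CLOSED_CONF = 'options { directory "/var/named"; recursion no; };'

# Constructed: recursion on, nothing restricting it -> open resolver.
OPEN_CONF = 'options { directory "/var/named"; recursion yes; };'

# Builtin BIND ACL names. "localhost" really means the host's own addresses;
# the loopback ranges are an approximation (assumption) for this offline demo.
BUILTIN_ACLS = {
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
    "localhost": ["127.0.0.0/8", "::1"],
}

# RFC 5737 documentation address standing in for "some random Internet host".
ARBITRARY_INTERNET_HOST = "203.0.113.1"


def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)      # /* ... */
    return re.sub(r"(//|#)[^\n]*", "", text)               # // ... and # ...


def _body_after(text, open_brace_pos):
    """Return the text inside the braces whose '{' sits at open_brace_pos."""
    depth = 0
    for i in range(open_brace_pos, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace_pos + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def _elements(body):
    """Split an address-match list body into its ';'-terminated elements."""
    return [e.strip() for e in body.split(";") if e.strip()]


def parse_named_conf(text):
    """Extract acl blocks, the recursion flag and the allow-recursion list."""
    text = _strip_comments(text)
    acls = {}
    for m in re.finditer(r'\bacl\s+"?([\w.-]+)"?\s*\{', text):
        acls[m.group(1)] = _elements(_body_after(text, m.end() - 1))
    opt = re.search(r"\boptions\s*\{", text)
    options = _body_after(text, opt.end() - 1) if opt else ""
    rec = re.search(r"\brecursion\s+(yes|no)\b", options)
    recursion = rec.group(1) == "yes" if rec else True     # BIND default: yes
    ar = re.search(r"\ballow-recursion\s*\{", options)
    allow = _elements(_body_after(options, ar.end() - 1)) if ar else None
    return {"acls": acls, "recursion": recursion, "allow_recursion": allow}


def _match_element(element, ip, acls, depth=0):
    """True = allow, False = deny, None = this element does not match ip."""
    if depth > 10:
        raise ValueError("acl nesting too deep (loop?)")
    negate = element.startswith("!")
    if negate:
        element = element[1:].strip()
    if element in acls or element in BUILTIN_ACLS:          # nested acl name
        nested = acls.get(element, BUILTIN_ACLS.get(element))
        result = _match_list(nested, ip, acls, depth + 1)
        return None if result is None else (not result if negate else result)
    net = ipaddress.ip_network(element, strict=False)       # host or CIDR
    if ip.version != net.version or ip not in net:
        return None
    return not negate


def _match_list(elements, ip, acls, depth=0):
    """First matching element wins, as in BIND address match lists."""
    for element in elements:
        result = _match_element(element, ip, acls, depth)
        if result is not None:
            return result
    return None


def recursion_allowed(conf_text, client_ip):
    """Would this server answer a recursive query from client_ip?"""
    cfg = parse_named_conf(conf_text)
    if not cfg["recursion"]:
        return False
    if cfg["allow_recursion"] is None:
        return True   # assumption: no restriction configured -> treat as open
    ip = ipaddress.ip_address(client_ip)
    return bool(_match_list(cfg["allow_recursion"], ip, cfg["acls"]))


def is_open_resolver(conf_text):
    """True if an arbitrary Internet host could use this server for recursion."""
    return recursion_allowed(conf_text, ARBITRARY_INTERNET_HOST)


if __name__ == "__main__":
    for name, conf in [("sample", SAMPLE_NAMED_CONF), ("closed", CLOSED_CONF), ("open", OPEN_CONF)]:
        print(f"{name}: open resolver = {is_open_resolver(conf)}")
    for ip in ["6.4.2.4", "10.1.0.5", "10.1.0.99", ARBITRARY_INTERNET_HOST]:
        print(f"sample conf, client {ip}: recursion {'allowed' if recursion_allowed(SAMPLE_NAMED_CONF, ip) else 'refused'}")
```

Run it against your own named.conf by reading the file into recursion_allowed(); a True from is_open_resolver() means the first fix in this article (recursion no, or an allow-recursion list) still needs applying. After editing the real file, named-checkconf and a dig +recurse from an outside host against a name you are not authoritative for confirm the change took effect.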