[BlueOnyx:11627] Re: BIND config

Michael Stauber mstauber at blueonyx.it
Fri Oct 26 21:49:48 -05 2012


Hi George,

> Yes, but the named.conf file that results is ambiguous.  It always has a
> line that says recursion's allowed.
> 
> Perhaps that line is in error, or perhaps the proper directive isn't
> making it into the file.  The blank line that appears just before the
>               "// recursion allowed"
> and the "allowed" line being there makes it unclear if recursion is indeed
> disabled.

Any line in named.conf that starts with two slashes ('//') is a comment.
So if your section in named.conf looks like ...

options {
  directory "/var/named";
  // spoof version for a little more security via obscurity
  version "100.100.100";
  // no forwarders defined
  allow-transfer { 192.168.51.65; };
  // recursion access denied

  // recursion allowed
};

... then recursion is enabled.

> Clearly, these days, fully open recursion is a Bad Thing(tm)!

Fully open? Yes, that's certainly not a good idea.

All in all recursion is a necessary evil. In /etc/resolv.conf you need
to use at least one DNS server that allows recursion. Otherwise your
server will be unable to resolve anything that your nameservers aren't
authoritative for. Which screws up reverse lookups and throws a wrench
into connecting to any service (until the recursion lookup of that
service times out), screws up mailservers and impairs logging.

Sure, there are ways around it: Use one open nameserver that allows
recursion. That can be one from your ISP, a public one like the Google
nameservers (8.8.8.8 or 8.8.4.4) or similar. Or allow recursion on at
least one of your own nameservers and use that one instead. At the end
of the day I usually use one of my own nameservers, because recursion is
such an important matter that I'd rather have it in my own hands than to
offload it to somewhere beyond my control.

Of course at the same time it's wise to limit the recursion to only
allow it from the IP's (or address ranges) that you actually use.

> Please see my other post with cut/paste examples of named.conf with and
> without recursion IPs being included.

Yeah, I've seen that. That's what I'd expect to see.

You see, we operate on the principal assumption that someone who sets up
a BlueOnyx wants to use the box for certain purposes. He uses the DNS
server on his box as resolver in /etc/resolv.conf and also uses it as
authoritative nameserver for the domains he hosts. That means he will
need recursion enabled. We could take this one step further and could
therefore add the primary IP of the box into the "Query Request
Recursion Access by IP Address" input box of the "Advanced" tab in the
DNS management page. Which would limit recursion to the primary IP of
the server. Which would allow local recursion, but not a fully open
recursion. If we'd do that, I'd fully expect a metric ton of "Help! My
DNS server is not working!" questions from those people that thus far
depended on their DNS servers to do recursion for other boxes as well.

This was a design decision that was made even way before the start of
the BlueOnyx project and it even predates BlueQuartz. If we tackle that
now and change this behavior at runtime, it'll be quite controversial
and will cause hardships.

At the same time the existing GUI already gives you all the tools you
need to either turn off recursion entirely, or to limit it to certain
IP's or networks. I don't say that it's perfect or can't be improved.
But it's there and can be used.

> Also, the reply to that message from Gerald Waugh indicated a manual edit
> worked for him, but the GUI didn't.

I might have overlooked something, but I see a message from Gerald where
he said he manually turned off recursion by editing named.conf. It
doesn't say that it didn't work for him via the GUI.

-- 
With best regards

Michael Stauber
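Added example (my own, not code from the BlueOnyx project or from anyone in this thread): a small Python check that does what the reply above describes by hand. It strips every comment form BIND ignores (`//`, `#`, `/* */`), locates the `options { ... }` block and reports only the directives that actually take effect, so a file whose only mention of recursion is a comment is shown for what it is. The named.conf samples are constructed for the demonstration; the first mirrors the shape of the quoted snippet, the others show a restricted, an open and a disabled resolver. One assumption is noted in the code: when `allow-recursion` is absent the built-in default depends on the BIND release (any address before 9.4, localhost and localnets from 9.4 on), so the script reports "default" rather than guessing.

```python
import re

# Constructed sample: only comments mention recursion, so nothing is set.
CONF_COMMENTS_ONLY = """
options {
  directory "/var/named";
  // spoof version for a little more security via obscurity
  version "100.100.100";
  // no forwarders defined
  allow-transfer { 192.168.51.65; };
  // recursion access denied

  // recursion allowed
};
"""

# Constructed sample: recursion kept on for the box itself and one private range.
CONF_RESTRICTED = """
options {
  directory "/var/named";
  version "100.100.100";
  allow-transfer { 192.168.51.65; };
  recursion yes;
  allow-recursion { 127.0.0.1; 192.168.51.0/24; };  // only our own hosts
};
"""

# Constructed sample: a fully open resolver.
CONF_OPEN = """
options {
  directory "/var/named";
  recursion yes;
  allow-recursion { any; };
};
"""

# Constructed sample: recursion switched off entirely.
CONF_DISABLED = """
options {
  directory "/var/named";
  recursion no;
};
"""


def strip_comments(text):
    """Remove /* */, // and # comments; BIND ignores all three forms.
    (A '//' inside a quoted string would also be removed; fine for this check.)"""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    text = re.sub(r"#[^\n]*", "", text)
    return text


def options_block(text):
    """Return the body of the options { ... } block (brace-balanced), or ''."""
    start = re.search(r"\boptions\s*\{", text)
    if not start:
        return ""
    i = start.end() - 1          # index of the opening brace
    depth = 0
    for j in range(i, len(text)):
        if text[j] == "{":
            depth += 1
        elif text[j] == "}":
            depth -= 1
            if depth == 0:
                return text[i + 1:j]
    return ""


def effective_recursion(conf):
    """Report what BIND will actually do with this named.conf.

    Returns (recursion_on, allow_list, verdict) where verdict is one of
    'disabled', 'restricted', 'open' or 'default' (no allow-recursion given)."""
    body = options_block(strip_comments(conf))

    m = re.search(r"\brecursion\s+(yes|no|true|false)\s*;", body)
    # BIND treats a missing 'recursion' directive as 'recursion yes'.
    recursion_on = m.group(1) in ("yes", "true") if m else True

    m = re.search(r"\ballow-recursion\s*\{([^}]*)\}\s*;", body)
    allow = [a.strip() for a in m.group(1).split(";") if a.strip()] if m else None

    if not recursion_on:
        verdict = "disabled"
    elif allow is None:
        # Assumption: the default allow-recursion depends on the BIND release
        # (any on pre-9.4, localhost/localnets from 9.4), so do not guess here.
        verdict = "default"
    elif any(a.lower() in ("any", "0.0.0.0/0") for a in allow):
        verdict = "open"
    else:
        verdict = "restricted"
    return recursion_on, allow, verdict


if __name__ == "__main__":
    samples = [("comments only", CONF_COMMENTS_ONLY), ("restricted", CONF_RESTRICTED),
               ("open", CONF_OPEN), ("disabled", CONF_DISABLED)]
    for name, conf in samples:
        print(f"{name:14s} -> {effective_recursion(conf)}")
```

Running it on the first sample yields `(True, None, 'default')`: the two comment lines contribute nothing, recursion is on because it is never turned off, and who may use it is whatever the installed BIND's default says. To make the file say what you mean, the `recursion` and `allow-recursion` directives of the second sample are the ones that count, not the comments.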
