
Recursive Queries are not supported by default

Open sameersbn opened this issue 7 years ago • 3 comments

As of BIND 9.4.1-P1, new options have become available (and are required) to allow recursive DNS entries as explained by this ISC article. Therefore, after this container is started, it will not allow clients outside of the host to do recursive DNS entries with the current configuration.

Expected Behavior: After the container is started with the default, included config, this server will be able to resolve recursive DNS entries from other clients on the network as implied by this example article.

Actual Behavior: The server responds with this message to the client:

```
** server can't find google.com: REFUSED
```

The logs on the server read:

```
client 192.168.2.202#64300 (google.com): query (cache) 'google.com/A/IN' denied
```

sameersbn avatar Mar 15 '18 16:03 sameersbn

➤ Will Sloan commented:

The solution for this is to add an ACL group, specify which clients are included in it, and set an option for recursive DNS resolution. Sample here:

```
acl trusted { 192.168.0.0/16; 10.153.154.0/24; localhost; localnets; };

options {
    allow-query { any; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
};
```

These configuration options can be included in the /etc/bind/named.conf file.

The ISC does not recommend allowing any client to do recursive queries because it opens a vulnerability where any malicious client can turn the DNS server into part of a DDoS. This recommendation can be found in this article. However, this may be the best option for this general of a project.

sameersbn avatar Mar 15 '18 16:03 sameersbn
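A small audit script, added here as an example and not part of this issue thread or the container project, that reads the kind of `named.conf` snippet shown above and reports whether recursion is left at the BIND 9.4.1-P1+ default (local only, which produces the REFUSED seen in the issue), restricted to a named ACL, or opened to `any` (the open-resolver case the ISC warns against). The three configuration samples are constructed for the script; the file path and ACL names are taken from the comment above, and the parser handles only the `acl` / `options` / `allow-*` syntax needed for this check, not the full BIND grammar.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the restricted configuration from the comment above.
SAMPLE_RESTRICTED = """
acl trusted { 192.168.0.0/16; 10.153.154.0/24; localhost; localnets; };
options {
    allow-query { any; };
    allow-recursion { trusted; };   // recursion only for the trusted ACL
    allow-query-cache { trusted; };
};
"""

# Constructed sample: the open-resolver setting the ISC recommends against.
SAMPLE_OPEN = """
options {
    allow-query { any; };
    allow-recursion { any; };
    allow-query-cache { any; };
};
"""

# Constructed sample: no recursion settings at all, i.e. the BIND default
# that refuses recursive queries from LAN clients such as 192.168.2.202.
SAMPLE_DEFAULT = """
options {
    directory "/var/bind";   # hypothetical path, not the container's real one
};
"""


def _strip_comments(text: str) -> str:
    """Drop the /* */, // and # comment styles accepted by named.conf."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _braced_block(text: str, keyword_re: str) -> Optional[str]:
    """Return the body of the balanced { ... } following keyword_re, or None."""
    m = re.search(keyword_re + r"\s*\{", text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    raise ValueError("unbalanced braces after " + keyword_re)


def _elements(body: str) -> list[str]:
    """Split an address-match list 'a; b; c;' into its elements."""
    return [e.strip() for e in body.split(";") if e.strip()]


def parse_acls(text: str) -> dict[str, list[str]]:
    """Collect top-level 'acl name { ... };' definitions by name."""
    acls: dict[str, list[str]] = {}
    for m in re.finditer(r"\bacl\s+(\"?[\w.-]+\"?)\s*\{([^}]*)\}", text):
        acls[m.group(1).strip('"')] = _elements(m.group(2))
    return acls


def expand(elements: list[str], acls: dict[str, list[str]],
           seen: frozenset = frozenset()) -> list[str]:
    """Replace positive references to named ACLs with their members.
    Negated references ('!name') are kept as-is, since distributing the
    '!' over the members would not preserve BIND's matching semantics."""
    out: list[str] = []
    for e in elements:
        if e in acls and e not in seen:
            out.extend(expand(acls[e], acls, seen | {e}))
        else:
            out.append(e)
    return out


@dataclass
class RecursionAudit:
    verdict: str                      # "default-local-only" | "restricted" | "open-resolver"
    allow_recursion: list[str] = field(default_factory=list)
    allow_query_cache: list[str] = field(default_factory=list)
    findings: list[str] = field(default_factory=list)


def audit_recursion(conf_text: str) -> RecursionAudit:
    """Classify the recursion policy expressed by a named.conf-style text."""
    text = _strip_comments(conf_text)
    acls = parse_acls(text)
    options = _braced_block(text, r"\boptions") or ""
    rec_body = _braced_block(options, r"\ballow-recursion")
    cache_body = _braced_block(options, r"\ballow-query-cache")
    recursion = expand(_elements(rec_body), acls) if rec_body is not None else []
    cache = expand(_elements(cache_body), acls) if cache_body is not None else []
    findings: list[str] = []
    if rec_body is None:
        verdict = "default-local-only"
        findings.append("no allow-recursion: BIND 9.4.1-P1+ recurses only for "
                        "localhost/localnets, so other LAN clients get REFUSED")
    elif "any" in recursion:
        verdict = "open-resolver"
        findings.append("allow-recursion { any; }: every reachable client can use "
                        "this server for recursive lookups and amplification")
    else:
        verdict = "restricted"
    if "any" in cache and "any" not in recursion:
        findings.append("allow-query-cache is wider than allow-recursion: cached "
                        "answers are served to clients that may not recurse")
    return RecursionAudit(verdict, recursion, cache, findings)


if __name__ == "__main__":
    for label, sample in (("restricted", SAMPLE_RESTRICTED),
                          ("open", SAMPLE_OPEN), ("default", SAMPLE_DEFAULT)):
        result = audit_recursion(sample)
        print(label, "->", result.verdict, result.allow_recursion, result.findings)
```

Run it against a real `/etc/bind/named.conf` by reading the file into `audit_recursion`; a `restricted` verdict with the expected ACL members is what the comment above aims for, while `default-local-only` reproduces the `query (cache) ... denied` symptom from the issue and `open-resolver` is the amplification exposure the ISC article describes.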

➤ Edward Cheadle commented:

There is a way to do it from the webmin console. On the login screen open: Server/Bind DNS Server. Next select the icon Zone Defaults. In the Default zone settings section, there is a box labeled Allow queries from.... In that box type any and things seem to work. I don't know if there are any differences between the two methods, but I do know this works and you can do it right from the webmin interface. There is also the acl icon, but I did not experiment trying to recreate the method from the earlier post.

sameersbn avatar Mar 15 '18 16:03 sameersbn

➤ Hans van den Bogert commented:

@echeadle the TS has a different use-case for his DNS server. Recursion is for zones that are not configured on the server itself. E.g., if the DNS server gets a request for google.com, it realizes that it doesn't have the zone file for that, so then it recurses from the root domains to Google's nameservers to get the record for google.com. That is what recursion is.

In your case you're describing access to the local zones. That's not recursion.

Therefore, the TS's problem is still not solved.

sameersbn avatar Mar 15 '18 16:03 sameersbn