Nameservers (BIND) fulfill two functions: serving authoritative data for delegated zones, and relaying queries and responses for non-authoritative zones. In the interest of security, operators generally should not use a single nameserver for both functions. This note explains why, and how, you should configure BIND to implement these functions separately.
Create an authoritative-only nameserver with recursion disabled. When you disable recursion, BIND does not contact other servers for unknown zones on the client’s behalf. Instead, it either returns a referral to a server that can answer the query, or returns an error message.
To disable recursion, use the recursion no; option in named.conf. It also makes sense to disable fetch-glue when recursion is disabled:
options {
recursion no;
fetch-glue no;
};
If you have the root zone as a hint in named.conf, queries for unknown zones receive a referral to the root name servers. On the other hand, if you remove the root zone hints, clients receive a SERVFAIL error message. ISC recommends removing the root zone hints for authoritative-only nameservers.
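The following is an added example of a complete named.conf for an authoritative-only BIND 9 server; it is not configuration from the original post. The zone name, file paths and the secondary's address are placeholders. It omits the root hint zone, as ISC recommends, and leaves out fetch-glue, which is a BIND 8 option that BIND 9 treats as obsolete; allow-recursion and allow-query-cache are set explicitly so that no client is offered recursion or cached data even if recursion is later re-enabled by mistake.

```conf
// Added example, not from the original post: minimal authoritative-only
// named.conf for BIND 9. Paths, zone name and addresses are placeholders.
options {
    directory "/var/named";          // placeholder path
    recursion no;                    // never resolve on a client's behalf
    allow-recursion { none; };       // no client may request recursion
    allow-query-cache { none; };     // nothing is cached, so nothing leaks
    allow-query { any; };            // authoritative data is meant to be public
    allow-transfer { 192.0.2.53; };  // placeholder secondary (TEST-NET-1)
    minimal-responses yes;           // trim additional data; smaller answers
    version "not disclosed";         // hide version.bind from CHAOS queries
};

// Deliberately no zone "." of type hint: a query for a zone this server
// does not serve gets SERVFAIL rather than a referral to the root servers.

zone "example.com" IN {
    type primary;                    // "type master" on older BIND 9
    file "example.com.zone";         // placeholder zone file
    allow-update { none; };          // no dynamic updates on a public primary
};
```

Run named-checkconf against the file before reloading; then, from outside the server's network, query it for a name in a zone it does not serve (for example with dig) and confirm that the reply carries no ra flag and that the status is SERVFAIL rather than a referral.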
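To make the behaviour described above concrete, here is an added Python example (not code from the post or from ISC) that classifies a DNS reply from the 12-byte header alone: an authoritative answer, a SERVFAIL (no hints), a referral (hints still present), or a reply with the RA flag set, which means the server is still offering recursion. The sample headers are constructed here for illustration; in practice the bytes would come from a UDP socket reply to a query for a name outside the server's zones.

```python
"""Classify a DNS reply by its header (added example, not from the original post).

Only the 12-byte header is parsed; the question, answer and authority sections
are ignored because the header flags and section counts are enough to tell an
authoritative answer, a referral, a SERVFAIL and an open recursive server apart.
"""
import struct
from dataclasses import dataclass

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


@dataclass
class Header:
    ident: int
    qr: bool      # 1 = response
    aa: bool      # authoritative answer
    rd: bool      # recursion desired (copied from the query)
    ra: bool      # recursion available (server is willing to recurse)
    rcode: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int


def parse_header(msg: bytes) -> Header:
    """Unpack the fixed DNS header (RFC 1035 section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return Header(
        ident=ident,
        qr=bool(flags & 0x8000),
        aa=bool(flags & 0x0400),
        rd=bool(flags & 0x0100),
        ra=bool(flags & 0x0080),
        rcode=flags & 0x000F,
        qdcount=qd, ancount=an, nscount=ns, arcount=ar,
    )


def classify(msg: bytes) -> str:
    """Name the kind of reply an authoritative-only server should (or should not) give."""
    h = parse_header(msg)
    if not h.qr:
        return "not-a-response"
    if h.ra:
        # RA set means the server advertises recursion: not authoritative-only.
        return "recursion-available"
    if h.aa and h.rcode in (0, 3):
        return "authoritative-" + RCODES[h.rcode].lower()
    if h.rcode == 2:
        # Expected for an unknown zone when the root hints have been removed.
        return "servfail"
    if h.rcode == 0 and h.ancount == 0 and h.nscount > 0:
        # Non-authoritative, no answers, NS records in authority: a referral,
        # which is what a server with root hints returns for unknown zones.
        return "referral"
    return "other-" + RCODES.get(h.rcode, str(h.rcode)).lower()


def make_header(ident, qr, aa, rd, ra, rcode, qd, an, ns, ar) -> bytes:
    """Build a header for the constructed samples below."""
    flags = (qr << 15) | (aa << 10) | (rd << 8) | (ra << 7) | (rcode & 0xF)
    return struct.pack("!HHHHHH", ident, flags, qd, an, ns, ar)


# Constructed sample replies (header only), not captured from a real server.
SAMPLES = {
    # Authoritative answer for a zone the server serves.
    "authoritative": make_header(0x1001, 1, 1, 1, 0, 0, 1, 1, 0, 0),
    # Unknown zone, recursion off, no root hints: SERVFAIL.
    "servfail": make_header(0x1002, 1, 0, 1, 0, 2, 1, 0, 0, 0),
    # Unknown zone, recursion off, root hints present: referral to 13 root NS.
    "referral": make_header(0x1003, 1, 0, 1, 0, 0, 1, 0, 13, 0),
    # Recursion still enabled: RA set and a non-authoritative answer returned.
    "open-resolver": make_header(0x1004, 1, 0, 1, 1, 0, 1, 1, 0, 0),
}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14s} -> {classify(raw)}")
```

Of the four classes, only "authoritative-*" and "servfail" are what an authoritative-only server without hints should ever return; "referral" means the hints are still configured, and "recursion-available" means recursion is still on and the server should be treated as an open resolver until fixed.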