I haven't found much on the web specifically about this so I wanted to ask if anybody knows if it is possible to have Bind configured as forwarding only, with no recursive queries allowed?
This would be on an authoritative master.

The reasoning for this is due to company (best practice) security policies stating that an authoritative master should not allow recursive queries. We do have a separate server dedicated for recursion that we can forward to. Root hints is also implemented but is suggested to be removed as well.

I've tested with the following in named.conf:

options {
forwarders {
x.x.x.x;
x.x.x.x;
x.x.x.x;
};

forward only;
allow-transfer { tranz; };
allow-query { none; };
recursion no;
};

zone "." {
type hint;
file "root.cache";
};

zone "abc.com" {
type master;
file "db.abc";
allow-query { any; };
allow-update { none; };
allow-transfer { key server01-server02; }; };

If I run bind with this configuration the client's query gets denied.

The only way I've been able to get forwarding and queries to work is if I allow recursive queries either by not adding anything about recursion (defaults to yes) or adding allow-recursion (restricted with an ACL).

I'm no DNS Bind expert so I wanted to confirm if recursion must be allowed in this case.

Thx in advance.

Nevermind I think I found what I needed.

Looks like with forward only it doesn't allow recursion anyways.

Forward-only servers
When a DNS server configured to use forwarders cannot resolve a query locally, or using its forwarders, the server attempts to resolve the query using standard recursion. A DNS server can also be configured to not perform recursion after forwarders fail. In this configuration, the server does not attempt any further recursive queries to resolve the name. Instead, if it does not get a successful query response from any of the servers configured as forwarders, then it fails the query. A DNS server configured in this manner is called a forward-only DNS server. If all forwarders for a name in the query do not respond to a forward-only DNS server, that DNS server will not attempt recursion."

http://technet.microsoft.com/en-us/l...(v=ws.10).aspx

1 members found this post helpful.

Maybe you can help me out with the following.

INITIAL INFO:
The dns servers run at least bind 9.3.x.x.x.
Recursion is on by default and limited globally via allow-recursion as part of options.

Meanings below:
IPA = IP Address
IPAR = IP Address Range
NS-IPA = Name Server IP Address.
The config has been simplified for this example.

Contents of named.conf file.
----------------------------

options {
directory "/var/named";
allow-recursion { IPAR1; IPAR2; IPAR3; IPA1; IPA2; IPA3; localnets; localhost; };
allow-transfer { IPA4; IPA5; IPA6; IPA7; localhost; };
listen-on{
127.0.0.1;
IPA1;
IPA2;
IPA3;
};
check-names master ignore;
};

logging {
category lame-servers {null; };
};

zone "." IN {
type hint;
file "named.root";
};

zone "localhost" IN {
type master;
file "forward.localhost";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "reverse.127.0.0";
allow-update { none; };
};

zone "exampledomain1.com"{
type master;
file "db.exampledomain1.com";
};

zone "exampledomain2.com" {
type forward;
forwarders {NS-IPA8; NS-IPA9;};
forward only;
};

zone "exampledomain3.com"{
type master;
file "db.exampledomain3.com";
};
-----------------

PROBLEM:
For the forwarded domain name of exampledomain2.com, it seems that the outside world is not getting forwarded to NS-IPA8 or NS-IPA9, and a REFUSED response gotten.
If on this dns server a lookup of the exampledomain2.com is done, then the IPA for exampledomain2.com gets cached and upon further requests by public Internet for exampledomain2.com, an IPA is provided from cache.

QUESTIONS:
So, is there no way to have the forward work while having recursion limited (basically having recursion seen as set to no from the Internet's point of view)?

What about putting a "recursion yes;" in the zone section?
Making it this:
zone "exampledomain2.com" {
recursion yes;
type forward;
forwarders {NS-IPA8; NS-IPA9;};
forward only;
};


I want the dns server to do recursion for only specific networks and/or IPAs and, and be master for domain names, and forward query requests for some domain names to two other dns servers.

I haven't experimented with your type of config so I might not be of much help.
My server is just doing "forward only" for everything.

From what I've read, putting "type forward" and "forward only" in a specific zone should override what you have in the options section.

I'm not sure if "recursion yes" is a valid zone clause.
I don't see it listed here:
http://www.zytrax.com/books/dns/ch7/zone.html
..but maybe something's changed with your bind version.

It seems that something like this might work for you...
http://gleamynode.net/articles/2267/
...but instead of having "forward only" in your options section you would have something like what you put:
options {
allow-recursion { allowed_list; };
allow-query { allowed_list; };
}

acl "allowed_list" {
127.0.0.1;
x.x.x.x/24;
x.x.x.x;
};

Restricting recursions, etc. and then you could add your master zones and forward zones.
Hopefully this helps.

I have determined that recursion is not available in zones.
Okay, taking a look at the references you provided.
Thank you.

Examining usage of ACL along with view clause.