July 24, 2009

Disable recursion in Bind

Running publicly facing DNS servers is often necessary to allow Internet resolution of your domains and services, but allowing third-party lookups of other people's domains and services (recursion) can create unnecessary server load and potential security problems.

Disabling recursion in BIND involves editing the BIND configuration file (usually /etc/named.conf) and including the following configuration (these are options statements, so they belong inside the options { ... } block):

options {
    // Version obscures your BIND version information, which
    // protects you against attackers probing known vulnerabilities.
    version "[SECURED]";

    // Optional: disables all zone transfers globally;
    // transfers to slaves can still be allowed per zone with
    // allow-transfer inside the zone clauses.
    allow-transfer { none; };

    // Optional: disable all recursive queries
    allow-recursion { none; };
    recursion no;
};

Once you have secured your DNS configuration, restart BIND (/etc/init.d/named restart), then test from an external host that recursion is disabled by querying your DNS server's IP address for a name it is not authoritative for.
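To check the result without relying on a third-party web tool, the following script, added here as an example and not part of the original post, parses a dig reply and reports whether the server still offers recursion. It assumes dig is installed for the live check; the server address and test name are placeholders, and the two sample replies are constructed to match dig's header layout so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original post: decide from a dig reply whether
# a server still offers recursion. With "recursion no;" BIND answers a query
# for a name outside its own zones with status REFUSED and without the "ra"
# (recursion available) flag; an open resolver answers NOERROR with "ra" set.

# Read a dig reply (header + comments) on stdin and print "open" when the
# server offers recursion, "closed" otherwise.
classify_dig_output() {
    reply=$(cat)
    status=$(printf '%s\n' "$reply" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$reply" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case " $flags " in
        *" ra "*) ra=1 ;;
        *)        ra=0 ;;
    esac
    # Both conditions are required: a server that is authoritative for the
    # queried name returns NOERROR without "ra", which is not recursion.
    if [ "$status" = "NOERROR" ] && [ "$ra" -eq 1 ]; then
        echo open
    else
        echo closed
    fi
}

# Live check (needs dig; server and name are placeholders you replace). Query
# a name the server is NOT authoritative for, i.e. a zone you do not host.
check_recursion() {
    server=$1
    name=${2:-example.com}
    dig @"$server" "$name" A +noall +comments +time=3 +tries=1 | classify_dig_output
}

# Constructed sample replies (not captured from a real server) so the parser
# can be exercised offline; they follow dig's header layout.
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CLOSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1002
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Run the parser over both samples; prints "open" then "closed".
demo() {
    printf '%s\n' "$SAMPLE_OPEN" | classify_dig_output
    printf '%s\n' "$SAMPLE_CLOSED" | classify_dig_output
}

demo
```

Run `check_recursion <your-dns-ip>` from a host outside your network after the restart; "closed" is the expected answer. Before restarting, `named-checkconf /etc/named.conf` will catch a syntax error in the edited file so BIND does not fail to come back up.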