Recursive Lookups

BigWil (Verified User, joined Aug 5, 2004)
Hey, I hate assuming and would really love to hear more about recursive lookups. What are they, and specifically how do you turn them off? We have high-load servers, and DNS stuff is starting to give us some marks against us because of the recursion.

So how do I turn recursive lookups off, and will that affect Exim's ability to validate sender email addresses for domains outside of our network?

Thanks,

BigWil
 
Recursive lookups are used to perform a check on a server's hostname. Exim validates a server by doing a reverse lookup on its IP address and validates that it's the same as how the mail server calls itself.

Don't know which problems you have with the reverse lookups? Which one is giving problems? Exim, named?
 
Let's start over, because I can't figure out what fusionictnl means by his response :( .

A recursive nameserver returns answers for any DNS query you send it. A nonrecursive nameserver only returns answers for domains for which it's authoritative (in other words, for domains for which it has master or slave zone files, and for which said domains are listed in its named.conf file).

Your system must be able to get recursive lookups, or else it won't be able to do a lot of things, the most important of which is send any email at all.

However you don't have to run a recursive nameserver; you can simply list a recursive server as the first nameserver in /etc/resolv.conf.

To create a nonrecursive nameserver you'll need to add "recursion no" (without the quotes) to the options list near the top of /etc/named.conf, then restart BIND.

Jeff
 
Jeff,

That is what I thought recursive was. I was confused too. OK, so if I have a recursive nameserver in the first entry and the local server in the second, like so:

nameserver 123.123.123.123   # a recursive ns on the network
nameserver 0.0.0.0

Then whenever the local machine's need arises the machine will use the first server which will have the recursive still on of course.

Now is there a way to allow only recursive lookups from other machines on the network? That way on my chosen recursive machine it will allow recursive from this machine and the others but not from the outside world? Would be sweet if it was possible. But then again if that were possible I guess each machine could only allow recursive if coming from the localhost.

But on the typical machines that I want to be non-recursive I just add the recursion no to the options like so. You sure there shouldn't be quotes around the no?

options {
    directory "/etc/namedb";
    recursion no;
};

Anyways, that will block any incoming lookups from outsiders doing nslookups. I believe I have a lot of that traffic. Probably some utilities on the net using us to do their lookups. They are going to be bummed soon. ;-)

Thanks man you rock!

BigWil
 
Jeff,

Beautiful thanks a million. I owe you for this one.

On each of the production servers:

/etc/resolv.conf

nameserver 123.123.123.123   # bind 9, semirecursive
nameserver 0.0.0.0

Added option in named.conf for

recursion no;


Now on the machine I am pointing them all to for their recursive lookups (123.123.123.123) I added this to the named.conf options there:

allow-recursion { 123.123.123.0/24; 69.1.2.3; 69.1.2.4; };  // /24 assumed here; the /64 as originally typed is not a valid prefix length for an IPv4 address

The first is our network and the second my remote management machines. (hypothetically of course)

TADA! Works great. Only these machines can do recursive lookups on the 123.123.123.123 machine. Headed over to DNSStuff.com and guess what.... A+ all the way around.

Cool. Now my semi-techie customers will stop complaining. They get so paranoid.

BigWil
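A way to verify the two setups described in this thread (Jeff's "recursion no" and BigWil's allow-recursion ACL) from a given client, as an added example that is not code from the thread: it sends a query with the RD bit set and reads the RA flag and RCODE from the reply. The server address, the probe name and the transaction id are assumptions; run it against your own servers from both an allowed and a non-allowed address.

```python
"""Added example (not from the thread): probe a DNS server to see whether
it will recurse for this client. The probe sets RD=1 and reads the RA flag
and RCODE from the reply. With "recursion no", or an allow-recursion ACL
that excludes the client, BIND answers with RA clear and, for names it is
not authoritative for, RCODE 5 (REFUSED)."""
import socket
import struct

def build_query(name, txid=0x1234):
    """Standard query: RD=1, one A-record question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode() for l in name.strip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def parse_header(reply):
    """Extract the header bits that tell us whether recursion was offered."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "answers": an}

def classify(hdr):
    """Map the header flags onto the outcomes the thread cares about."""
    if hdr["ra"]:
        return "recursion offered"          # server will resolve anything for us
    if hdr["rcode"] == 5:
        return "recursion refused"          # recursion no / outside allow-recursion
    if hdr["aa"]:
        return "authoritative answer only"  # its own zones still answer
    return "no recursion available"

def probe(server, name="example.com", timeout=3.0):
    """Send the query over UDP and classify the reply (needs network access)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        reply, _ = s.recvfrom(512)
    hdr = parse_header(reply)
    if hdr["id"] != 0x1234 or not hdr["qr"]:
        raise ValueError("reply does not match our query")
    return classify(hdr)

if __name__ == "__main__":
    import sys
    # Usage: python dnsprobe.py <server-ip> [name]. Pick a name the server is
    # NOT authoritative for, so an answer can only come from recursion.
    print(probe(sys.argv[1], *sys.argv[2:3]))
```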
 