DNS & BIND

Chapter 10
Advanced Features and Security

10.9 A Nonrecursive Name Server

By default, BIND resolvers send recursive queries, and BIND name servers do the work required to answer recursive queries. (If you don't remember how recursion works, look in Chapter 2, How Does DNS Work?.) In the process of finding the answer to recursive queries, the name server builds up a cache of nonauthoritative information about other domains.

In some circumstances, it is undesirable for name servers to do the extra work required to answer a recursive query or to build up a cache of data. The root name servers are an example of one of these circumstances. The root name servers are so busy that they should not be spending the extra effort to recursively find the answer to a request. Instead, they send a response based only on the authoritative data they have. The response may contain the answer, but it is more likely that the response contains a referral to other name servers. And since the root servers do not support recursive queries, they do not build up a cache of nonauthoritative data, which is good because their cache would be huge.[2]

[2] Note that a root name server wouldn't normally receive recursive queries, unless a name server's administrator configured it to use a root server as a forwarder, a host's administrator configured its resolver to use the root server as a name server, or a user pointed nslookup at the root server.

You can induce BIND to run as a nonrecursive name server with the following conf file statement:

options {
    recursion no;
};

On a BIND 4.9 server, that's the directive:

options no-recursion

Now the server will respond to recursive queries as though they were nonrecursive.

In conjunction with recursion no, there is one more configuration option necessary if you want to stop your server from building a cache:

options {
    fetch-glue no;
};

Or, on BIND 4.9:

options no-fetch-glue

This stops the server from fetching missing glue when constructing the additional data section of a response.
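To confirm that a server configured this way really behaves nonrecursively, the following added Python example (not from the book) sends a query with the RD bit set and inspects the RA (recursion available) flag in the reply header, which a server running with recursion no leaves clear. The server address, the query name example.com and the fixed query ID are assumptions, and the two sample headers at the end are constructed rather than captured.

```python
import socket
import struct

# Added example (not from the book): send a recursive query and read the
# response header. A server running "recursion no" replies with RA
# (recursion available) clear even though the query set RD, so check RA.

def build_query(qname: str, qid: int = 0x1234, rd: bool = True) -> bytes:
    """Build a DNS A/IN query; rd=True sets the RD (recursion desired) bit."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    wire_name = b"".join(bytes([len(x)]) + x.encode() for x in labels) + b"\x00"
    return header + wire_name + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields an administrator checks."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),  # response, not query
        "aa": bool(flags & 0x0400),  # authoritative answer
        "rd": bool(flags & 0x0100),  # recursion was requested
        "ra": bool(flags & 0x0080),  # server offers recursion
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def offers_recursion(resp: bytes) -> bool:
    """True if the server would recurse for us; a nonrecursive server returns False."""
    return parse_header(resp)["ra"]

def probe(server: str, qname: str = "example.com", timeout: float = 2.0) -> dict:
    """Send a recursive query to server:53 over UDP and return its parsed header."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server, 53))
        data, _ = s.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != 0x1234:
        raise ValueError("response ID does not match the query")
    return hdr

# Constructed sample headers (not captured traffic): a recursive server's reply
# (QR, RD, RA set, one answer) and a nonrecursive server's referral for an
# out-of-zone name (RA clear, no answer, two NS records in the authority section).
RECURSIVE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
NONRECURSIVE_REFERRAL = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 2, 0)
```

Calling probe() against one of your own servers configured as above should return a header with ra False; for a name outside its zones the reply is a referral, so ancount is 0 and nscount is nonzero.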

If you choose to make one of your servers nonrecursive, do not list this name server in any host's resolv.conf file. While you can make your name server nonrecursive, there is no corresponding option to make your resolver work with a nonrecursive name server.[3]

[3] In general. Clearly, programs designed to send nonrecursive queries, or that can be configured to send nonrecursive queries, like nslookup, would still work.

You can list a nonrecursive name server as one of the servers authoritative for your zone data (i.e., you can tell a parent name server to refer queries about your zone to this server). This works because name servers send nonrecursive queries between themselves.

Do not list a nonrecursive name server as a forwarder. When a name server is using another server as a forwarder, it sends the query to the forwarder as a recursive query instead of a nonrecursive query.

