Linux: Restrict recursive lookup on a BIND name server

October 7, 2012

To reduce the attack surface of your name server and keep its resources from being consumed by large volumes of illegitimate queries, it is wise to refuse recursive lookups from the Internet for domains your server is not authoritative for.

To achieve that, add these two parameters to the “options” section of named.conf:

recursion yes;
allow-recursion { 127.0.0.1; };

This allows only the server itself (127.0.0.1) to use recursion, i.e. to resolve domains the server does not manage. Recursive queries from any remote client are refused; queries for the zones declared in your named.conf are still answered as before.

Here is a complete sample of the “options” section if you want to allow both the server itself and your local network to perform recursive queries:

options {
    recursion yes;
    allow-recursion { 127.0.0.1; 192.168.1.0/24; };
};
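As an added example (not part of the original post), a small Python checker that reads the options block of a named.conf and reports whether recursion is disabled, restricted by an ACL as above, left at the server's default, or open to any client; the named.conf samples are constructed, and the parser only understands the simple statement forms shown in the post.

```python
import re

# Constructed sample of the post's restricted options block, as it would sit in named.conf.
RESTRICTED_CONF = """
options {
    recursion yes;                       // resolve only for the ACL below
    allow-recursion { 127.0.0.1; 192.168.1.0/24; };
};
"""

# Constructed sample of the weak setting: recursion offered to every client (an open resolver).
OPEN_CONF = "options { recursion yes; allow-recursion { any; }; };"

def options_body(conf: str):
    """Return the text between the braces of the options { ... } block, or None."""
    text = re.sub(r"/\*.*?\*/|(?://|#)[^\n]*", "", conf, flags=re.S)  # drop comments
    start = re.search(r"\boptions\s*\{", text)
    if not start:
        return None
    depth, i = 1, start.end()
    while i < len(text) and depth:                            # walk to the matching brace
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[start.end():i - 1] if depth == 0 else None

def parse_options(conf: str) -> dict:
    """Map 'name value;' and 'name { ... };' statements in options to their values."""
    body = options_body(conf)
    if body is None:
        return {}
    pattern = r"([\w-]+)\s*(?:\{([^}]*)\}|([^;{]+))\s*;"
    return {name: (braced or plain).strip()
            for name, braced, plain in re.findall(pattern, body)}

def recursion_exposure(conf: str) -> str:
    """Classify recursion as 'disabled', 'open', 'restricted' or 'default' (no explicit ACL)."""
    opts = parse_options(conf)
    if opts.get("recursion", "yes").lower() == "no":          # BIND recurses unless told not to
        return "disabled"
    acl = opts.get("allow-recursion")
    if acl is None:
        return "default"                                      # relies on the server's built-in default
    entries = {e.strip().lower() for e in acl.split(";") if e.strip()}
    if "any" in entries or "0.0.0.0/0" in entries or "::/0" in entries:
        return "open"
    return "restricted"
```

Anything other than "restricted" or "disabled" on an Internet-facing server is worth a second look, and "default" means the behaviour depends on the BIND version's built-in ACL rather than on your configuration.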