I’ve just set up a new BIND DNS server for a new network. I configured the network in a way I’ve not done before which was to have the servers on a different subnet to the regular machines and other devices. I prefer this set up but it has resulted in me having to do some reading up about network configuration. Anyway, all was going well until I switched over to my new DNS server…
At that point I found that none of the clients on the regular machine network could resolve anything. Of course I first restarted everything but guess what, that didn’t work. I was working on a Windows machine at the time so I fired up a command line and performed an nslookup on the new server and this is what I got:
C:\Users\Username>nslookup example.com 10.4.3.2 Server: UnKnown Address: 10.4.3.2 *** UnKnown can't find example.com: Query refused
The key bit of information here is that the query was refused. I didn’t know this at the time but out of the box BIND will not resolve for addresses outside it’s local network by default, what are known as recursive queries. The solution I used was to add the following to named.conf.options:
allow-recursion { any; };
This tells BIND to accept queries from anywhere and resolve them. Before you get all carried away and stick this setting into your BIND server I should point out that this setting on it’s own will make the server accept queries from anywhere and that’s not likely to be what you want if you have a publicly visible server or you don’t trust the network it’s connected to. If that’s the case then you can limit the machines that will be able to perform resolutions using the access control lists.
If you want to make this setting using Webmin the recursion setting can be found under Addresses and Topology on the Global Options page.
A typical ACL that restricts the hosts that can perform recursive lookups might be something like this:
acl AllowedHosts { 192.168.7.0/24; 10.4.3.0/24; };
See also: allow-recursion, ISC knowledge base article