[ Server Security ] Disable name recursion on Bind9
#127
admin
Admin
Posts: 353
[ Server Security ] Disable name recursion on Bind9 1 Year, 10 Months ago Karma: 4
When you allow recursive lookups, you open yourself up to various security risks and performance issues, so you should only allow recursion when needed. Recursive lookups are lookups for domains you are not authoritative for. That is, if you are authoritative for mycompany.com, and you don't allow recursion, then if somebody queries your server for anotherdomain.com, they will just get a host not found error. To turn off recursion altogether, use this option in named.conf:

options {
    directory "/var/named";
    recursion no;
};


We left in the directory option, which you probably have set the same, anyway. Now, say you want to allow recursion for certain hosts. You could do this:

acl recurseallow { 6.4.2.4; 2.4.2.1; 1.2.1.2; };
options {
    directory "/var/named";
    allow-recursion { recurseallow; };
};


This would only allow hosts with source IP addresses of 6.4.2.4, 2.4.2.1, or 1.2.1.2 to query about domains the server is not authoritative for. You can also specify entire subnets using / notation. For further information, check out our Name Resolution section.
#128
admin
Admin
Posts: 353
Re:[ Server Security ] Disable name recursion on Bind9 1 Year, 10 Months ago Karma: 4
I just noticed that my dns server was being used as a caching dns server for some random host. In my log files, I was seeing ANY queries for x.h.ctrc.cc. When I looked at the cache, this was for some encoded data.

Using the documentation on this page, I was able to fix this problem. The way that I fixed this was to add the following to the options section:

// version statement for security to avoid
// hacking known weaknesses
version "get lost";

// optional - disables all transfers -
// slaves allowed in zone clauses
allow-transfer { none; };

// optional - disable all recursive queries
allow-recursion { none; };

recursion no;
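One way to confirm from another machine that settings like `recursion no;` or `allow-recursion { none; };` took effect on your own server: an added example (not from the original posts) that sends a single recursive query for a name the server is not authoritative for and classifies the reply by its RA bit and RCODE. The probe name example.com and the default target 127.0.0.1 are assumptions.

```python
"""Audit helper: does a name server answer recursive queries for names it is
not authoritative for?  Added example, not part of the original forum post."""
import secrets
import socket
import struct

# Assumed probe name: any domain the audited server is NOT authoritative for.
PROBE_NAME = "example.com"

def build_query(name, txid, qtype=1):
    """Build a minimal DNS query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def classify_response(resp, txid):
    """Classify a raw reply: 'open-recursive', 'refused' or 'no-recursion'."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    ra = bool(flags & 0x0080)       # RA: server advertises recursion
    rcode = flags & 0x000F
    if rcode == 5:                  # REFUSED: usual BIND reply when recursion is denied
        return "refused"
    if ra and rcode == 0 and an > 0:
        return "open-recursive"     # answered an off-zone name: acting as open resolver
    return "no-recursion"           # e.g. a referral with RA clear (older BIND behaviour)

def probe(server, name=PROBE_NAME, timeout=3.0):
    """Send one UDP probe to `server` on port 53 and classify the reply."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return classify_response(data, txid)

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

After applying the options from the post, the expected result against your own server is "refused" (or "no-recursion"); "open-recursive" means the change has not taken effect.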