Kevin Darcey wrote:
>It's only the *external* clients you don't want to recurse for. You
>still may need to recurse for your *internal* clients, unless they
>don't require resolvability of Internet names (e.g. if everything is
>behind application-level proxies), or, alternatively, you intend to
>host the whole Internet DNS namespace on your computer (biiiiiig box).
>
>Options: run separate boxes for hosting versus recursion, separate BIND
>instances on the same box, separate "view"s within the same instance, or
>control queries and/or recursion via allow-query and/or allow-recursion.
>Note that BIND 9.4.0 just came out with an "allow-query-cache" option,
>which makes allow-recursion a little more palatable -- previously, since
>answers from the cache do not require recursion, this data was available
>to external clients regardless of the allow-recursion settings, which
>was arguably "information leakage" that might not make one's security
>administrators/auditors very happy.
>
>There was recently a thread here on a very similar topic. See the posts
>with the subject line "recursion question" at
>http://marc.theaimsgroup.com/?l=bind...rsion+question&q=b

I am the person who originated that original question you are referring
to. I am still somewhat fuzzy on the recursion thing. I have set up
the named.conf file with the option line also:

options {
        recursion no;   // refuse recursive queries from every client
};

I have not seen any problems with user access to the internet. I do
have an internal DNS server inside the firewall running Windows 2000 as
an internal DNS server. In my ignorance of much of the issues
associated with DNS I have concluded that this internal DNS is allowing
our client machines to resolve names. Is this a correct assumption on
my part?

Steve
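As an added example (not taken from Kevin's or Steve's posts, and not ISC's own sample configuration), here is what the options Kevin lists look like in a named.conf for a box that is authoritative for one zone to the whole Internet but should only recurse for an internal network. The zone name example.com, the internal range 10.0.0.0/8, the ACL name "internal", the server address 192.0.2.53, the directory and the zone file name are all assumed. Fragment A is the pre-9.4 setting Kevin describes as leaking cache contents; Fragment B is the same intent with allow-query-cache added; Fragment C is the "view" alternative, where the cache is never reachable from outside because external clients land in a view that has no recursion at all. Steve's global `recursion no;` is the "separate boxes" option from Kevin's list, with the internal Windows server doing the recursing; it is not shown again here.

```conf
// Added example, not code from the original thread. Assumed: the server is
// master for example.com, internal clients are in 10.0.0.0/8, the server
// listens on 192.0.2.53, and /var/named/example.com.zone exists.

acl internal { 127.0.0.1; 10.0.0.0/8; };

// --- Fragment A: the pre-9.4 setting Kevin calls "information leakage" ---
// External clients cannot make this server recurse, but any record that an
// internal client already pulled into the cache is still answered to them,
// because serving a cached answer does not require recursion.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { internal; };
    // allow-query is left at its default (any), so cached data is visible
    // to anyone who asks for a name that happens to be cached.
};

// --- Fragment B: BIND 9.4.0 and later, use INSTEAD of Fragment A ---
// allow-query-cache closes the cache to outsiders while authoritative
// zone data stays public.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion   { internal; };
    allow-query-cache { internal; };   // cached answers only for internal clients
    allow-query       { any; };        // zone data (example.com) still public
};

// Global zone statement, used with Fragment A or B (not with Fragment C,
// because once any "view" is defined every zone must live inside a view).
zone "example.com" {
    type master;
    file "example.com.zone";
};

// --- Fragment C: the "view" alternative, use INSTEAD of A/B and the global
// zone above. One named instance, two personalities: internal clients get a
// recursive resolver that also serves the zone; everyone else gets an
// authoritative-only server with no cache to query. Views are matched in
// order, so "internal" must come first.
view "internal" {
    match-clients { internal; };
    recursion yes;
    zone "example.com" {
        type master;
        file "example.com.zone";
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "example.com.zone";
    };
};
```

Check the file with named-checkconf before reloading. To confirm the split works, query from an address outside the internal ACL: `dig @192.0.2.53 www.example.com` should return the authoritative answer with the AA flag set and no RA flag, while `dig @192.0.2.53` for a name outside your zones should return no answer (BIND reports it as REFUSED or a referral depending on version and configuration). Repeat the second query after an internal client has resolved the same name; with Fragment A it is answered from cache, with Fragments B or C it is not.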