By default, BIND answers recursive queries, i.e. it will look up names in domains for which it is not authoritative (zones it does not serve as master or slave) on behalf of whoever asks.
This is commonly flagged by PCI compliance scans as an open resolver, and it is an information exposure in its own right: any third party on the internet can use the server to resolve arbitrary names, and an open resolver can also be abused as a reflector in DNS amplification attacks.
It is important to restrict who can perform DNS queries, in addition to what is allowed to be queried. If the server is only meant to resolve third-party domains on behalf of internal users, there is no reason to let the general internet perform recursive queries against it; limit recursion to the internal address ranges. If the server is meant only to act as an authoritative nameserver for specific domains, recursive queries should be disabled entirely, since the server never needs to resolve anything other than its own zones.
To disable recursive queries entirely, add the following to the options section of named.conf:
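The post does not reproduce its configuration snippet, so the fragment below is an added example rather than the author's own. It covers both cases described above: the authoritative-only server, where recursion is switched off, and the internal resolver, where recursion stays on but is limited by ACL. The ACL name `internal` and the address ranges in it are assumptions to be replaced with your own.

```conf
// Case 1: authoritative-only server. Place inside the existing options { } block.
options {
    recursion no;
};

// Case 2: internal resolver. Recursion stays enabled but only for listed clients.
// "internal" and the ranges below are placeholders; use your own networks.
acl "internal" {
    127.0.0.1;
    10.0.0.0/8;
    192.168.0.0/16;
};

options {
    recursion yes;
    allow-recursion { internal; };
    // Without this, outsiders can still read entries already in the cache.
    allow-query-cache { internal; };
};
```

Use one options block or the other, not both; `recursion no;` makes `allow-recursion` irrelevant. `allow-query-cache` is worth setting alongside `allow-recursion`, otherwise an external client can still probe what names the server has recently resolved.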
Then restart the named service (or run `rndc reconfig`) and query the server with dig, for a name you are not authoritative for, to confirm the change has taken effect: the response should no longer carry the `ra` (recursion available) flag, and dig will print "WARNING: recursion requested but not available".
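As an added example, not part of the original post, the script below encodes the dig check as a function: it classifies a server as an open resolver or not from the flags line and warning that dig prints. The embedded dig outputs are constructed samples for offline use; `live_check` runs the real query and takes the server and a test name as arguments (the example name is an assumption).

```bash
#!/bin/sh
# Added example: verify whether a BIND server still advertises recursion.
# Interprets the "+comments" section of dig output:
#   open   - flags line contains "ra" (recursion available)
#   closed - dig warns "recursion requested but not available"
#   unknown - neither (e.g. the query was sent with +norecurse)

# recursion_status <dig-output>: prints open, closed or unknown.
recursion_status() {
    if printf '%s\n' "$1" | grep -q 'recursion requested but not available'; then
        echo closed
    elif printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]* ra[ ;]'; then
        echo open
    else
        echo unknown
    fi
}

# live_check <server> <name>: query a name the server is NOT authoritative for.
# Returns 0 if recursion is closed, 1 if the server is an open resolver,
# 2 if dig failed or the result could not be interpreted.
live_check() {
    out=$(dig @"$1" "$2" A +noall +comments 2>/dev/null) || return 2
    case $(recursion_status "$out") in
        closed) echo "recursion refused by $1"; return 0 ;;
        open)   echo "$1 is an open resolver"; return 1 ;;
        *)      echo "could not determine recursion status of $1"; return 2 ;;
    esac
}

# Constructed sample: server that still recurses for anyone.
SAMPLE_OPEN=';; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Constructed sample: server with recursion no; answering for a foreign name.
SAMPLE_CLOSED=';; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 23456
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available'

# Usage (assumed server and name): live_check ns1.example.com example.org
```

Run `live_check` once from an internal address and once from outside the allowed ranges: for the internal-resolver configuration the first should report "open resolver" (expected) and the second "recursion refused"; for an authoritative-only server both should refuse.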