The given test script verifies that the checked nameservers do not allow recursion by looking for the "ra" (recursion available) flag in the output of the dig tool.

The checked nameservers are determined by querying the NS records of the given domain.
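The following script is an added example that reproduces the check described above; it is not the repository's own test script. `has_ra_flag` parses dig output for the "ra" flag, and `check_domain` looks up the NS records of a domain and tests each nameserver. The domain name and the SOA query type are assumptions of the example.

```sh
#!/bin/sh
# Added example (not the repository's own test script): check whether the
# nameservers of a domain advertise recursion by inspecting dig's flags line.
# check_domain needs dig (bind-utils / dnsutils); has_ra_flag is plain awk.

# has_ra_flag: read dig output on stdin; return 0 if the "ra" (recursion
# available) flag is set in the ";; flags:" line, 1 otherwise.
has_ra_flag() {
    awk '
        /^;; flags:/ {
            sub(/^;; flags: */, "")   # strip the ";; flags: " prefix
            sub(/;.*$/, "")           # drop "; QUERY: ..., ANSWER: ..."
            n = split($0, f, " ")
            for (i = 1; i <= n; i++)
                if (f[i] == "ra") found = 1   # exact token, so "rd" does not match
        }
        END { exit (found ? 0 : 1) }
    '
}

# check_domain: print one line per nameserver of $1: "OK" when the server does
# not offer recursion, "FAIL" when it advertises "ra". Returns 1 if any fails.
check_domain() {
    domain=$1
    rc=0
    for ns in $(dig +short NS "$domain"); do
        # dig sets "rd" (recursion desired) by default; a purely authoritative
        # server answers without "ra" in its flags.
        if dig @"$ns" "$domain" SOA | has_ra_flag; then
            echo "FAIL $ns offers recursion"
            rc=1
        else
            echo "OK   $ns"
        fi
    done
    return $rc
}

# Usage: sh check_recursion.sh example.com   (example.com is a placeholder)
if [ -n "$1" ]; then
    check_domain "$1"
fi
```

The flags line is parsed by splitting on whitespace and comparing whole tokens, so "rd" (recursion desired, set by the client) is never mistaken for "ra" (recursion available, set by the server).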


Recursion (sometimes also referred to as recursive requests) refers to a nameserver that resolves queries by querying other nameservers. As per the above explanation, this is the job of a resolving nameserver, and exposing it publicly invites abuse (cache poisoning, reflection and DNS amplification attacks).

Authoritative nameservers (the ones NS records point to) should never perform recursion at all. Unless you operate a public resolver, recursion should only be allowed for internal clients and systems.


Disabling recursion in BIND is as simple as defining

recursion no;

in the options { } block. If you are using views, you may selectively disable and enable recursion by defining the above in the specific view { } block instead of the options { } block.

If for any reason you do have to allow recursion for some specific clients, you should work with ACLs and allow-recursion { }. The addresses below are a placeholder (the documentation range 192.0.2.0/24); replace them with your internal client networks.

acl "clients" {
    192.0.2.0/24;
};

options {
    allow-recursion { clients; };
};

Mind that you cannot mix recursion no; and allow-recursion { }.

Further information