Symptom:

After upgrading from a BIND version older than 9.5.0, clients can no longer resolve external DNS names through the server.

Problem:

BIND versions before 9.5.0 had an implicit

allow-recursion { any; };

setting, offering recursive service to anyone. All BIND versions 9.5.0 and later have a more restrictive implicit

allow-recursion { localnets; localhost; };

which restricts recursion to clients on locally attached networks (built-in ACL 'localnets') and to the IP addresses of the local machine itself (built-in ACL 'localhost'). Any client machine sending recursive queries from a network that is not directly attached to the DNS server will be refused.

This default was introduced to reduce the number of 'open DNS resolvers' on the Internet (see the article Open DNS Server - does it matter and how do I secure (close) my server?).

Solution:

BIND DNS servers from version 9.5.0 onward that offer recursive service to clients should always have an explicit 'allow-recursion' statement in the options block, controlling which machines may use the recursive service. Recursive service should only be offered to trusted machines, never to outside strangers (and never to 'any', i.e. the whole Internet).

Example of an 'allow-recursion' configuration (adjust the IP addresses to your network topology):

acl mynetworks {
        localnets;             // all networks directly attached to this server
        192.0.2.0/24;          // IPv4 client network (documentation prefix, replace)
        2001:db8:100::/56;     // IPv6 client network (documentation prefix, replace)
};

options {
   allow-recursion { mynetworks; localhost; };   // recursion only for the ACL above and the server itself
};
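As an added illustration (example code written for this note, not part of the ISC article or of BIND itself), the following Python script parses the 'acl' and 'allow-recursion' statements of a named.conf, applies the version-dependent default described above when the statement is absent, and evaluates sample client addresses against the resulting address match list using BIND's first-match semantics. The host facts needed for the built-in 'localhost' and 'localnets' ACLs (the server's own addresses and directly attached prefixes) are supplied by the caller, since they cannot be read from the configuration file; the sample configurations and client addresses are constructed.

```python
"""Audit the effective 'allow-recursion' policy of a BIND named.conf.

Added example, not ISC code.  It does a deliberately small parse of the
named.conf grammar: 'acl NAME { ... };' blocks and the first
'allow-recursion { ... };' statement found (per-view statements and
negated references to nested ACLs are not modelled).
"""
import ipaddress
import re

# Defaults described in the article: implicit 'any' before 9.5.0,
# implicit 'localnets; localhost;' from 9.5.0 on.
DEFAULT_BEFORE_950 = ["any"]
DEFAULT_FROM_950 = ["localnets", "localhost"]

_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
_ACL_RE = re.compile(r"\bacl\s+\"?([\w\-]+)\"?\s*\{([^}]*)\}\s*;", re.S)
_ALLOW_RECURSION_RE = re.compile(r"\ballow-recursion\s*\{([^}]*)\}\s*;", re.S)


def strip_comments(conf: str) -> str:
    """Remove the three comment styles named.conf accepts."""
    return _COMMENT_RE.sub("", conf)


def split_elements(body: str) -> list[str]:
    """'localnets; 192.0.2.0/24;' -> ['localnets', '192.0.2.0/24']."""
    return [e.strip() for e in body.split(";") if e.strip()]


def parse_acls(conf: str) -> dict[str, list[str]]:
    """Map every 'acl NAME { ... };' block to its ordered element list."""
    return {name: split_elements(body)
            for name, body in _ACL_RE.findall(strip_comments(conf))}


def expand(elements, acls, _seen=frozenset()) -> list[str]:
    """Flatten named ACL references, in order, down to built-ins and prefixes.
    A leading '!' on a plain element is kept so the caller can apply it."""
    leaves = []
    for el in elements:
        negated = el.startswith("!")
        name = el.lstrip("!").strip()
        if name in acls:
            if negated:
                raise ValueError(f"negated nested ACL {el!r} not supported here")
            if name in _seen:
                raise ValueError(f"ACL {name!r} references itself")
            leaves.extend(expand(acls[name], acls, _seen | {name}))
        else:
            leaves.append(("!" if negated else "") + name)
    return leaves


def effective_allow_recursion(conf: str, bind_version=(9, 5, 0)) -> list[str]:
    """Flattened allow-recursion list; the version default is used when the
    statement is absent, exactly as the article describes."""
    text = strip_comments(conf)
    m = _ALLOW_RECURSION_RE.search(text)
    if m:
        elements = split_elements(m.group(1))
    else:
        elements = DEFAULT_FROM_950 if bind_version >= (9, 5, 0) else DEFAULT_BEFORE_950
    return expand(elements, parse_acls(text))


def classify(leaves: list[str]) -> str:
    """'open' when an un-negated 'any' appears anywhere, else 'restricted'."""
    return "open" if "any" in leaves else "restricted"


def _matches(ip, leaf, localhost_addrs, localnets) -> bool:
    if leaf == "any":
        return True
    if leaf == "none":
        return False
    if leaf == "localhost":  # host facts supplied by the caller (assumption)
        return any(ip == ipaddress.ip_address(a) for a in localhost_addrs)
    if leaf == "localnets":
        return any(ip in ipaddress.ip_network(n, strict=False) for n in localnets)
    return ip in ipaddress.ip_network(leaf, strict=False)


def client_allowed(client_ip: str, leaves, localhost_addrs=(), localnets=()) -> bool:
    """BIND address-match-list semantics: the first matching element decides,
    a '!' on that element means deny, and no match at all means deny."""
    ip = ipaddress.ip_address(client_ip)
    for leaf in leaves:
        if _matches(ip, leaf.lstrip("!"), localhost_addrs, localnets):
            return not leaf.startswith("!")
    return False


# Constructed sample configurations (not taken from any real server).
CONF_ARTICLE = """
acl mynetworks {
        localnets;
        192.0.2.0/24;        // office prefix
        2001:db8:100::/56;
};
options {
   allow-recursion { mynetworks; localhost; };
};
"""
CONF_OPEN = "options { allow-recursion { any; }; };  # open resolver"
CONF_MISSING = 'options { directory "/var/cache/bind"; };'

if __name__ == "__main__":
    for label, conf in (("article", CONF_ARTICLE), ("open", CONF_OPEN), ("missing", CONF_MISSING)):
        leaves = effective_allow_recursion(conf)
        print(f"{label}: {classify(leaves)} {leaves}")
    # Hypothetical host facts: loopback address and one attached prefix.
    leaves = effective_allow_recursion(CONF_ARTICLE)
    for client in ("192.0.2.10", "10.1.2.3", "198.51.100.7"):
        print(client, client_allowed(client, leaves, ["127.0.0.1"], ["10.1.0.0/16"]))
```

Run against a real named.conf, the 'open' result is the case the article warns about, and 'missing' on a pre-9.5.0 version is the same thing in disguise; the client check reproduces the symptom, since 198.51.100.7 (not in the ACL, not on an attached network) is refused while the office prefix and the attached 10.1.0.0/16 network are served.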