Hi,

Our 2 DNS servers are not allowing me to do recursive queries locally on the server. They used to, and today they don't anymore. As far as I know, nobody has changed the config.

options {
allow-recursion {
localhost;
};
recursion no;
};

This is part of our config (that relates to recursion).

When I do a dig locally, it just lists the root servers with status: NOERROR and ANSWER: 0

If I change recursion yes; then it works.

Any ideas why this isn't working?

Thanks.

Why are you setting both allow-recursion and recursion no?

Also localhost is a name for 127.0.0.1 which means it would only allow queries from that interface (lo0) to do recursion.

Did you create an acl named localhost? If so it may not be working due to above (that is it is likely taking localhost as literal host name rather than acl name). If not then it definitely isn't working due to above.

In our DNS servers we create acl:

Then in options:
We have no "recursion" statement. By doing above it allows the hosts at IP or IP range specified in the acl, internaldns, to do recursive lookups but forbids all others (e.g. outside users).

In the individual zone specifications we include:
That insures anyone inside or outside our network can query the zones for which we're authoritative. Users outside of the acl can query our zones but they can't use us to lookup things like Google.com but users inside the acl can lookup Google.com to their hearts' content.