Use allow-query on primary servers?

Jim Reid jim at rfc1035.com
Wed Dec 22 00:21:03 UTC 1999


>>>>> "Cricket" == Cricket Liu <cricket at acmebw.com> writes:


    >> Not really, though explicitly blocking systems that are being
    >> nasty would be reasonable. If you try to define a set of
    >> trusted hosts that are allowed to query your name servers, you
    >> probably lose. How are you going to predict which hosts and
    >> users on the internet will look up your domain(s) and the IP
    >> addresses of the name servers or resolvers they will use? This
    >> is only do-able when the name servers live behind a firewall
    >> and there's tight control over the nets that get routed over
    >> the internal network.

    Cricket> The technique Martin described *is* a good idea: Limiting
    Cricket> queries for domain names not in your authoritative zones.
    Cricket> Turning recursion off is somewhat more effective, if you
    Cricket> can do it, but his isn't a bad solution.

Yeah, you're right. I misread the original question as "how do I stop
unwanted clients from getting answers for my zone?" rather than "how
do I stop my name server from giving answers to unwanted clients for
zones other than my own?" And as you say, switching off recursion is a
better way to achieve that if it is a viable option.
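As an added illustration (not from the thread), here are the two approaches discussed above written as a BIND named.conf fragment: the default allow-query confines lookups for names the server is not authoritative for to a trusted ACL while each authoritative zone stays open to anyone, and `recursion no;` is the alternative that refuses recursion outright. The ACL name, addresses, zone names and file paths are placeholders.

```conf
// Added example, not from the thread. Addresses and zone names are placeholders.
acl "trusted" { 192.0.2.0/24; 127.0.0.1; };

options {
    directory "/var/named";

    // Approach 1 (the technique Martin described): by default only
    // trusted hosts may query. The zone statements below override this
    // for data we are authoritative for, so the whole Internet can still
    // resolve our names but strangers cannot use this server to look up
    // other people's domains.
    allow-query { "trusted"; };

    // Approach 2 (preferred when viable): refuse recursion altogether, so
    // the server answers only from its own zone data no matter who asks.
    // Uncomment this and the default allow-query above becomes unnecessary.
    // recursion no;
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };   // authoritative data stays world-readable
};

zone "2.0.192.in-addr.arpa" {
    type master;
    file "2.0.192.in-addr.arpa.zone";
    allow-query { any; };   // same for the reverse zone
};
```

With approach 1 the server still recurses on behalf of the trusted hosts; approach 2 means internal clients need a separate caching resolver.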


More information about the bind-users mailing list