Why not "allow-query" in a forward zone?

Jesper Dybdal jd at u3.dybdal.dk
Wed Mar 8 16:10:54 UTC 2000

I run a nameserver (BIND 8.2.2-P5) on a firewall which is
connected to the Internet and to two separate internal networks that
each have internal name servers for their separate internal

For the sake of log files and troubleshooting, I would like the
firewall itself to be able to look up names and IP addresses in
the internal networks.

This can be done by defining suitable "forward" zones that refer
to the internal nameservers.

However, I would like to prohibit outsiders from looking up names
in these zones.

"Allow-query" in the forward zone would be perfect for that, but
for some reason an "allow-query" specification is not allowed in
a forward zone.

Is there any special reason for that?  Will it be allowed in a
later release?

Jesper Dybdal, Denmark.
http://www.dybdal.dk (in Danish).

