Unexpected "REFUSED" response.

Jim Reid jim at rfc1035.com
Mon May 17 19:31:56 UTC 2004


>>>>> "Neil" == Neil W Rickert <rickert+nn at cs.niu.edu> writes:

    Neil> zone "niu.edu" in {
    Neil>     type slave;
    Neil>     file "cache/niu.DOM";
    Neil>     masters { 131.156.1.11; };
    Neil>     allow-query { any; };
    Neil> };

    Neil> A query from off-campus resulted in the unexpected:

    Neil> ; <<>> DiG 9.2.3 <<>> @mp.cs.niu.edu max.niu.edu 
    Neil> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 65093

Could you have some sort of global ACL, say for allow-recursion? A
recursive query from outside is being refused. So assuming dig's
lookup source and destination addresses are correct -- too bad you
didn't give them in your posting! -- this means the client must be
matching some ACL on your server. That can't be the one above. So it
looks like you have another one somewhere in your named.conf file. A
global allow-recursion clause seems most likely and it's this that the
external recursive lookup matches against and gets refused.

    Neil> If I repeat the query, but with "+norec" on the command
    Neil> line (to turn off recursion), I get:

    Neil> ;; global options: printcmd ;; Got answer: 
    Neil> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30026 

This would be consistent with a global allow-recursion ACL that's in
your named.conf file.

    Neil> When the query is made from on-campus, the result is

    Neil> ;; global options: printcmd ;; Got answer: 
    Neil> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18977 
    Neil> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
    Neil> ;; QUESTION SECTION: 
    Neil> ;max.niu.edu.  IN A

    Neil> ;; ANSWER SECTION:
    Neil> max.niu.edu.  86400 IN CNAME max.forlangs.net.

    Neil> ;; AUTHORITY SECTION: 
    Neil> forlangs.net.  10800 IN SOA ......

This time, the server you've queried seems to also be authoritative
for the forlangs.net zone. It knows the name max.forlangs.net doesn't
exist. Hence the NXDOMAIN reply with the SOA record for forlangs.net
in the Authority Section. The reply you've got is saying max.niu.edu
exists as a CNAME pointing at max.forlangs.net but that this name
doesn't exist.

A non-recursive request from the outside probably doesn't get this
extra information because BIND9's being lazy when the client has said
it can do iterative queries for itself. :-) And maybe you have
minimal-responses enabled? If so, your server will only be populating
the Authority and Additional Sections when it really has to.
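The diagnostic Jim walks through above (query once with RD set, once without, and compare the status and flags) can be scripted without dig. The following is an added example, not code from the thread or from BIND: it builds a minimal RFC 1035 A query with the RD bit set or cleared, decodes the response header into the fields dig prints (status, qr/aa/rd/ra, section counts), and classifies the REFUSED-only-when-recursive pattern as a recursion ACL rather than an allow-query problem. The server address, the query ID 0x1234 and the constructed response bytes in the `__main__` block are assumptions for illustration.

```python
import socket
import struct
import sys

# RCODE names from RFC 1035 section 4.1.1; anything else is left numeric.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

QUERY_ID = 0x1234  # assumed fixed ID so the reply can be matched


def build_query(qname, rd=True, qtype=1, qid=QUERY_ID):
    """Build a minimal DNS query (RFC 1035 wire format) for qname/IN.
    rd=True sets the RD bit like plain dig; rd=False is dig +norec."""
    flags = 0x0100 if rd else 0x0000          # QR=0, OPCODE=0, RD is bit 8
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    question += b"\x00" + struct.pack("!HH", qtype, 1)   # root label, QTYPE, QCLASS=IN
    return header + question


def parse_header(resp):
    """Decode the 12-byte DNS header into the fields dig shows in ->>HEADER<<-."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": qid,
        "status": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "question": qd, "answer": an, "authority": ns, "additional": ar,
    }


def probe(server, qname, rd, timeout=3.0):
    """Send one UDP query to server:53 and return the decoded header."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, rd=rd), (server, 53))
        resp, _ = s.recvfrom(4096)
    hdr = parse_header(resp)
    if hdr["id"] != QUERY_ID:
        raise ValueError("response ID does not match the query")
    return hdr


def diagnose(with_rd, without_rd):
    """Classify the pair of results the way the thread reasons about them."""
    if with_rd["status"] == "REFUSED" and without_rd["status"] != "REFUSED":
        # Only the recursive form is refused: the client is matching a
        # recursion ACL (e.g. a global allow-recursion), not allow-query.
        return "recursion-acl"
    if with_rd["status"] == "REFUSED" and without_rd["status"] == "REFUSED":
        # Both forms refused: the client is denied regardless of RD, so
        # look at allow-query / view selection instead.
        return "query-acl"
    if not with_rd["ra"]:
        # Answered, but RA clear: the server will not recurse for this client.
        return "no-recursion-offered"
    return "ok"


if __name__ == "__main__":
    if len(sys.argv) == 3:
        server, name = sys.argv[1], sys.argv[2]
        rec, norec = probe(server, name, True), probe(server, name, False)
        print("rd=1:", rec["status"], "rd=0:", norec["status"], "->", diagnose(rec, norec))
    else:
        # Constructed headers mirroring the two off-campus replies quoted above:
        # REFUSED with RD set, then NOERROR for the +norec query.
        refused = bytes.fromhex("1234 8105 0001 0000 0000 0000")
        noerror = bytes.fromhex("1234 8400 0001 0001 0001 0000")
        print(diagnose(parse_header(refused), parse_header(noerror)))
```

Run it as `python3 probe.py <server-ip> max.niu.edu` from the off-campus host; a result of `recursion-acl` is the signature Jim describes, and the thing to search for in named.conf is an `allow-recursion` clause in the global `options` block. Note that, like dig, this only talks to port 53/UDP and matches the reply by ID, so run it from the same source address that produced the REFUSED.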

