Disable Refused answer

Kevin Darcy kcd at chrysler.com
Thu Dec 3 15:04:59 UTC 2009

Dmitry Rybin wrote:
> Barry Margolin wrote:
>> In article <mailman.1159.1259764844.14796.bind-users at lists.isc.org>,
>> Dmitry Rybin <kirgudu at corbina.net> wrote:
>>> Hello!
>>> I can't find in the docs how to disable the answer (Refused) if recursion for
>>> an IP is not allowed?
>> What do you expect it to do instead? Not respond at all?
> Drop the not-allowed request.
This is not compatible with the DNS protocol, as defined:

RFC 1034, Section 4.3.1:
If recursive service is requested and available, the recursive response
to a query will be one of the following:

   - The answer to the query, possibly preface by one or more CNAME
     RRs that specify aliases encountered on the way to an answer.

   - A name error indicating that the name does not exist.  This
     may include CNAME RRs that indicate that the original query
     name was an alias for a name which does not exist.

   - A temporary error indication.

If recursive service is not requested or is not available, the non-recursive
response will be one of the following:

   - An authoritative name error indicating that the name does not

   - A temporary error indication.

   - Some combination of:

     RRs that answer the question, together with an indication
     whether the data comes from a zone or is cached.

     A referral to name servers which have zones which are closer
     ancestors to the name than the server sending the reply.

   - RRs that the name server thinks will prove useful to the
Note that "no response" is not one of the options.

You should probably implement this outside of DNS and BIND, e.g. a stateful firewall which would, by policy, drop incoming DNS query packets from certain source-address ranges, which have the RD bit set in the DNS query packet header.

- Kevin
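An added illustration (not from Kevin's post and not BIND's own code) of the filter policy he describes, in Python: it parses the 12-byte DNS header, checks the RD bit, and drops RD=1 queries from source ranges that are not permitted to recurse, while letting responses and RD=0 queries through to the server. The permitted ranges and the sample packets are constructed for this example.

```python
# Added illustration of the firewall policy suggested above: drop DNS
# queries that ask for recursion (RD=1) from sources not permitted to
# recurse, before they reach BIND. Ranges and packets are constructed.
import ipaddress
import struct

# Constructed policy: only these client networks may send RD=1 queries.
RECURSION_ALLOWED = [ipaddress.ip_network("192.0.2.0/24"),
                     ipaddress.ip_network("2001:db8::/32")]

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035 4.1.1)
DNS_HEADER = struct.Struct("!HHHHHH")
FLAG_QR = 0x8000  # set on responses
FLAG_RD = 0x0100  # recursion desired

def parse_header(payload: bytes) -> dict:
    """Return the six 16-bit header fields; raise on a truncated packet."""
    if len(payload) < DNS_HEADER.size:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(payload)
    return {"id": ident, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}

def recursion_allowed(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in RECURSION_ALLOWED)

def verdict(src: str, payload: bytes) -> str:
    """'drop' for RD=1 queries from non-permitted sources; all else passes to BIND."""
    try:
        flags = parse_header(payload)["flags"]
    except ValueError:
        return "pass"  # leave malformed packets to the resolver's own checks
    if flags & FLAG_QR:
        return "pass"  # a response, not a query
    if flags & FLAG_RD and not recursion_allowed(src):
        return "drop"
    return "pass"  # RD=0, or a client allowed to recurse; BIND answers or REFUSEs

def build_query(rd: bool, name: str = "example.com") -> bytes:
    """Constructed minimal query for NAME, type A, class IN."""
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split("."))
    return (DNS_HEADER.pack(0x1234, FLAG_RD if rd else 0, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    for src, rd in [("192.0.2.10", True), ("198.51.100.7", True),
                    ("198.51.100.7", False)]:
        print(src, f"RD={int(rd)} ->", verdict(src, build_query(rd)))
```

The same RD-bit test can be expressed as a raw-payload match in a packet filter; the point is that the drop happens before the query ever reaches named, which is why no REFUSED answer is generated.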
