Disable Refused answer

Chris Buxton cbuxton at menandmice.com
Thu Dec 3 17:00:45 UTC 2009

On Dec 2, 2009, at 6:40 AM, Dmitry Rybin wrote:

> Hello!
> I can't find in docs how disable answer (Refused), if recursion for IP is not allowed?

Something like this should work:

options {
	directory "/var/named";

acl authorized-clients {;

view caching-server {
	match-recursive-only yes;
	blackhole { ! authorized-clients; any; };
	// any other resolution configuration goes here

view auth-server {
	// zones go here

Note that there is no need to use the allow-query-cache, allow-query, allow-recursion, or recursion statements in either view. All recursive queries will be caught by the first view, which will drop queries by unauthorized clients - no refusal will be sent.

If an authorized client sends a recursive query to the server for local authoritative data, as long as the NS records are configured correctly (possibly along with stub zone statements in the caching-server view), the server will query itself (iteratively, so hitting the auth-server view) and find the data.

The only way in which this differs from what you want is, if someone sends a recursive query for your authoritative zone data from an unauthorized IP, the query will be dropped. But this will probably only happen in testing with dig or nslookup, and it can be worked around (by the user) by turning off the RD flag in the request.

Chris Buxton
Professional Services
Men & Mice

More information about the bind-users mailing list