<div dir="ltr"><div>[ Classification Level: <font color="blue">GENERAL BUSINESS</font> ]</div><br class="cursAfter">I just checked the ARM, and it denotes that "match-recursive-only" (boolean) still exists for views. So, you might be able to set up a special view with that, as well as a negated match-clients, specifying allow-query { none; }. Put it as the first view, and both non-recursive queries, and queries from your "recursive-users" ACL, will fall through to subsequent views.<div><br></div><div> - Kevin</div><div><br></div><div>P.S. ISC's "understanding views" knowledgebase article doesn't mention match-recursive-only, so there is a discrepancy there. Either the feature has been removed, and the ARM documentation hasn't been updated to reflect it, or the knowledgebase article only focuses on the most common view-matching criteria, omitting match-recursive-only, since the use cases for that are very rare.</div><div><br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, May 5, 2021 at 3:10 PM Axel Rau <<a href="mailto:Axel.Rau@chaos1.de">Axel.Rau@chaos1.de</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I have,<br>
<br>
allow-query { any; };<br>
allow-query-cache { recursive-users; };<br>
allow-recursion { recursive-users; };<br>
<br>
How can I make sure that none recursive-users get a REFUSED if query is recursive?<br>
<br>
Axel<br>
<br>
PS: I want to minimize the responses to this amplification attack:<br>
- - -<br>
19:05:18.703238 185.230.55.130.30120 > 91.216.35.71.53: [no udp cksum] 1+ RRSIG? pizzaseo.com.(30) (ttl 249, id 33043, len 58)<br>
19:05:18.703568 91.216.35.71.53 > 185.230.55.130.30120: [udp sum ok] 1- q: RRSIG? <a href="http://pizzaseo.com" rel="noreferrer" target="_blank">pizzaseo.com</a>. 0/13/14 ns: com. NS <a href="http://j.gtld-servers.net" rel="noreferrer" target="_blank">j.gtld-servers.net</a>., com. NS <a href="http://m.gtld-servers.net" rel="noreferrer" target="_blank">m.gtld-servers.net</a>., com. NS <a href="http://c.gtld-servers.net" rel="noreferrer" target="_blank">c.gtld-servers.net</a>., com. NS <a href="http://b.gtld-servers.net" rel="noreferrer" target="_blank">b.gtld-servers.net</a>., com. NS <a href="http://d.gtld-servers.net" rel="noreferrer" target="_blank">d.gtld-servers.net</a>., com. NS <a href="http://e.gtld-servers.net" rel="noreferrer" target="_blank">e.gtld-servers.net</a>., com. NS <a href="http://l.gtld-servers.net" rel="noreferrer" target="_blank">l.gtld-servers.net</a>., com. NS <a href="http://f.gtld-servers.net" rel="noreferrer" target="_blank">f.gtld-servers.net</a>., com. NS <a href="http://h.gtld-servers.net" rel="noreferrer" target="_blank">h.gtld-servers.net</a>., com. NS <a href="http://i.gtld-servers.net" rel="noreferrer" target="_blank">i.gtld-servers.net</a>., com. NS <a href="http://a.gtld-servers.net" rel="noreferrer" target="_blank">a.gtld-servers.net</a>., com. NS <a href="http://k.gtld-servers.net" rel="noreferrer" target="_blank">k.gtld-servers.net</a>., com. NS <a href="http://g.gtld-servers.net" rel="noreferrer" target="_blank">g.gtld-servers.net</a>. ar: <a href="http://m.gtld-servers.net" rel="noreferrer" target="_blank">m.gtld-servers.net</a>. A 192.55.83.30, <a href="http://l.gtld-servers.net" rel="noreferrer" target="_blank">l.gtld-servers.net</a>. A 192.41.162.30, <a href="http://k.gtld-servers.net" rel="noreferrer" target="_blank">k.gtld-servers.net</a>. A 192.52.178.30, <a href="http://j.gtld-servers.net" rel="noreferrer" target="_blank">j.gtld-servers.net</a>. A 192.48.79.30, <a href="http://i.gtld-servers.net" rel="noreferrer" target="_blank">i.gtld-servers.net</a>. A 192.43.172.30, <a href="http://h.gtld-servers.net" rel="noreferrer" target="_blank">h.gtld-servers.net</a>. A 192.54.112.30, <a href="http://g.gtld-servers.net" rel="noreferrer" target="_blank">g.gtld-servers.net</a>. A 192.42.93.30, <a href="http://f.gtld-servers.net" rel="noreferrer" target="_blank">f.gtld-servers.net</a>. A 192.35.51.30, <a href="http://e.gtld-servers.net" rel="noreferrer" target="_blank">e.gtld-servers.net</a>. A 192.12.94.30, <a href="http://d.gtld-servers.net" rel="noreferrer" target="_blank">d.gtld-servers.net</a>. A 192.31.80.30, <a href="http://c.gtld-servers.net" rel="noreferrer" target="_blank">c.gtld-servers.net</a>. A 192.26.92.30, <a href="http://b.gtld-servers.net" rel="noreferrer" target="_blank">b.gtld-servers.net</a>. A 192.33.14.30, <a href="http://a.gtld-servers.net" rel="noreferrer" target="_blank">a.gtld-servers.net</a>. A 192.5.6.30, <a href="http://m.gtld-servers.net" rel="noreferrer" target="_blank">m.gtld-servers.net</a>. AAAA 2001:501:b1f9::30(490) (ttl 63, id 11754, len 518)<br>
- - -<br>
---<br>
PGP-Key: CDE74120 ☀ computing @ chaos claudius<br>
<br>
_______________________________________________<br>
Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</blockquote></div></div></div>