<html><head> <style type="text/css" title="rt_noDelete">
blockquote.rt {
margin: 0 0 15px;
border-left: 4px solid #81c784;
padding: 0 0 0 12px;
display: block;
}
p { margin: 0 0 0 0 }
.email-signature {font-family:"Arial"; font-size: 8pt; font-style: italic; font-weight: normal; text-decoration: none; }
</style></head><body><p class="norm">You might search the list archives, as I think this came up recently...</p>
<p class="norm">But I think the general consensus is that you shouldn't have a server that is both authoritative AND that allows recursive queries. (Security reasons)</p>
<p>And if you do allow both, to limit recursive queries to internal (semi-trusted/controlled) hosts only.</p><p> </p>
<p>The options you'll be wanting to look at are:</p><p> </p>
<p>allow-query</p>
<p>allow-recursion</p>
<p>allow-query-cache</p><p> </p>
<p>See the docs.</p><p> </p>
<p>Something like:</p>
<p>allow-recursion { local-nets; };</p><p> </p>
<p>Where local-nets are the local subnets you want to allow recursion for - meaning you trust those hosts on those subnets more than the open internet.</p><p> </p><p> </p><p class="norm"> <br/>
</p><p class="norm"><br/></p><p class="norm"></p><blockquote class="rt"><div dir="ltr">Just to be clear, the servers are authoritative<br/></div><br/><div class="gmail_quote"><div class="gmail_attr" dir="ltr">On Tue, Mar 8, 2022 at 5:27 AM Ritah Mulinde <<a href="mailto:rytaluv@gmail.com">rytaluv@gmail.com</a>> wrote:<br/></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Thank you Mark</div><div><br/></div><div>I am a bit new to this. How do I fix that??<br/></div></div><br/><div class="gmail_quote"><div class="gmail_attr" dir="ltr">On Tue, Mar 8, 2022 at 5:19 AM Mark Andrews <<a href="mailto:marka@isc.org" target="_blank">marka@isc.org</a>> wrote:<br/></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Presumably you are making recursive queries and you are denying them.<br/>
<br/>
> On 8 Mar 2022, at 12:44, Ritah Mulinde <<a href="mailto:rytaluv@gmail.com" target="_blank">rytaluv@gmail.com</a>> wrote:<br/>
> <br/>
> Hi Guys<br/>
> Just got my primary and secondary name servers running.<br/>
> <br/>
> However, when I reload rndc and tail the syslogs all I get is "(xxxx.xx.com): query (cache) 'cccc.xx.com/A/IN' denied"<br/>
> <br/>
> Not sure why.<br/>
> <br/>
> Kindly asking for some pointers on where to start looking<br/>
> <br/>
> <br/>
> Thank you<br/>
<br/>
-- <br/>
Mark Andrews, ISC<br/>
1 Seymour St., Dundas Valley, NSW 2117, Australia<br/>
PHONE: +61 2 9871 4742 INTERNET: <a href="mailto:marka@isc.org" target="_blank">marka@isc.org</a><br/>
<br/>
</blockquote></div>
</blockquote></div>
</blockquote><div class="email-signature"><br/>
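</div>
<p class="norm">An added example, not part of the original thread and not ISC code: a Python script that triages the "query (cache) ... denied" syslog lines from the original question by client address, separating denials for hosts you would list in the local-nets ACL from denials for everyone else. The subnets, hostnames and log lines are constructed, and the "client [@0x...] ADDR#PORT (QNAME):" prefix is an assumption about how named formats these lines on your version.</p>

```python
import ipaddress
import re
from collections import Counter

# Assumption: the subnets you would put in the "local-nets" ACL (documentation ranges).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:10::/48")]

# Assumed layout: client [@0x...] ADDR#PORT (QNAME): query (cache) 'QNAME/TYPE/CLASS' denied
# Only the client address is captured; the optional @0x... token appears in newer releases.
DENIED = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?([0-9A-Fa-f:.]+)#\d+ \([^)]*\): "
    r"query \(cache\) '[^']+' denied"
)

# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = [
    "Mar  8 12:44:01 ns1 named[911]: client @0x7f2a1c0 192.0.2.25#40112 (cccc.example.com): query (cache) 'cccc.example.com/A/IN' denied",
    "Mar  8 12:44:02 ns1 named[911]: client @0x7f2a1c0 192.0.2.25#40113 (mail.example.org): query (cache) 'mail.example.org/MX/IN' denied",
    "Mar  8 12:44:05 ns1 named[911]: client 203.0.113.77#5353 (probe.example.net): query (cache) 'probe.example.net/ANY/IN' denied",
    "Mar  8 12:44:09 ns1 named[911]: client @0x7f2a1c0 2001:db8:10::5#51000 (www.example.com): query (cache) 'www.example.com/AAAA/IN' denied",
    "Mar  8 12:44:10 ns1 named[911]: zone example.com/IN: loaded serial 2022030801",
]

def triage(lines, local_nets=LOCAL_NETS):
    """Count denied cache (recursive) queries per client, split by ACL membership."""
    internal, external = Counter(), Counter()
    for line in lines:
        m = DENIED.search(line)
        if m is None:
            continue  # not a denied cache query
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed address field; skip rather than guess
        trusted = any(addr in net for net in local_nets)
        (internal if trusted else external)[str(addr)] += 1
    return internal, external

if __name__ == "__main__":
    internal, external = triage(SAMPLE_LOG)
    print("denied, inside local-nets :", dict(internal))
    print("denied, outside local-nets:", dict(external))
```

<p class="norm">Clients in the first counter are the ones an allow-recursion { local-nets; }; entry would start answering; clients in the second are the denial doing its job on an authoritative server.</p>
<div class="email-signature">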
</div></body>