On Dec 2, 2009, at 6:40 AM, Dmitry Rybin wrote:

> Hello!
>
> I can't find in the docs how to disable the answer (Refused) if recursion
> for an IP is not allowed?

Something like this should work:

_________________________________
options {
	directory "/var/named";
};

acl authorized-clients {
	192.0.2.1;
};

view caching-server {
	match-recursive-only yes;
	blackhole { ! authorized-clients; any; };
	// any other resolution configuration goes here
};

view auth-server {
	// zones go here
};
_________________________________

Note that there is no need to use the allow-query-cache, allow-query, allow-recursion, or recursion statements in either view. All recursive queries will be caught by the first view, which will drop queries by unauthorized clients - no refusal will be sent.

If an authorized client sends a recursive query to the server for local authoritative data, as long as the NS records are configured correctly (possibly along with stub zone statements in the caching-server view), the server will query itself (iteratively, so hitting the auth-server view) and find the data.

The only way in which this differs from what you want is, if someone sends a recursive query for your authoritative zone data from an unauthorized IP, the query will be dropped. But this will probably only happen in testing with dig or nslookup, and it can be worked around (by the user) by turning off the RD flag in the request.

Chris Buxton
Professional Services
Men & Mice
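
Added example, not part of the original message: a small probe for checking the behaviour described above against your own server, sending the same question once with the RD flag set and once with it cleared. The function names (build_query, classify, probe) are hypothetical, and the server address and zone name are supplied by you. By the message's description, an unauthorized client should see "dropped" with RD=1 and "answered" with RD=0 for authoritative data.

```python
import socket
import struct
import sys

RD = 0x0100    # "recursion desired" bit in the DNS header flags word
REFUSED = 5    # RCODE a server returns when it declines to answer

def build_query(name, recurse, qid=0x1234, qtype=1):
    """Encode a single-question DNS query (default type A, class IN)."""
    header = struct.pack("!HHHHHH", qid, RD if recurse else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def classify(reply):
    """Describe a raw UDP reply; None stands for a timeout."""
    if reply is None:
        return "dropped"
    if len(reply) < 12:
        return "malformed"
    rcode = struct.unpack("!H", reply[2:4])[0] & 0x000F
    return {0: "answered", REFUSED: "refused"}.get(rcode, f"rcode {rcode}")

def probe(server, name, recurse, timeout=3.0, port=53):
    """Send one query over UDP and classify what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, recurse), (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            reply = None
    return classify(reply)

if __name__ == "__main__":
    # Usage: python3 probe.py <server-ip> <name-in-an-authoritative-zone>
    server, name = sys.argv[1], sys.argv[2]
    for recurse in (True, False):
        label = "RD=1" if recurse else "RD=0"
        print(label, "->", probe(server, name, recurse))
```

A single timeout can also be packet loss, so repeat the probe before concluding that the query was dropped.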