On Dec 2, 2009, at 6:40 AM, Dmitry Rybin wrote:
> Hello!
>
> I can't find in docs how disable answer (Refused), if recursion for IP is not
> allowed?
Something like this should work:
_________________________________
options {
    directory "/var/named";
};

acl authorized-clients {
    192.0.2.1;
};

view caching-server {
    match-recursive-only yes;
    blackhole { ! authorized-clients; any; };
    // any other resolution configuration goes here
};

view auth-server {
    // zones go here
};
_________________________________
Note that there is no need to use the allow-query-cache, allow-query,
allow-recursion, or recursion statements in either view. All recursive queries
will be caught by the first view, which will drop queries by unauthorized
clients - no refusal will be sent.
If an authorized client sends a recursive query to the server for local
authoritative data, as long as the NS records are configured correctly
(possibly along with stub zone statements in the caching-server view), the
server will query itself (iteratively, so hitting the auth-server view) and
find the data.
The only way in which this differs from what you want is, if someone sends a
recursive query for your authoritative zone data from an unauthorized IP, the
query will be dropped. But this will probably only happen in testing with dig
or nslookup, and it can be worked around (by the user) by turning off the RD
flag in the request.
Chris Buxton
Professional Services
Men & Mice
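A small client-side check for the behaviour described above, added here as an example and not part of the original post: it builds a query with the RD flag set or cleared and reports whether the server answered, returned REFUSED, or silently dropped the packet. The server address is a placeholder to be replaced with the BIND host under test.

```python
# Added example (not from the original post): build a DNS query with the RD
# (recursion desired) bit set or cleared, and classify what comes back, so the
# drop-vs-REFUSED behaviour of the view configuration can be checked from a client.
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(qname, rd, qid=0x1234):
    """Minimal A/IN query for qname; rd=True sets the RD flag (0x0100) in the header."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_flags(packet):
    """Decode the ID and flag word of a DNS message header."""
    qid, flags = struct.unpack("!HH", packet[:4])
    rcode = flags & 0x000F
    return {"id": qid,
            "qr": bool(flags & 0x8000),
            "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080),
            "rcode": RCODES.get(rcode, str(rcode))}


def probe(server, qname, rd, timeout=2.0):
    """Send one UDP query; return 'DROPPED' on timeout, otherwise the response rcode."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname, rd), (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "DROPPED"  # blackholed: no REFUSED was sent back
    return parse_flags(data)["rcode"]


if __name__ == "__main__":
    server = "192.0.2.53"  # placeholder: address of the BIND server under test
    for rd in (True, False):
        print("RD=%d -> %s" % (rd, probe(server, "example.com", rd)))
```

Run it once from an authorized address and once from an unauthorized one; with the configuration above, the unauthorized RD=1 query should time out while the RD=0 query for authoritative data is still answered.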
_______________________________________________
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users