Let's not overthink this. I fear that I've activated a lot of creative circuitry in individuals and provided flimsy details around my example.

There are no outside clients. In this example, I'm only discussing inside clients on inside DNS. The recursive resolvers that ALL inside clients connect to will seek responses from the DNS root servers AFTER determining that the response cannot be determined from the internal DNS zones. There is no access provided to outside (internet-centric) clients to inside DNS.

The determination of known/unknown clients is via a NAC layer and, further, the classification of unknown gets automatically assigned to those clients coming in through GUEST WiFi (e.g. cell phones, iPads, etc.). Most organizations with a NAC layer in place have procedures to allow unknown clients temporary access at some level (e.g. vendors, etc.).

HTH,
Bob