Dmitry Rybin wrote:
Barry Margolin wrote:
In article <mailman.1159.1259764844.14796.bind-us...@lists.isc.org>,
Dmitry Rybin <kirg...@corbina.net> wrote:

Hello!

I can't find in the docs how to disable the answer (REFUSED) if recursion for an IP is not allowed?

What do you expect it to do instead? Not respond at all?
Drop the disallowed request.

This is not compatible with the DNS protocol, as defined in:

RFC 1034, Section 4.3.1:

---

If recursive service is requested and available, the recursive response
to a query will be one of the following:

  - The answer to the query, possibly preface by one or more CNAME
    RRs that specify aliases encountered on the way to an answer.

  - A name error indicating that the name does not exist.  This
    may include CNAME RRs that indicate that the original query
    name was an alias for a name which does not exist.

  - A temporary error indication.

If recursive service is not requested or is not available, the non-
recursive response will be one of the following:

  - An authoritative name error indicating that the name does not
    exist.

  - A temporary error indication.

  - Some combination of:

    RRs that answer the question, together with an indication
    whether the data comes from a zone or is cached.

    A referral to name servers which have zones which are closer
    ancestors to the name than the server sending the reply.

  - RRs that the name server thinks will prove useful to the
    requester.

---

Note that "no response" is not one of the options.

You should probably implement this outside of DNS and BIND, e.g. a stateful 
firewall which would, by policy, drop incoming DNS query packets from certain 
source-address ranges that have the RD bit set in the DNS query packet header.

                                                        - Kevin
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
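The filtering policy Kevin describes, worked through as an added example (this is not code from the thread, from BIND, or from ISC): a user-space model of the packet filter's decision, so the exact bit a firewall rule has to match is unambiguous. The RD flag is bit 8 of the 16-bit flags word, i.e. the low bit (mask 0x01) of byte 2 of the DNS header, which sits right after the 8-byte UDP header. The address ranges, query names and packets below are constructed for the example; the decision function only drops queries (QR=0) that request recursion (RD=1) from a source outside the allowed networks, so non-recursive queries for zones the server is authoritative for keep flowing.

```python
"""Model of "drop recursive queries from outside the allowed ranges".

Added example, not part of the bind-users thread. Networks, names and packets
are constructed for illustration.
"""
import ipaddress
import struct

# Assumption for the example: the ranges that may use this resolver recursively
# (the same ranges one would put in BIND's allow-recursion ACL).
RECURSION_ALLOWED = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

RD_MASK = 0x0100  # RD is bit 8 of the flags word (bit 0 of header byte 2)


def build_query(qname: str, rd: bool, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query message: 12-byte header plus one A/IN question."""
    flags = RD_MASK if rd else 0x0000  # QR=0 (query), OPCODE=0 (QUERY)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    question += b"\x00" + struct.pack("!HH", 1, 1)  # root label, QTYPE=A, QCLASS=IN
    return header + question


def parse_header(message: bytes) -> dict:
    """Decode the fields of the DNS header that the filter needs."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,        # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,  # 0 = standard QUERY
        "rd": (flags >> 8) & 1,         # recursion desired
        "qdcount": qdcount,
    }


def should_drop(src_ip: str, message: bytes, allowed=RECURSION_ALLOWED) -> bool:
    """Firewall policy: True means silently drop the datagram.

    Only *queries* with RD set from outside the allowed ranges are dropped.
    Responses and RD=0 queries pass, so authoritative service is unaffected.
    A packet too short to carry a DNS header is dropped as well: there is no
    valid query in it to answer.
    """
    try:
        hdr = parse_header(message)
    except ValueError:
        return True
    if hdr["qr"] != 0 or hdr["rd"] != 1:
        return False
    src = ipaddress.ip_address(src_ip)
    return not any(src in net for net in allowed)


def rd_bit_from_wire(message: bytes) -> int:
    """The single bit a raw-payload firewall match would test: header byte 2 & 0x01."""
    return message[2] & 0x01


if __name__ == "__main__":
    cases = [
        ("203.0.113.5", build_query("example.com.", rd=True)),   # outside, RD=1 -> drop
        ("10.1.2.3", build_query("example.com.", rd=True)),      # inside, RD=1 -> pass
        ("203.0.113.5", build_query("example.com.", rd=False)),  # outside, RD=0 -> pass
    ]
    for src, msg in cases:
        print(src, "RD=%d" % rd_bit_from_wire(msg), "drop" if should_drop(src, msg) else "pass")
```

In a real rule the same test is a raw payload match on the UDP payload (with nftables, a `@th,<bit offset>,1` expression on the transport header; the RD bit is 64 + 16 + 7 = 87 bits in, but verify the offset against a capture before deploying, as the exact syntax and offset are an assumption here, not taken from the thread). Two caveats a practitioner should keep in mind: over TCP the DNS message is prefixed by a two-byte length field, so the offset differs and a stateful filter has to look into the stream rather than the first datagram; and dropping instead of answering REFUSED means misconfigured clients in the blocked ranges time out and retry rather than failing fast, so the REFUSED behaviour BIND produces from its `allow-recursion` ACL is usually the friendlier default.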