How to make bind 8.2.3 stop forwarding for non-customers?

Kevin Darcy kcd at daimlerchrysler.com
Tue Jul 31 21:55:26 UTC 2001


You can set a global allow-query which only permits your network(s), and then
"allow-query { any; };" for each zone you host.


- Kevin

Marc Haber wrote:

> Hi,
>
> I run a name server with bind 8.2.3 that is both authoritative for a
> bunch of zones and has been given out to our customers as a forwarder.
> I know it is a bad idea to combine these two functions on a single
> bind daemon, but that was implemented before I joined $COMPANY.
>
> I would like to have that server only work as a forwarder if the
> query originates in "my" network. I have an access list that lists my
> network, and I have the "allow_recursion" set to the acl.
>
> However, this doesn't stop my machine from answering. Instead, it
> returns the caller the best information that it currently has in its
> cache. For example, a query for www.google.com will most probably be
> accurately answered, while a query for
> some-hostname.some-obscure-vanity-domain.de will most probably be
> answered by a referral to the authoritative servers for de.
>
> Does bind 8 (bind 9?) have a configuration option to make the local
> server stop answering for any query that doesn't affect a zone that
> the server is authoritative for? Or is the best I can do "allow_query"
> for no IP addresses at all and then allowing queries for 0.0.0.0/0 in
> each zone I host?
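
The configuration Kevin describes, written out as a named.conf fragment. This is an added example, not part of the original thread; the ACL name, the address ranges (documentation prefixes), the zone name and the file name are placeholders chosen for illustration.

```conf
// Networks that may use this server as a forwarder/resolver.
// "customers" and both prefixes are placeholder values.
acl "customers" {
    192.0.2.0/24;
    198.51.100.0/24;
};

options {
    // Global default: only the listed networks may query at all.
    // Outside clients asking about names this server does not host
    // are refused instead of being handed cached data or a referral.
    allow-query { "customers"; };

    // Recursion stays limited to the same networks. On its own this
    // setting is what the question describes: recursion is denied,
    // but cached answers and referrals are still returned.
    allow-recursion { "customers"; };
};

// Each hosted zone overrides the global allow-query so the
// authoritative data remains reachable from anywhere.
zone "example.com" {
    type master;
    file "db.example.com";
    allow-query { any; };
};
```

Every authoritative zone needs its own "allow-query { any; };" statement; a zone without one inherits the restrictive global setting and stops answering outside clients.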


