Stop recursive queries for particular zone... is it possible?

Mark_Andrews at isc.org
Tue Sep 16 01:07:08 UTC 2003


> Hi there,
> 
> I have two BIND 8.3.4 DNS servers, say 'dns1' and 'dns2'. dns2 has
> 'forward first' and 'forwarders { dns1 }' in its BIND config file.
> dns1 slaves a realtime blacklist from a commercial provider, and
> naturally I'm not allowed to let anyone on the Internet query this
> zone, so I've set up an 'allow-query' section on dns1 for this RBL
> zone to only allow my servers to query the zone.

	Using 'forward first' to present a different view of the
	world is not safe.
 
> dns2 is both an MX and a name server. 

	What type of nameserver?  Authoritative?  Caching, and to whom?

> Sendmail on dns2 must be able to
> query the RBL zone on dns1, but I don't want to allow BIND on dns2 to
> query the RBL zone, as this would allow hosts on the Internet to
> recursively query the RBL zone through dns2.

	The obvious question to ask here is "why are you allowing
	hosts on the Internet recursive access?"
 
> So... if I could disallow BIND on dns2 from knowing anything about the
> RBL zone on dns1, that would solve my problem... or, if I could
> disallow recursive queries of the RBL zone on dns2, that would also
> solve my problem. Can anyone suggest how I might achieve either of
> these things, or suggest another approach?
> 
> Thanks,
> Guy.

	I would have dns2 set up as a slave to dns1 for the rbl zone
	and just have an allow-query on it.  I would also look at
	potentially overriding the max-refresh/max-retry so that
	changes don't take so long to propagate between the two
	servers.  Without doing this they could take twice as long
	as the refresh interval to appear on dns2.

--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
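The arrangement Mark describes, written out as an added named.conf example (not part of the thread; the zone name, the addresses 192.0.2.1 for dns1 and 192.0.2.2 for dns2, and the 192.0.2.0/24 local network are constructed placeholders, and the keywords are given in the form BIND 9 accepts, so check them against the 8.3.4 documentation before use):

```conf
// --- dns1 (holds the RBL zone as a slave of the commercial provider) ---
zone "rbl.example.net" {
    type slave;
    masters { 203.0.113.10; };        // placeholder: provider's master
    file "slave/rbl.example.net";
    // Only our own servers may query the zone ...
    allow-query    { 127.0.0.1; 192.0.2.0/24; };
    // ... and dns2 must additionally be allowed to transfer it.
    allow-transfer { 192.0.2.2; };
    also-notify    { 192.0.2.2; };    // push changes to dns2 promptly
};

// --- dns2 (MX host; slaves the RBL zone from dns1) ---
options {
    // Answer recursive queries only for the local network, never for
    // arbitrary Internet hosts; this is the question Mark raises above.
    allow-recursion { 127.0.0.1; 192.0.2.0/24; };
};

zone "rbl.example.net" {
    type slave;
    masters { 192.0.2.1; };           // dns1
    file "slave/rbl.example.net";
    // Sendmail on this host queries via 127.0.0.1; nobody else gets an answer.
    allow-query    { 127.0.0.1; 192.0.2.0/24; };
    allow-transfer { none; };
    // Cap how long dns2 waits before re-checking the serial on dns1, so a
    // change does not take up to twice the provider's refresh interval
    // to show up here (values in seconds).
    max-refresh-time 600;
    max-retry-time   300;
};
```

With this in place there is no 'forward first' path to the zone at all: dns2 answers from its own copy and refuses the query to anyone outside allow-query.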

