Disable response to specific query in BIND

Kevin Darcy kcd at daimlerchrysler.com
Tue Jun 22 22:36:05 UTC 2004


Barry Margolin wrote:

>In article <cb9tjh$1rqu$1 at sf1.isc.org>, KSP <ksp at att.com> wrote:
>
>>On a more recent version of BIND, yes it is.
>
>Even in non-recent versions.  I believe it's been allowed since BIND 8.
>
>>(from Bv9ARM)
>>
>>---snip---
>>allow-query
>>
>>    Specifies which hosts are allowed to ask ordinary DNS questions.
>>allow-query may also be specified in the zone statement, in which case it
>>overrides the options allow-query statement. If not specified, the default
>>is to allow queries from all hosts.
>>---snip---
>>
>>ksp
>>
>>On Tue, 21 Jun 2004, Sonorix wrote:
>>
>>>Is allow-query directive suitable in zone definition?
Barry,
            I think you're missing the point. allow-query is not 
permitted in a "type forward" zone definition because, essentially, it 
makes no sense ("I'll forward any query I get for this zone, but I'll 
never get any because I REFUSE them all"). This is true in BIND 9, as 
named-checkconf attests:

% named-checkconf /etc/named.conf
/tmp/named.conf:35: option 'allow-query' is not allowed in 'forward' 
zone 'example.com'
%

I would suggest that the original poster do things the "old-fashioned 
way", i.e. define an "empty" zone for the name (not truly empty, because 
of course at least one SOA and one NS record must exist). If it is 
desired to return REFUSED for the name instead of an empty answer, then 
an allow-query can be defined for the zone, as Barry described. If you 
want to do this for multiple names, you'll need multiple zone 
definitions, but you can use the same zone file for all of them.

                                                                         
                                                - Kevin
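As an added example that is not part of Kevin's post, of the thread, or of BIND's own documentation, here is the "old-fashioned way" he describes, written as shell functions that generate the zone file and the zone statements and then hand them to named-checkzone and named-checkconf when those tools are installed. The zone names (example.com, blocked.example), the file paths, and the choice of localhost. as the SOA MNAME and NS target for a zone that is never meant to answer are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or from BIND): the "empty zone"
# approach as checkable files. Zone names, paths and the use of localhost.
# as SOA MNAME / NS target are assumptions for illustration.

# One zone file can serve every blocked name: a zone only needs an SOA and an
# NS record to load, and "@" takes its origin from whichever zone statement
# references the file.
write_empty_zone() {
    cat > "$1" <<'EOF'
$TTL 3600
@   IN  SOA localhost. hostmaster.localhost. (
            1          ; serial
            3600       ; refresh
            900        ; retry
            604800     ; expire
            3600 )     ; negative-caching TTL
@   IN  NS  localhost.
EOF
}

# Zone statement for a name that should get an empty answer: a query for the
# name itself gets NODATA, a query for anything below it gets NXDOMAIN.
empty_zone_stanza() {
    printf 'zone "%s" {\n\ttype master;\n\tfile "%s";\n};\n' "$1" "$2"
}

# The same zone with allow-query { none; }, so the server answers REFUSED
# instead. This is legal because the zone is type master; in a type forward
# zone named-checkconf rejects allow-query, as the post shows.
refused_zone_stanza() {
    printf 'zone "%s" {\n\ttype master;\n\tfile "%s";\n\tallow-query { none; };\n};\n' "$1" "$2"
}

# Write one shared zone file plus a REFUSED stanza per name into $dir, then
# run BIND's checkers if they are on PATH (skipped silently otherwise).
# Usage: build_and_check /tmp/bind-empty example.com blocked.example
build_and_check() {
    dir=$1; shift
    write_empty_zone "$dir/empty.db"
    : > "$dir/named.conf"
    for name in "$@"; do
        refused_zone_stanza "$name" "$dir/empty.db" >> "$dir/named.conf"
    done
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$dir/empty.db" || return 1
    fi
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$dir/named.conf" || return 1
    fi
    return 0
}
```

Swap refused_zone_stanza for empty_zone_stanza inside build_and_check if you want an empty answer rather than REFUSED; either way every name points at the same empty.db, which is the point Kevin makes about reusing one zone file for many zone definitions.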