Unexpected "REFUSED" response.

Kevin Darcy kcd at daimlerchrysler.com
Mon May 17 21:41:50 UTC 2004


Neil W Rickert wrote:

>Queries are restricted to campus-access, except for domain for which
>the server is authoritative.  The server is running bind-9.2.3
>
>The domain is NIU.EDU.
>
>Its configuration for this domain:
>
>	zone "niu.edu" in {
>		type slave ;
>		file "cache/niu.DOM" ;
>		masters { 131.156.1.11 ; } ;
>		allow-query { any ; } ;
>	} ;
>
>A query from off-campus resulted in the unexpected:
>
>; <<>> DiG 9.2.3 <<>> @mp.cs.niu.edu max.niu.edu
>;; global options:  printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 65093
>;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;max.niu.edu.                   IN      A
>
>If I repeat the query, but with "+norec" on the command line (to
>turn off recursion), I get:
>
>;; global options:  printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30026
>;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;max.niu.edu.                   IN      A
>
>;; ANSWER SECTION:
>max.niu.edu.            86400   IN      CNAME   max.forlangs.net.
>
>When the query is made from on-campus, the result is
>
>;; global options:  printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18977
>;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;max.niu.edu.                   IN      A
>
>;; ANSWER SECTION:
>max.niu.edu.            86400   IN      CNAME   max.forlangs.net.
>
>;; AUTHORITY SECTION:
>forlangs.net.           10800   IN      SOA     wolf.niu.edu. root.wolf.niu.edu. 40 7200 3600 604800 86400
>
>The response to the initial query seems wrong to me.  I am posting
>here (via the usenet gateway) rather than the bugs address, because I
>am not quite sure whether it is a bug.
>
>I would have expected the answer to be the same as for the second
>query, but with the "recursion denied" flag set.  The fact that there
>is a negative response in cache for the CNAME destination should not,
>in my opinion, have the effect of causing a REFUSED response to the
>original lookup.
>
>I'm interested in any comments.  Preferably send comments to the
>mailing list, where I will read them via usenet.
>
I'd speculate that the authoritative servers for forlangs.net are 
blocking (or, to put it another way, not permitting) queries from the 
mp.cs.niu.edu server, or whatever forwarders it's using, if applicable. 
That would explain the REFUSED response being passed back to you. When 
you did the non-recursive query, all you got back was the CNAME record, 
which doesn't really prove anything since no query went to the 
forlangs.net nameservers in that case. When you queried from "on-campus" 
the queries were coming from some other nameserver which presumably is 
in the allow-query list on the forlangs.net nameservers, so you got back 
a proper NXDOMAIN response instead of REFUSED.

                                                                         
                                    - Kevin
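
Added example, not part of either post: a small Python parser for the dig header lines quoted above, which tabulates the status and the rd/ra/aa flags so the difference between the three responses is visible side by side. The header text is copied from the quoted output; the function names are hypothetical.

```python
import re

# Header lines copied from the three dig outputs quoted in the post.
SAMPLES = {
    "off-campus, recursive": """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 65093
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0""",
    "off-campus, +norec": """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30026
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0""",
    "on-campus, recursive": """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18977
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0""",
}

STATUS_RE = re.compile(r"status:\s*(\w+)")
FLAGS_RE = re.compile(r"flags:\s*([a-z ]*);.*?ANSWER:\s*(\d+),\s*AUTHORITY:\s*(\d+)")

def parse_dig_header(text):
    """Return status, flag set and section counts from dig header text.
    Uses search(), so '>'-quoted mail text parses as well."""
    status, flags = STATUS_RE.search(text), FLAGS_RE.search(text)
    if not status or not flags:
        raise ValueError("no dig header found")
    return {
        "status": status.group(1),
        "flags": set(flags.group(1).split()),
        "answer": int(flags.group(2)),
        "authority": int(flags.group(3)),
    }

def recursion_state(parsed):
    """rd is copied from the query; ra is set by the server when it offers recursion."""
    if "rd" not in parsed["flags"]:
        return "not requested"
    return "requested, offered" if "ra" in parsed["flags"] else "requested, not offered"

def summarize(samples):
    """Map each label to (status, recursion state, authoritative?, answer count)."""
    rows = {}
    for label, text in samples.items():
        p = parse_dig_header(text)
        rows[label] = (p["status"], recursion_state(p), "aa" in p["flags"], p["answer"])
    return rows

if __name__ == "__main__":
    for label, row in summarize(SAMPLES).items():
        print(f"{label:22} status={row[0]:9} recursion={row[1]:23} aa={row[2]} answers={row[3]}")
```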



