Unexpected "REFUSED" response.

Jim Reid jim at rfc1035.com
Mon May 17 23:05:54 UTC 2004


>>>>> "Neil" == Neil W Rickert <rickert+nn at cs.niu.edu> writes:

    >> Could you have some sort of global ACL, say for
    >> allow-recursion? A

    Neil> I did mention in my original post, that access is restricted
    Neil> from off campus.  That is done with

    Neil> allow-query { niu ; } ; 
    Neil> allow-recursion { niu ; } ;

Er, no. You didn't mention that. Until now... :-)

    Neil> Yes, I understand what has happened.  Since max.niu.edu is a
    Neil> CNAME, these restrictions deny access to a lookup of the
    Neil> CNAME destination.

No! It's got nothing to do with what record types exist or don't exist
for max.niu.edu.

    Neil> Access is explicitly allowed for niu.edu.  So why does named
    Neil> not return the CNAME record, and set the recursion-denied
    Neil> flag to indicate why it won't look up the CNAME destination?

Because you told it not to do that! Read on...

BTW, there's no "recursion-denied flag". Your server returns a REFUSED
response code when it finds the query matches some criteria that
you've told the server are considered unwelcome. I quote from RFC2136:

   RCODE   Response code - this four bit field is undefined in requests
           and set in responses.  The values and meanings of this field
           within responses are as follows:

              REFUSED     5       The name server refuses to perform the
                                  specified operation for policy or
                                  security reasons.

So for operational or security reasons -- your ACLs in other words --
your server is not answering recursive queries from outside. It's not
the server's fault that it's only doing what it was told to do rather
than what you thought you'd told it to do.

    Neil> It seems strange to get REFUSED on a lookup for a name for
    Neil> which access was explicitly allowed.

Why? Access wasn't explicitly allowed! You configured your name server
to refuse those queries and that's just what the name server did!

It seems your named.conf file looks something like this:

options {
	// global ACLs: only addresses in the "niu" ACL may query or recurse
	allow-query { niu; };
	allow-recursion { niu; };
	...
};

zone "niu.edu" {
	....
	// zone-specific ACL: takes precedence over the global allow-query
	allow-query { any; };
};

You could have posted the damn file instead of expecting this list to
guess its contents based on your slightly garbled and confusing
postings. Oh well.

The above configuration doesn't work as you expected. But you should
already know that. :-) A recursive query from outside won't match the
global allow-recursion ACL. So they get refused. The name server will
reject these. Which is what you see happening. Recursive queries from
addresses not in your niu ACL don't get through. Non-recursive queries
from outside for something in niu.edu won't get matched against those
global allow-query or allow-recursion ACLs. They will get checked
against the zone-specific ACL. [Remember zone-specific ACLs take
precedence over the global ones.] That ACL allows anyone to make
queries. But by implication those queries would have to be
non-recursive if they come from an address not in the niu ACL: i.e. from
outside.
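To make that precedence rule concrete, here is a small Python model of the decision as it is described above (an added example, not code from this thread or from BIND itself); the campus prefix, the client addresses and the simplified three-step policy are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed ACLs (the campus prefix is made up for this example).
ACLS = {
    "niu": ["131.156.0.0/16"],
    "any": ["0.0.0.0/0"],
}

@dataclass
class Config:
    allow_query: str                  # global allow-query ACL name
    allow_recursion: str              # global allow-recursion ACL name
    zone_allow_query: dict = field(default_factory=dict)  # zone -> ACL name

def in_acl(acl_name: str, client_ip: str) -> bool:
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in ACLS[acl_name])

def zone_for(cfg: Config, qname: str):
    """Longest configured zone that contains qname, or None."""
    qname = qname.rstrip(".").lower()
    hits = [z for z in cfg.zone_allow_query
            if qname == z or qname.endswith("." + z)]
    return max(hits, key=len) if hits else None

def decide(cfg: Config, client_ip: str, qname: str, rd: bool) -> str:
    """Return "ANSWER" or "REFUSED" following the policy described above.

    This models the explanation in the thread, not BIND's real code path:
    1. RD set and client outside allow-recursion -> REFUSED (RCODE 5);
    2. otherwise a name inside a configured zone is checked against that
       zone's allow-query, which takes precedence over the global one;
    3. any other name is checked against the global allow-query.
    """
    if rd and not in_acl(cfg.allow_recursion, client_ip):
        return "REFUSED"
    zone = zone_for(cfg, qname)
    acl = cfg.zone_allow_query[zone] if zone else cfg.allow_query
    return "ANSWER" if in_acl(acl, client_ip) else "REFUSED"

# The configuration reconstructed in the thread: global ACLs limited to
# the campus, zone-level allow-query opened to anyone.
CFG = Config(allow_query="niu", allow_recursion="niu",
             zone_allow_query={"niu.edu": "any"})

if __name__ == "__main__":
    for ip, name, rd in [("131.156.1.10", "max.niu.edu", True),
                         ("192.0.2.7", "max.niu.edu", True),
                         ("192.0.2.7", "max.niu.edu", False),
                         ("192.0.2.7", "www.example.com", False)]:
        print(ip, name, "rd" if rd else "norecurse", "->", decide(CFG, ip, name, rd))
```

The second case is the one Neil reported: an off-campus client sending a normal (recursive) query for a name the zone-level ACL opens to anyone still gets REFUSED, while the same query sent non-recursively is answered.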
