named selectively denies recursion

Hoary Hairy Hoax colonel at monmouth.com
Fri Mar 7 22:30:51 UTC 2008


I have a Linux name service daemon with a simple and open configuration.
Its options include "recursion: yes;"; this is the default, but I wanted
to make sure.  In the main configuration file and the zone files, this is
the only option governing acceptance of queries in general or recursive
queries in particular.

The server consistently accepts recursive queries from some hosts, and
denies recursion to others.  According to tcpdump on the server host, the
server denies recursion autonomously without consulting any other servers.

Apparently, if the client host's address lies outside the IP range for
the server host's network interface, the server declares recursion
unavailable and responds by refusing the query.  These hosts are all on
the same virtual LAN.  No IP addresses are being translated.  I don't
think it would matter if they were.

Can anybody suggest why the BIND daemon denies recursion selectively?

-:-
        Although men are not laboratory animals, they often behave
        as though they are.  Sometimes they are put in cages and
        treated like rats, manipulated and sacrificed at the will
        of their masters. . . . But always, such a caged person
        hopes or fears that some force greater than himself, the
        Great Experimenter or the Great Computer, will change or
        end it all.

                                                --Eric Berne (1972)
-- 
Col. George Sicherman
home: colonel at mail.monmouth.com
work: gsicherman at vonage.com
web: <http://www.monmouth.com/~colonel/>
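
An added example, not part of the original post: a Python check for the pattern described above. It decodes the DNS header of each captured response to detect "recursion unavailable" (RA clear) with RCODE REFUSED, then tests whether denial lines up with the client lying outside the server interface's network, which is also what BIND's built-in `localnets` ACL matches. All addresses, networks and header bytes are constructed sample values, and the function names are hypothetical.

```python
import ipaddress
import struct

REFUSED = 5  # RCODE 5 in RFC 1035

def parse_dns_flags(msg: bytes) -> dict:
    """Decode ID and flag bits from the 12-byte DNS header (RFC 1035, 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags = struct.unpack("!HH", msg[:4])
    return {"id": ident, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F}

def recursion_denied(msg: bytes) -> bool:
    """True for a response to an RD=1 query that has RA=0 and RCODE=REFUSED."""
    h = parse_dns_flags(msg)
    return h["qr"] and h["rd"] and not h["ra"] and h["rcode"] == REFUSED

def in_interface_nets(client: str, interfaces: list) -> bool:
    """True if client is inside any network configured on a server interface."""
    addr = ipaddress.ip_address(client)
    return any(addr in ipaddress.ip_interface(i).network for i in interfaces)

def mismatches(observations: dict, interfaces: list) -> list:
    """Clients whose result contradicts 'denied exactly when off-network'."""
    return [c for c, resp in observations.items()
            if recursion_denied(resp) == in_interface_nets(c, interfaces)]

# Constructed sample data (documentation address ranges, hand-built headers).
SERVER_INTERFACES = ["192.0.2.1/25"]
GRANTED = bytes.fromhex("123481800001000100000000")  # QR RD RA, NOERROR
DENIED = bytes.fromhex("123481050001000000000000")   # QR RD, RA clear, REFUSED
OBSERVED = {
    "192.0.2.10": GRANTED,    # inside 192.0.2.0/25
    "192.0.2.200": DENIED,    # same wire, outside the /25
    "198.51.100.7": DENIED,   # different network
}

if __name__ == "__main__":
    for client, resp in OBSERVED.items():
        print(client, "on-net" if in_interface_nets(client, SERVER_INTERFACES)
              else "off-net", "denied" if recursion_denied(resp) else "granted")
    print("contradictions:", mismatches(OBSERVED, SERVER_INTERFACES))
```

An empty contradictions list means every observed response fits the "denied exactly when off-network" hypothesis; any client listed there points to a different cause.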

