Disable Refused answer
Kevin Darcy
kcd at chrysler.com
Thu Dec 3 15:04:59 UTC 2009
Dmitry Rybin wrote:
> Barry Margolin wrote:
>> In article <mailman.1159.1259764844.14796.bind-users at lists.isc.org>,
>> Dmitry Rybin <kirgudu at corbina.net> wrote:
>>
>>> Hello!
>>>
>>> I can't find in the docs how to disable the answer (Refused) if recursion for
>>> the IP is not allowed?
>>
>> What do you expect it to do instead? Not respond at all?
>>
>
> Drop the not-allowed request.
This is not compatible with the DNS protocol, as defined:
RFC 1034, Section 4.3.1:
---
   If recursive service is requested and available, the recursive response
   to a query will be one of the following:

      - The answer to the query, possibly preface by one or more CNAME
        RRs that specify aliases encountered on the way to an answer.

      - A name error indicating that the name does not exist.  This
        may include CNAME RRs that indicate that the original query
        name was an alias for a name which does not exist.

      - A temporary error indication.

   If recursive service is not requested or is not available, the non-
   recursive response will be one of the following:

      - An authoritative name error indicating that the name does not
        exist.

      - A temporary error indication.

      - Some combination of:

        RRs that answer the question, together with an indication
        whether the data comes from a zone or is cached.

        A referral to name servers which have zones which are closer
        ancestors to the name than the server sending the reply.

      - RRs that the name server thinks will prove useful to the
        requester.
---
Note that "no response" is not one of the options.
You should probably implement this outside of DNS and BIND, e.g. a stateful firewall which would, by policy, drop incoming DNS query packets from certain source-address ranges, which have the RD bit set in the DNS query packet header.
- Kevin
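The policy Kevin describes (drop, before BIND ever sees the packet, any query whose RD bit is set and whose source falls outside the ranges permitted to recurse) is a filter decision over the DNS header and the source address. The following is an added example, not part of the original thread or of BIND, that implements that decision in Python so the logic can be checked against constructed packets: the allowed ranges and the `classify` function are assumptions for illustration, and the RD bit is read from its real position in the 16-bit flags word of the DNS header (offset 2 in the UDP payload, mask 0x0100).

```python
import ipaddress
import struct

# Constructed policy for this example: source networks allowed to request recursion.
# In the firewall these would be whatever ranges the recursion ACL in named.conf permits.
RECURSION_ALLOWED = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# DNS header flags word: QR(1) Opcode(4) AA(1) TC(1) RD(1) RA(1) Z(3) RCODE(4)
QR_MASK = 0x8000
RD_MASK = 0x0100


def build_query(qname, qtype=1, rd=True, txid=0x1234):
    """Build a minimal DNS query (header + one question) as constructed test input."""
    flags = RD_MASK if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question


def rd_bit_set(packet):
    """Return True/False for the RD bit of a query, None if the packet is a response."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags = struct.unpack("!HH", packet[:4])
    if flags & QR_MASK:
        return None  # QR=1 means this is a response, not a query
    return bool(flags & RD_MASK)


def classify(src_ip, packet):
    """Firewall decision for an inbound DNS packet.

    'drop' : recursion requested (RD=1) by a source outside RECURSION_ALLOWED;
             the packet never reaches BIND, so no REFUSED is sent.
    'pass' : everything else is handed to BIND, which answers from its zones or
             applies its own ACLs as usual.
    """
    rd = rd_bit_set(packet)
    if not rd:  # RD=0 query, or a response: nothing to filter here
        return "pass"
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in RECURSION_ALLOWED):
        return "pass"
    return "drop"


if __name__ == "__main__":
    q = build_query("www.example.com")
    for src in ("192.0.2.10", "198.51.100.7"):
        print(src, classify(src, q))
```

The same match in a packet filter is a test on the third byte of the UDP payload (bit 0x01 of that byte is RD) combined with a source-address set; the point of the example is that the decision depends only on the header and the source, which is why it can live in a firewall rather than in named. Note that a host that is dropped rather than refused will sit through its resolver timeout instead of getting an immediate REFUSED, which is the trade-off Kevin's reply implies.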