Suppress BIND authority section on authoritative server with recursion disabled
I'm running an authoritative server with recursion disabled for hosts not in my network on BIND 9.11.3. When querying for domains not under the server's authority from a host outside my network, I get no answer and a list of root servers in the authority section. I understand why this happens, and I'm wondering if it's possible to disable the authority section entirely. Is there an option similar to minimal-responses that will not return any authority data when recursion is not available?
Example dig:
; <<>> DiG 9.11.3-1ubuntu1.1-Ubuntu <<>> @NS google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6847
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 5ed7760df1d65f05baba487c5b75a318b3065456b81ca133 (good)
;; QUESTION SECTION:
;google.com. IN A
;; AUTHORITY SECTION:
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
;; Query time: 36 msec
My options look like this:
options {
    listen-on { any; };
    directory "/var/cache/bind";
    allow-recursion { acls; };
    rate-limit {
        responses-per-second 10;
        exempt-clients { acls; };
        window 5;
    };
    allow-query-cache { any; };
    allow-query { any; };
    allow-update { none; };
    dnssec-enable no;
    dnssec-validation no;
    minimal-responses yes;
    forwarders {
        208.67.222.222;
        208.67.220.220;
    };
};
ubuntu domain-name-system bind
asked Aug 16 at 16:55
asmth00
2 Answers
I did some quick testing, and believe your problem is related to the following line:
allow-query-cache { any; };
Your configuration is disallowing recursion to the public, but still allowing cache access. Normally a remote client would receive an rcode of REFUSED when recursion is not enabled, but since access to the cache has been explicitly allowed, the client is receiving the most specific answer that is possible from a cache that does not contain that response.
The DNS professional in me would recommend disabling recursion+caching on an authoritative server in all circumstances where there is not an explicit need. If you are convinced that you need to retain this functionality, then it would be best to apply the same ACL to both (or simply remove allow-query-cache altogether, since it defaults to the value of allow-recursion).
answered Aug 16 at 17:43
Andrew B
That would make sense. Thanks much! – asmth00, Aug 16 at 18:45
I wouldn't consider what you describe normal behavior for BIND9 (it certainly doesn't behave like that with the default config), however I'm pretty sure I understand what causes it.
Your authoritative server also has recursion enabled (not necessarily a good idea) but locked down (better), however you are specifically allowing everyone access to already cached results.
If you remove allow-query-cache { any; };, it should answer REFUSED (as expected).
answered Aug 16 at 17:44
Håkan Lindqvist
Within a minute of each other. Nice! – Andrew B, Aug 16 at 17:50
Thanks as well. :) – asmth00, Aug 16 at 18:46
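As an added check, not part of the question or either answer, this Python snippet pulls allow-recursion and allow-query-cache out of a named.conf options block and flags the mismatch both answers diagnose: a cache ACL wider than the recursion ACL, which is what turns REFUSED into a root-hint referral for outside clients. It uses the asker's options (braces restored) as constructed input and assumes BIND's documented defaults: allow-query-cache inherits allow-recursion, which itself defaults to localhost and localnets.

```python
import re

# Constructed sample: the options block from the question, with the braces
# that the page extraction had dropped put back.
QUESTION_OPTIONS = """
options {
    listen-on { any; };
    directory "/var/cache/bind";
    allow-recursion { acls; };
    allow-query-cache { any; };
    allow-query { any; };
    minimal-responses yes;
};
"""

def acl(options_text, name):
    """Return the element list of `name { ...; };`, or None if not set."""
    m = re.search(r'\b' + re.escape(name) + r'\s*\{([^}]*)\}\s*;', options_text)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(';') if e.strip()]

def check_cache_exposure(options_text):
    """Classify who may read the cache relative to who may recurse.

    Returns (status, reason). 'exposed' is the situation in the question:
    recursion restricted to an ACL, but the cache explicitly opened to any."""
    recursion = acl(options_text, 'allow-recursion')
    if recursion is None:
        recursion = ['localhost', 'localnets']   # BIND built-in default
    cache = acl(options_text, 'allow-query-cache')
    if cache is None:
        cache = recursion                         # inherits allow-recursion
    if cache == recursion:
        return 'ok', 'allow-query-cache matches allow-recursion'
    if 'any' in cache and 'any' not in recursion:
        return 'exposed', 'allow-query-cache { any; } is wider than allow-recursion'
    return 'mismatch', 'allow-query-cache differs from allow-recursion'

def harden(options_text):
    """Apply the fix from both answers: drop the explicit allow-query-cache
    so it falls back to the allow-recursion ACL."""
    return re.sub(r'[ \t]*allow-query-cache\s*\{[^}]*\}\s*;\n?', '', options_text)

if __name__ == '__main__':
    print(check_cache_exposure(QUESTION_OPTIONS))          # exposed
    print(check_cache_exposure(harden(QUESTION_OPTIONS)))  # ok
```

Running the check before and after harden() on your own named.conf options block shows whether the cache ACL is still wider than the recursion ACL.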