Hi Fred,

> It seems as though somehow that behavior is implicit in allowing / 
> disallowing recursion by the server.

I think this is right. I think isc.org ns servers return "REFUSED"
because they have recursion disabled and are not authoritative for
what you have asked for ('.' TXT) (and you used +norec in your dig
query anyway).  You implied that you have recursion enabled, I think.

If I ask my own test resolver in the same manner I get no answer/no
error and the '.' SOA in the authority section:

% dig . TXT @192.168.40.42 +norec

; <<>> DiG 9.10.6 <<>> . TXT @192.168.40.42 +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15715
;; flags: qr ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;.                IN    TXT

;; AUTHORITY SECTION:
.            86400    IN    SOA    a.root-servers.net.
nstld.verisign-grs.com. 2025090601 1800 900 604800 86400

;; Query time: 14 msec
;; SERVER: 192.168.40.42#53(192.168.40.42)
;; WHEN: Sat Sep 06 16:40:47 EDT 2025
;; MSG SIZE  rcvd: 103

I have a vague memory that this is the correct behavior as described
in RFC 1034 and 1035.

As for whether you are missing something else that would allow you to
achieve your goal, I'll let others answer.

Thank you,
Darren Ankney

On Sat, Sep 6, 2025 at 2:27 PM Fred Morris <m3...@m3047.net> wrote:
>
> So I have a BIND server which is publicly exposed, but which is not
> referenced from the canonical tree we call "The DNS". It serves as a
> firewall / DNS "WAF" for resources which it recurses to obtain.
>
> People (bad, misinformed people) issue queries to it, for things which it
> is not intended or capable of answering: it is not a general-purpose
> recursing resolver:
>
> # perl -ne 'm/query: (\S+) (\S+) (\S+)/ && printf "%s\n", join( "\t", $1, $2, $3);' bind-queries.log | sort | uniq -c | sort -rnk1 | grep -vE '^ +1 '
>     1912 gsu.edu IN      ANY
>       13 sl      IN      ANY
>       10 isc.org IN      TXT
>       10 isc.org IN      ANY
>       10 cloudflare.com  IN      DNSKEY
>        9 version.bind    CH      TXT
>        9 ripe.net        IN      DNSKEY
>        9 cloudflare.com  IN      ANY
>        8 ripe.net        IN      TXT
>        8 ripe.net        IN      ANY
>        8 isc.org IN      DNSKEY
>        8 cloudflare.com  IN      TXT
>        6 vtb.com IN      ANY
>        3 collectd.org    IN      ANY
>        2 VERSION.BIND    CH      TXT
>        2 hostname.bind   CH      TXT
>        2 hbtbank.com     IN      TXT
>        2 hbtbank.com     IN      ANY
>        2 direct.shodan.io        IN      A
>
> (That's a taste from the past 24 hours.)
>
> It can't answer any of those questions, and properly enough given that it
> recurses, answers NXDOMAIN. For completeness, you get essentially the
> same answer if you ask +norecurse. But the mote in my eye is the AUTHORITY
> section, which contains a referral to root (".") which references this
> server, not the canonical roots. Mockapetris can holster his sidearm,
> because this server is not part of The DNS.
>
> However if I ask one of ISC's nameservers (ns1.isc.org) running BIND
> 9.18.38 according to version.bind for something which it is not
> authoritative for it answers REFUSED, with no referral in AUTHORITY. I'd
> like to be able to do that.
>
> # dig @ns1.isc.org . TXT +norecurse
>
> ; <<>> DiG 9.12.3-P1 <<>> @ns1.isc.org . TXT +norecurse
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 21168
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: 8aef89922fc3d6b60100000068bc7b689f633c48a5f93945 (good)
> ;; QUESTION SECTION:
> ;.                              IN      TXT
>
> ;; Query time: 35 msec
> ;; SERVER: 149.20.2.26#53(149.20.2.26)
> ;; WHEN: Sat Sep 06 11:20:24 PDT 2025
> ;; MSG SIZE  rcvd: 56
>
> It would be nice if I could achieve this behavior, IN CASE someone else
> running a server for this purpose intentionally or inadvertently put it in
> The DNS (tree). Just so Mockapetris doesn't come gunning for them.
>
> It seems as though somehow that behavior is implicit in allowing /
> disallowing recursion by the server. I could modify the code and recompile
> so that it answered everything "AA"; in fact I'd be pleased if this server
> straight up lied and claimed to be authoritative for all of the domains it
> legitimately queries, just saying. I don't know if I'd have to do some
> additional work to get it to answer REFUSED.
>
> It occurred to me that RPZ would be an option; but the RPZ implementation
> has no option to return REFUSED.
>
> Am I missing something?
>
> --
>
> Fred Morris, internet plumber
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list.
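The two dig outputs in this thread differ in exactly the bits Fred is asking about: the RCODE (REFUSED versus NOERROR), the header flags, and whether AUTHORITY carries an SOA whose MNAME names a particular server. The following Python is an added example, not code from Fred, Darren or ISC: a small wire-format parser that decodes a DNS reply and reports which of the two behaviours it shows. The two sample messages are constructed from the IDs, flags, TTL and SOA fields visible in the quoted dig output (the byte layout, compression pointer and EDNS record are assumptions; the constructed messages are not byte-for-byte captures and their sizes will not match the MSG SIZE lines).

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
FLAG_BITS = (("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200), ("rd", 0x0100),
             ("ra", 0x0080), ("ad", 0x0020), ("cd", 0x0010))
TYPE_SOA, TYPE_TXT, TYPE_OPT = 6, 16, 41
CLASS_IN = 1


def flag_names(flags):
    """Render the header flag bits the way dig prints them (e.g. 'qr ra ad')."""
    return " ".join(name for name, bit in FLAG_BITS if flags & bit)


def encode_name(name):
    """Wire-encode a dotted name; the root '.' is a single zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Decode a possibly compressed name at off; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Parse header, question and the three RR sections of a wire-format reply."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    resp = {"id": ident, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "flags": flag_names(flags), "questions": questions}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            # keep the RDATA offset so names inside it can still follow pointers
            rrs.append((name, rtype, rclass, ttl, off, rdlen))
            off += rdlen
        resp[section] = rrs
    return resp


def classify(msg):
    """Distinguish REFUSED from a NOERROR/NXDOMAIN negative answer carrying an SOA."""
    r = parse_response(msg)
    if r["rcode"] == "REFUSED":
        return "REFUSED: query declined, nothing in AUTHORITY"
    soa = [rr for rr in r["authority"] if rr[1] == TYPE_SOA]
    if not r["answer"] and soa:
        mname = read_name(msg, soa[0][4])[0]          # SOA MNAME names the primary
        return f"{r['rcode']} with SOA for {soa[0][0]} in AUTHORITY (primary {mname})"
    return r["rcode"]


def build_message(ident, flags, question, authority=(), additional=()):
    """Assemble a reply; RR owner names are passed as wire bytes so pointers work."""
    qname, qtype, qclass = question
    msg = struct.pack("!HHHHHH", ident, flags, 1, 0, len(authority), len(additional))
    msg += encode_name(qname) + struct.pack("!HH", qtype, qclass)
    for owner, rtype, rclass, ttl, rdata in list(authority) + list(additional):
        msg += owner + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return msg


# Constructed samples modelled on the two dig outputs in the thread (not captures).
OPT_RR = (b"\x00", TYPE_OPT, 1232, 0, b"")            # EDNS0, udp size 1232
SOA_RDATA = (encode_name("a.root-servers.net.") + encode_name("nstld.verisign-grs.com.")
             + struct.pack("!IIIII", 2025090601, 1800, 900, 604800, 86400))
SAMPLE_REFUSED = build_message(21168, 0x8005, (".", TYPE_TXT, CLASS_IN),
                               additional=[OPT_RR])             # flags: qr, RCODE 5
SAMPLE_NODATA = build_message(15715, 0x80A0, (".", TYPE_TXT, CLASS_IN),
                              authority=[(b"\xc0\x0c", TYPE_SOA, CLASS_IN, 86400, SOA_RDATA)],
                              additional=[OPT_RR])              # flags: qr ra ad

if __name__ == "__main__":
    for sample in (SAMPLE_REFUSED, SAMPLE_NODATA):
        print(classify(sample))
```

Pointing `classify()` at bytes read from a real socket would let you check a server of your own the same way: a REFUSED reply carries an empty AUTHORITY section, while the negative answer Darren's resolver returns carries the '.' SOA, and its MNAME is where a referral to the wrong server would show up.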