7.12 Restricting the Queries a Name Server Answers

7.12.1 Problem

You want to restrict the queries a name server answers.
7.12.2 Solution

Use the allow-query substatement to restrict the queries to which the name server responds. allow-query can be used as either an options substatement or a zone substatement. As an options substatement, it determines which addresses the name server will reply to for queries in any zone. Used as a zone substatement, allow-query controls which queriers can look up records in that zone, and overrides any eponymous options substatement.

This allow-query substatement allows only queriers (resolvers and name servers) on local networks to look up arbitrary domain names:

    options {
        directory "/var/named";
        allow-query { localnets; };
    };

The localnets ACL is predefined by BIND as all of the networks to which the host that runs the name server is directly connected.

In the same named.conf file, this allow-query substatement allows anyone to look up domain names in the bar.example zone:

    zone "bar.example" {
        type slave;
        masters { 10.0.0.1; };
        file "bak.bar.example";
        allow-query { any; };
    };

This particular combination of allow-query substatements is useful on name servers that serve some group of local resolvers that you can identify by IP address, but also have one or more zones delegated to them.
You can also control which addresses are allowed to send recursive queries with the allow-recursion options substatement, supported in BIND 8.2.1 and later. Only queriers in the specified address match list will have their queries processed recursively; all other queries are treated as nonrecursive. For example:

    options {
        directory "/var/named";
        allow-recursion { localnets; };
    };
7.12.3 Discussion

If you're faced with the choice of using multiple allow-query substatements or a single allow-recursion substatement to protect a name server from unauthorized queries, you should be aware of an important corner case: name servers authoritative for a zone that contains delegation may receive legitimate queries from remote name servers for data in subzones. The combination of allow-query options and zone substatements described earlier won't permit these queries, since the queries are received from nonlocal addresses for data outside of the name server's authoritative zones. allow-recursion works fine, though; you can permit recursive queries only from local networks and allow nonrecursive queries from anywhere.

Though you can specify TSIG keys with the allow-query substatement, there's usually not much point in doing so, since resolvers don't sign queries. Other name servers can, though.
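The following Python model, added here as an illustration rather than taken from the recipe or from BIND itself, walks through the decision the Solution and Discussion describe: an options-level allow-query, a zone-level allow-query that overrides it, and allow-recursion deciding whether a query with the recursion-desired flag is processed recursively or treated as nonrecursive. The address match list rules it applies (first matching element wins, an element prefixed with "!" matches but denies, no match means deny) are BIND's documented behaviour; the localnets ACL is built from a constructed list of networks, the zones foo.example and sub.foo.example and the address 203.0.113.9 are constructed for the example, and treating data below a delegation as outside the authoritative zone follows the corner case the Discussion describes.

```python
"""Model of BIND's allow-query / allow-recursion decision (added illustration,
not BIND code). Assumptions: address match lists use first-match semantics,
'!' negates an element, no match means deny, and data below a delegation
counts as outside the authoritative zone, as the recipe's Discussion states."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for the networks the name server host is attached to;
# real BIND derives 'localnets' from the host's interfaces.
LOCALNETS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.0.0.0/24"),
]


def acl_allows(acl, source):
    """Evaluate an address match list such as { localnets; !10.0.0.5; any; }."""
    src = ipaddress.ip_address(source)
    for element in acl:
        negate = element.startswith("!")
        name = element.lstrip("!").strip()
        if name == "any":
            matched = True
        elif name == "none":
            matched = False
        elif name == "localhost":
            matched = src.is_loopback
        elif name == "localnets":
            matched = any(src in net for net in LOCALNETS)
        else:
            matched = src in ipaddress.ip_network(name, strict=False)
        if matched:
            return not negate          # first matching element decides
    return False                       # nothing matched: denied


@dataclass
class Zone:
    name: str
    allow_query: list | None = None    # None: inherit the options substatement
    delegations: list = field(default_factory=list)  # subzones cut out of this zone


@dataclass
class Options:
    # Assumed defaults: with no substatement, anyone may query and recurse.
    allow_query: list = field(default_factory=lambda: ["any"])
    allow_recursion: list = field(default_factory=lambda: ["any"])


def in_domain(qname, domain):
    return qname == domain or qname.endswith("." + domain)


def authoritative_zone(zones, qname):
    """Zone whose data answers qname, or None when qname lies outside every
    zone, including data below a delegation (the recipe's corner case)."""
    best = None
    for zone in zones:
        if in_domain(qname, zone.name) and (best is None or len(zone.name) > len(best.name)):
            best = zone
    if best and any(in_domain(qname, sub) for sub in best.delegations):
        return None
    return best


def decide(options, zones, source, qname, rd):
    """Return 'refused', 'recursive' or 'nonrecursive' for one query;
    rd is the query's recursion-desired flag."""
    zone = authoritative_zone(zones, qname)
    # A zone-level allow-query overrides the options-level one.
    acl = zone.allow_query if zone and zone.allow_query is not None else options.allow_query
    if not acl_allows(acl, source):
        return "refused"
    if rd and acl_allows(options.allow_recursion, source):
        return "recursive"
    return "nonrecursive"   # RD set but recursion not permitted: handled nonrecursively


# The recipe's two approaches expressed as data (foo.example and its
# delegated subzone sub.foo.example are constructed for the example).
ZONES = [
    Zone("bar.example", allow_query=["any"]),
    Zone("foo.example", allow_query=["any"], delegations=["sub.foo.example"]),
]
QUERY_ONLY = Options(allow_query=["localnets"])          # allow-query { localnets; }
RECURSION_ONLY = Options(allow_recursion=["localnets"])  # allow-recursion { localnets; }

if __name__ == "__main__":
    for opts, label in ((QUERY_ONLY, "allow-query"), (RECURSION_ONLY, "allow-recursion")):
        print(label, "remote query below a delegation:",
              decide(opts, ZONES, "203.0.113.9", "www.sub.foo.example", rd=False))
```

Running the block shows the corner case directly: with the allow-query combination, a remote name server asking for www.sub.foo.example is refused because the data lies below a delegation and only the options-level localnets list applies, while the allow-recursion configuration answers it nonrecursively and still confines recursion to local networks.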
7.12.4 See Also

"Restricting Queries" in Chapter 11 of DNS and BIND.