[Pdns-users] How to get "Refused" responses with PDNS Authoritative + Recursor?

Vlad vladsol2009 at gmail.com
Mon Feb 10 09:27:02 UTC 2014


Unfortunately, this server has been authoritative+recursive for many years... It 
is used by both clients and client domains :(
With NAMED there was no such problem.
As a workaround (I'm not sure it's correct, but I like it) I changed the 
function questionOrRecurse a little.
DLOG(L<<Logger::Warning<<"setting 'No Error'"<<endl);

replaced with

DLOG(L<<Logger::Warning<<"setting 'Refused'"<<endl);
r->setRcode(RCode::Refused);
return r;


10.02.2014 10:42, Peter van Dijk wrote:
> Hello Vlad,
>
> On 09 Feb 2014, at 14:46 , Vlad <vladsol2009 at gmail.com> wrote:
>
>> I am trying to use the PDNS Authoritative + Recursor as a backend instead
>> of a BIND9 server :-)
>> I am almost happy, but there is a small problem ...
>> I want to get the same behavior as BIND: if a request is received from
>> an address that is not in the allow-recursion list, respond Refused. But
>> now I am getting empty answers with NOERROR... And, as far as I know, my DNS
>> server is listed in one of the "open resolvers" public lists :-)
> If the public list has an entry for you even though you respond with empty answers, that list is broken and you should send them a complaint.
>
> For optimal control over the behaviour of your recursor, please do NOT run it behind an authoritative server. Once your recursor is running independently, you can use the allow-from* settings in recursor.conf, or even packet level filtering (like iptables) to make sure you don’t respond to queries.
>
> Kind regards,
>
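
Added example, not part of the original thread and not PowerDNS code: a Python check that tells apart the three behaviours discussed above (Refused, an empty NOERROR answer, and an actual recursive answer) from the header of a reply to a recursion-desired query. All function names and the sample packets are constructed for illustration.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Build an A/IN query with RD=1 (recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def classify(response):
    """Classify a reply to an RD=1 query using only the 12-byte header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode, aa = flags & 0x000F, bool(flags & 0x0400)
    if rcode == 5:
        return "refused"            # what BIND sends outside allow-recursion
    if rcode == 0 and ancount == 0:
        return "empty-noerror"      # the behaviour described in this thread
    if rcode == 0 and not aa:
        return "recursive-answer"   # non-authoritative data: recursion was done
    return "other"

def probe(server, name, timeout=3.0):
    """Send one query to a server you operate and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return classify(s.recvfrom(4096)[0])

def sample_response(flags, ancount=0):
    """Constructed header-only sample: reply header plus the echoed question."""
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)
    return header + build_query("example.com")[12:]
```

Calling `probe()` from an address outside the allowed recursion range, with a name the server is not authoritative for, shows which of the three cases the server is in.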




