Hey all .... setting up 2 bind servers to replace some older ones, these we wish to allow recursion only to our local box's. That is setup and seems to be working well, but here is the question (it might be a flag, setting or just something I am missing )

options look as followed;

directory "/var/named";
zone-statistics yes;

notify no;
transfer-format many-answers;
max-transfer-time-in 60;
allow-recursion { ip_range/26; };


If I restart named on the box, goto a machine off (ip_range) and do a dig @newserver yahoo.com it gives me the list of root servers, and that will happen over and over. If I query that box with a machine on that iprange network dig @newserver yahoo.com I get the reply with the answers. If I jump back to the off network machine and query it again for yahoo, I get the answers this time (as opposed to the root servers)

Is there a way not to allow others to get responses for servers he is not authoritative for?

Thanks.

Edit/Delete Message

There is, but it is only on the very newest of newest versions of BIND, from 9.4.0 and on. Starting in 9.4.0, you can add "allow-query-cache" to the options, and specify the same /26 network. Now when something off the /26 asks for something in the cache, it will still be denied and pointed to the roots.

The behavior you saw is exactly what is supposed to happen.

Peace,
JimBass