LinuxQuestions.org
Old 04-24-2013, 06:08 PM   #1
u2013
LQ Newbie
 
Registered: Apr 2013
Posts: 14

Rep: Reputation: Disabled
"'./ANY/IN'" means what? Does a reply get sent back to the query?


Moderator, or anyone else, I got two important questions please. Well, at least important to me.

1. Does a reply message get sent back to the requester about the denial or rejection? I refer to when there is a "named[21729]: client 9.10.11.12#39948: query (cache) './ANY/IN' denied", then is there also an associated reply sent back by the queried dns server to the machine that is doing the querying?

2. What does the "'./ANY/IN'" mean, or what is the query being done on? There is no domain name indicated, and so what is being queried when just a dot "."?
 
Old 04-25-2013, 12:20 PM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,168
Blog Entries: 1

Rep: Reputation: 2038
Quote:
Originally Posted by u2013
Moderator, or anyone else, I got two important questions please. Well, at least important to me.

1. Does a reply message get sent back to the requester about the denial or rejection? I refer to when there is a "named[21729]: client 9.10.11.12#39948: query (cache) './ANY/IN' denied", then is there also an associated reply sent back by the queried dns server to the machine that is doing the querying?

2. What does the "'./ANY/IN'" mean, or what is the query being done on? There is no domain name indicated, and so what is being queried when just a dot "."?

1. Of course. The client gets a REFUSED answer
2. Means that the client asks for the . (hint) zone

PS. Since you're new here, next time start a new thread instead of hijacking another one's thread

Regards
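
What the logged question and the REFUSED answer described above look like on the wire, as an added example that is not part of the original posts. The sample line is constructed from the one quoted in the thread; the message ID and the RD flag on the query are assumptions, and nothing is sent over the network.

```python
import re
import struct

# Constructed sample line, modelled on the one quoted in the thread.
SAMPLE = "named[21729]: client 9.10.11.12#39948: query (cache) './ANY/IN' denied"

QTYPES = {"A": 1, "NS": 2, "ANY": 255}   # subset of RR type codes (RFC 1035)
QCLASSES = {"IN": 1}
RCODE_REFUSED = 5                         # RFC 1035 response code 5

LOG_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query \(cache\) "
    r"'(?P<qname>[^/']+)/(?P<qtype>\w+)/(?P<qclass>\w+)' denied")

def parse_denied(line):
    """Split a 'denied' line into client address, port, name, type and class."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec

def encode_name(qname):
    """Wire-format name: length-prefixed labels ended by a zero byte.
    The root name '.' has no labels, so it is the zero byte alone."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(rec, msg_id=0x1234):
    """Query message for the logged question (assumed: RD set, one question)."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    question = encode_name(rec["qname"]) + struct.pack(
        "!HH", QTYPES[rec["qtype"]], QCLASSES[rec["qclass"]])
    return header + question

def build_refused(query):
    """Refusal: same ID and question echoed back, QR=1, RCODE=5, no records."""
    msg_id, flags = struct.unpack("!HH", query[:4])
    flags = 0x8000 | (flags & 0x0100) | RCODE_REFUSED   # QR=1, keep RD, RA=0
    return struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0) + query[12:]

def rcode(message):
    """The low four bits of the flags word carry the response code."""
    return struct.unpack("!H", message[2:4])[0] & 0x000F

if __name__ == "__main__":
    rec = parse_denied(SAMPLE)
    query = build_query(rec)
    print(rec, query.hex(), build_refused(query).hex(), rcode(build_refused(query)))
```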
 
Old 04-25-2013, 01:01 PM   #3
u2013
LQ Newbie
 
Registered: Apr 2013
Posts: 14

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by bathory
1. Of course. The client gets a REFUSED answer
2. Means that the client asks for the . (hint) zone

PS. Since you're new here, next time start a new thread instead of hijacking another one's thread

Regards

Thanks for the reply.

1. Sorry, but no, I don't believe it is a "of course". While I was waiting, I did two minor tests. A REFUSED message getting sent back depends on the version of bind installed. A little older version in fact simply did not reply, or maybe it is the settings. The client message display upon query was definitely different. One was REFUSED, as you indicated, and the other was a No Response.

So, this brings me to the question.
Is there a way to configure the DNS to not send a reply back of REFUSED?
I again reference the same data sample posted above by the user that started the post.

2. Okay, I thought it maybe something like. So in his example, it is asking for the root list. I confirmed this is how it is indicated in a DNS bind/named configuration file. He has properly disabled recursive. Does it make sense for him to not provide out hints either? If yes, how?

3. If the recursive was only limited to his localnet, then what effect would adding "additional-from-cache no;" into his configuration file accomplish, or bad idea, and why?

Again, the question is for anyone that wishes to reply.
 
Old 04-25-2013, 03:02 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by u2013
Is there a way to configure the DNS to not send a reply back of REFUSED?

That in essence would be a violation of the protocol IMHO. True, inference, but it would be like denying the OpenSSH daemon to send version information required for handshaking or denying Apache to send back 404s. Not signalling a client means it does not receive any hints to back off.


Quote:
Originally Posted by u2013
Does it make sense for him to not provide out hints either?

IIGC hints are either supplied or not supplied. When they're not supplied ISC BIND uses built-in ones and only at startup to select and query one of the root servers for the current root server nfo. Not supplying hints means a client has no means to find out the root servers and continue its query there. That would only make sense inside a completely isolated network.


Quote:
Originally Posted by u2013
If the recursive was only limited to his localnet, then what effect would adding "additional-from-cache no;" into his configuration file accomplish, or bad idea, and why?

Better see something like http://www.zytrax.com/books/dns/ch7/queries.html
 
  

