Maintained by: NLnet Labs

[Unbound-users] unbound refuses to respond to non-recursive queries

Robert Edmonds
Thu May 19 19:15:36 CEST 2011


Paul Wouters wrote:
> On Thu, 19 May 2011, 刘明星:) wrote:
> 
> >send a non-recursive query to an unbound recursor and get a response with
> >rcode REFUSED while without RA set.
> >this is the following
> >query:
> >      dig +norecurse tianya.cn @unbound.recurse.ns
> 
> unbound is not an authoritative server. It should only see recursive queries.

RD bit cleared towards a recursive server is a cache snooping attempt.
Cache snooping is not enabled by default in unbound.

   access-control: <IP netblock> <action>
      The netblock is given as an IP4 or IP6 address with /size appended
      for a classless network block. The action can be deny, refuse,
      allow or allow_snoop.
   [...]
      The  action  allow_snoop  gives nonrecursive access too.  This
      gives both recursive and non recursive access.  The name
      allow_snoop refers to cache snooping, a  technique  to  use
      nonrecursive  queries to examine the cache contents (for malicious
      acts).  However, nonrecursive queries can also be a valuable
      debugging tool  (when you  want  to  examine  the cache contents).
      In that case use allow_snoop for your administration host.

-- 
Robert Edmonds
edmonds at debian.org
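As an added example (not part of this thread and not Unbound's own code): a small Python script that builds the RD-clear query `dig +norecurse` sends and decodes the header bits of the reply, so an administrator can confirm that a resolver answers such queries from non-admin hosts with REFUSED, as the default access-control intends. The QNAME reuses the poster's tianya.cn; the sample response bytes are constructed to match what the poster described (REFUSED, RA clear).

```python
import socket
import struct

QNAME = "tianya.cn"  # the name from the poster's dig command

def build_query(name: str, txid: int = 0x1234, rd: bool = False) -> bytes:
    """Build a DNS A/IN query. With rd=False the RD bit is clear, which is what
    `dig +norecurse` sends and what unbound treats as a cache-snooping query."""
    flags = 0x0100 if rd else 0x0000  # bit 8 of the flags word is RD
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def parse_flags(response: bytes) -> dict:
    """Return the header bits that matter here: RD echoed back, RA, and RCODE."""
    txid, flags = struct.unpack("!HH", response[:4])
    return {
        "id": txid,
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,  # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
    }

def snooping_refused(response: bytes) -> bool:
    """True when the resolver rejected the non-recursive query the way the
    default `refuse`/`allow` access-control does: RCODE 5 (REFUSED), RA clear."""
    f = parse_flags(response)
    return f["rcode"] == 5 and not f["ra"]

def probe(server: str, name: str = QNAME, port: int = 53, timeout: float = 2.0) -> bytes:
    """Send the RD-clear query over UDP to your own resolver and return the raw
    reply (needs network; feed the result to snooping_refused)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        return sock.recv(512)

# Constructed sample of the reply the poster saw: same transaction id and
# question echoed back, QR set, RD and RA clear, RCODE 5 (REFUSED), no records.
_q = build_query(QNAME)
SAMPLE_REFUSED = _q[:2] + struct.pack("!H", 0x8005) + _q[4:]
```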