Restricting the Queries a Name Server Answers
7.12.1 Problem
You want to restrict the queries a name server answers.
7.12.2 Solution
Use the allow-query substatement to restrict the queries to which the name server responds. allow-query can be used as either an options substatement or a zone substatement. As an options substatement, it determines which addresses the name server will answer for queries in any zone (and for names it isn't authoritative for). Used as a zone substatement, allow-query controls which queriers can look up records in that zone, and overrides the options-level allow-query for that zone.
This allow-query substatement allows only queriers (resolvers and name servers) on local networks to look up arbitrary domain names:
options {
    directory "/var/named";
    allow-query { localnets; };
};
The localnets ACL is predefined by BIND as all of the networks to which the host that runs the name server is directly connected.
In the same named.conf file, this allow-query substatement allows anyone to look up domain names in the bar.example zone:
zone "bar.example" {
    type slave;
    masters { 10.0.0.1; };
    file "bak.bar.example";
    allow-query { any; };
};
This particular combination of allow-query substatements is useful on name servers that serve some group of local resolvers that you can identify by IP address, but also have one or more zones delegated to them.
You can also control which addresses are allowed to send recursive queries with the allow-recursion options substatement, supported in BIND 8.2.1 and later (and in BIND 9). Only queriers in the specified address match list will have their queries processed recursively; queries from all other addresses are treated as nonrecursive, so the server answers from its authoritative data (or its cache) but does not go out and resolve the name on the querier's behalf. For example:
options {
    directory "/var/named";
    allow-recursion { localnets; };
};
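Putting the three substatements together, here is a complete named.conf for the situation the recipe describes: a name server that serves an identifiable set of local resolvers and is also a slave for a zone delegated to it. This is an added example, not configuration from the book. The acl name "trusted" and the routed subnet 192.168.10.0/24 are assumptions, introduced to show that a named ACL can widen localnets to networks the host is not directly attached to; the master address 10.0.0.1 and the zone bar.example are taken from the recipe.

```conf
// Added example, not from the book: allow-query and allow-recursion combined.
// "trusted" and 192.168.10.0/24 are assumptions for illustration.
acl "trusted" {
    localnets;            // every network this host is directly connected to
    192.168.10.0/24;      // assumed: a routed office subnet, not directly attached
};

options {
    directory "/var/named";
    // Default for every zone, and for names this server is not authoritative
    // for: only trusted queriers get an answer; everyone else is refused.
    allow-query { trusted; };
    // Only trusted queriers have their queries resolved recursively; queries
    // from anywhere else are handled as if the RD bit had been cleared.
    allow-recursion { trusted; };
};

// The zone-level allow-query overrides the options-level one for this zone,
// so the rest of the Internet can still look up names in bar.example.
zone "bar.example" {
    type slave;
    masters { 10.0.0.1; };
    file "bak.bar.example";
    allow-query { any; };
};
```

After loading this, check it from both sides of the ACL: a query for bar.example's SOA record sent from an address outside "trusted" should be answered, while a query from the same address for a name outside bar.example should be refused; from inside "trusted" both should be answered, the second one recursively. On BIND 9, named-checkconf will catch syntax errors before you reload.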
7.12.3 Discussion
If you're faced with the choice of using multiple allow-query substatements or a single allow-recursion substatement to protect a name server from unauthorized queries, you should be aware of an important corner case: name servers authoritative for a zone that contains delegations may receive legitimate queries from remote name servers for data in subzones, as those servers follow the delegation. The combination of allow-query options and zone substatements described earlier won't permit these queries: they arrive from nonlocal addresses and ask for data outside the name server's authoritative zones, so the options-level allow-query applies and refuses them. allow-recursion works fine, though; you can permit recursive queries only from local networks and still allow nonrecursive queries (including those that merely elicit a referral) from anywhere.
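The allow-recursion-only arrangement the discussion recommends for a server with delegated subzones looks like this. It is an added example, not configuration from the book: the server is assumed to be the master for bar.example, with a zone file (db.bar.example, an assumed name) that delegates sub.bar.example to ns1.sub.bar.example; the addresses in the comments are assumptions as well. Had the options statement carried the recipe's allow-query { localnets; } instead, a remote name server asking this server for www.sub.bar.example would be refused rather than referred.

```conf
// Added example, not from the book: restrict recursion only, leave
// nonrecursive queries open so delegations can be followed from anywhere.
options {
    directory "/var/named";
    // No allow-query here: nonrecursive queries from any address are
    // answered, including referrals for names under sub.bar.example.
    // Only local resolvers get their queries resolved recursively.
    allow-recursion { localnets; };
};

zone "bar.example" {
    type master;
    file "db.bar.example";     // assumed zone file name
    // db.bar.example is assumed to contain the delegation:
    //   sub.bar.example.      IN  NS  ns1.sub.bar.example.
    //   ns1.sub.bar.example.  IN  A   10.0.1.53
};
```

A remote name server that queries this server for a name in sub.bar.example with the RD bit clear gets the NS records and glue for the delegation; a local resolver sending the same query with RD set has the name chased down on its behalf.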
Though you can specify TSIG keys in an allow-query address match list, there's usually not much point in doing so, since stub resolvers don't sign their queries. Other name servers can, though, so a key in the list is useful only for restricting server-to-server lookups.
7.12.4 See Also
"Restricting Queries" in Chapter 11 of DNS and BIND.