When your BIND9 nameserver answers external queries with "status: REFUSED" while internal queries work fine, the server is reachable and is declining to answer: REFUSED is a reply from named, not a timeout, so the cause is access control or zone configuration rather than the network. Let's break down the symptoms from your example:
; <<>> DiG 9.5.1-P2.1 <<>> @87.98.167.208 ungl.org
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 18787
;; flags: qr rd;
;; WARNING: recursion requested but not available
Your current named.conf.options shows several restrictive settings:
options {
listen-on { 127.0.0.1; };
allow-recursion { 127.0.0.1; };
};
This configuration means:
- named binds only to the loopback address, so a query sent to 87.98.167.208 would not reach it at all and dig would report a timeout; if that query really comes back REFUSED, the running named is listening on that address
- recursion is offered only to localhost, which is what the "recursion requested but not available" warning reflects
A REFUSED for ungl.org itself, a zone this server should own, means the name was not found in a loaded authoritative zone, so named treated the query as a recursive one and refused it. Confirm that the zone is declared in named.conf (named.conf.local on Debian-style layouts) and that the log shows "loaded serial" rather than "not loaded due to errors" before changing the options.
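To tell these cases apart from the dig output alone, here is a small classifier (an added example, not part of the original post). It reads the status and flags from a dig header and names the case; the dig output embedded in it is a constructed copy of the header above, and the probe wrapper assumes a working dig on the path.

```sh
#!/bin/sh
# Added example: classify a dig response header.
# Prints one word for the dig output passed as the argument:
#   authoritative        NOERROR + aa: the zone is loaded and served
#   open-resolver        NOERROR, no aa, ra set: the server answers for names it does not own
#   nonauth-answer       NOERROR, no aa, no ra: cached answer or referral
#   refused-no-recursion REFUSED, no ra: name not in a loaded zone and recursion denied
#   refused-with-ra      REFUSED although recursion was on offer: another ACL (allow-query) refused it
#   no-response          no header at all: nothing listening, wrong address or firewall drop
classify_dig() {
    out=$1
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)

    case $status in
        '')
            echo no-response ;;
        NOERROR)
            case " $flags " in
                *' aa '*) echo authoritative ;;
                *' ra '*) echo open-resolver ;;
                *)        echo nonauth-answer ;;
            esac ;;
        REFUSED)
            case " $flags " in
                *' ra '*) echo refused-with-ra ;;
                *)        echo refused-no-recursion ;;
            esac ;;
        *)
            printf '%s\n' "$status" | tr 'A-Z' 'a-z' ;;   # nxdomain, servfail, ...
    esac
}

# Live check against a server: ask without recursion, so an authoritative
# server can answer and an open one still reveals itself through the ra flag.
probe() {
    classify_dig "$(dig "@$1" "$2" +norecurse +time=3 +tries=1 2>/dev/null)"
}

# Constructed copy of the header from the question, for a stand-alone run.
SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 18787
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

if [ "$#" -eq 2 ]; then
    probe "$1" "$2"        # usage: ./classify.sh 87.98.167.208 ungl.org
else
    classify_dig "$SAMPLE"
fi
```

Run it from a host outside your network, since the answer depends on which ACL the asking address falls into; "authoritative" is the only acceptable result for your own zone on a public nameserver, and "open-resolver" for a name you do not serve means the server should be tightened.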
For a public authoritative nameserver, modify your configuration so it listens on all addresses, answers anyone about the zones it serves, and does no recursion at all (recursion no makes it authoritative-only, so it cannot be abused as an open resolver):
options {
directory "/var/cache/bind";
listen-on { any; };
listen-on-v6 { any; };
allow-query { any; };
recursion no;
auth-nxdomain no;
};
Your zone file itself looks valid. The elements that matter here are the SOA, the NS set and the A record; the NS targets must include the host you are querying (87.98.167.208), otherwise the org. delegation never sends resolvers to it, and a secondary such as ns.kimsufi.com will only transfer the zone when the serial increases:
$TTL 38400
ungl.org. IN SOA r29901.ovh.net. mikey.aol.com. (
201003121 ; serial
10800 ; refresh
3600 ; retry
604800 ; expire
38400 ) ; minimum
ungl.org. IN NS r29901.ovh.net.
ungl.org. IN NS ns.kimsufi.com.
ungl.org. IN A 188.165.34.72
After making changes, always validate your configuration:
# named-checkconf
# named-checkzone ungl.org /etc/bind/ungl.org
# systemctl reload bind9 (rndc reload on hosts without systemd)
Then verify with dig from an external server:
dig @your.nameserver.ip ungl.org +norec
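Here is the same validate-then-reload sequence as a script (an added example, not the original post's), with the step people forget: the SOA serial must go up before a secondary will pull the new zone. It assumes the serial sits on its own line after the SOA's opening parenthesis, as in the file above, and that named-checkconf, named-checkzone and rndc are on the path; the tool names are overridable through NAMED_CHECKCONF, NAMED_CHECKZONE and RNDC so the script can be dry-run.

```sh
#!/bin/sh
# Added example: bump the SOA serial, validate, then reload one zone,
# never reloading anything that fails validation.  Assumes the zone layout
# shown above (serial is the first token on the line after the SOA's "(").

# Print the SOA serial found in zone file $1.
current_serial() {
    awk '/SOA/ && /\(/ { inso=1; next } inso { print $1; exit }' "$1"
}

# Print the serial that should replace $1: today's date as YYYYMMDD followed
# by "01", or the old value plus one if it is already at or past that.
# TODAY can be set in the environment for repeatable runs.
next_serial() {
    cur=$1
    today=${TODAY:-$(date +%Y%m%d)}
    base=$((today * 100))
    if [ "$cur" -lt "$base" ]; then
        echo $((base + 1))
    else
        echo $((cur + 1))
    fi
}

# Copy zone file $1 to stdout with serial $2 replaced by $3 (first SOA only).
rewrite_serial() {
    awk -v old="$2" -v new="$3" '
        /SOA/ && /\(/ { inso=1 }
        inso && $1 == old { sub(old, new); inso=0 }
        { print }' "$1"
}

# Check named.conf, write the bumped zone to a scratch file, check that,
# and only then move it into place and reload just this zone.
deploy_zone() {
    zone=$1; file=$2; tmp="$file.new"
    ${NAMED_CHECKCONF:-named-checkconf} >/dev/null || {
        echo "named.conf is invalid; not reloading" >&2; return 1; }
    old=$(current_serial "$file")
    [ -n "$old" ] || { echo "no SOA serial found in $file" >&2; return 1; }
    new=$(next_serial "$old")
    rewrite_serial "$file" "$old" "$new" > "$tmp"
    if ! ${NAMED_CHECKZONE:-named-checkzone} -q "$zone" "$tmp"; then
        rm -f "$tmp"
        echo "zone $zone failed named-checkzone; not reloading" >&2
        return 1
    fi
    mv "$tmp" "$file"
    ${RNDC:-rndc} reload "$zone" && echo "$zone: serial $old -> $new"
}

if [ "$#" -eq 2 ]; then
    deploy_zone "$1" "$2"    # usage: ./deploy_zone.sh ungl.org /etc/bind/ungl.org
fi
```

A serial of the form YYYYMMDDnn stays well below the 32-bit limit, and bumping it before the reload is what lets the secondary's refresh notice the change; if you edit the file by hand instead, remember that a reload with an unchanged serial updates only this server.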
When opening up your nameserver, consider adding response rate limiting. It needs BIND 9.10 or later (it was a build-time option in 9.9.4), so the 9.5.1 named from your dig banner will reject the block in named-checkconf. On a supported version it caps how many identical answers per second a client network receives, which blunts the use of your authoritative server in reflection attacks:
options {
rate-limit {
responses-per-second 10;
window 5;
};
};
Check your server's response with these diagnostic commands (the first asks your own named directly; +trace follows the delegation down from the root, so you can see which servers the org. zone actually delegates ungl.org to; rndc status shows whether named is up and how many zones it loaded):
# dig +short ungl.org @127.0.0.1
# dig +trace ungl.org
# rndc status
Remember to monitor your logs for any issues after implementation:
# tail -f /var/log/syslog | grep named
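The two facts to pull out of that log are whether the zone loaded and who is getting refused. Here is a small log check (an added example, not part of the original post) run over constructed syslog lines written in named's own message formats; the hostname, process id and client addresses in the sample are made up.

```sh
#!/bin/sh
# Added example: extract from named's syslog lines the two things that explain
# a REFUSED: did the zone load, and which clients are being refused.
# The lines in SAMPLE are constructed; the message texts are named's.

# Last load-related message for zone $2 in log file $1.
# "loaded serial N" means named serves the zone; "not loaded due to errors."
# means every query for it falls through to recursion and is then refused.
zone_load_status() {
    awk -v z="zone $2/IN: " '
        index($0, "named[") && (i = index($0, z)) {
            msg = substr($0, i + length(z))
            if (msg ~ /^(loaded serial|not loaded|loading from master file)/) last = msg
        }
        END { if (last != "") print last }' "$1"
}

# Count "query (cache) ... denied" lines per client address in log file $1,
# busiest first.  Each of these was answered REFUSED: the name is outside the
# loaded zones and the client is not in allow-recursion / allow-query-cache.
# A resolver asking about your own zone here is the symptom above; strangers
# asking about other names is what a closed resolver should show.
denied_by_client() {
    awk '/query \(cache\) .* denied/ && match($0, /[0-9A-Fa-f.:]+#[0-9]+/) {
            addr = substr($0, RSTART, RLENGTH); sub(/#.*/, "", addr); n[addr]++
        }
        END { for (a in n) print n[a], a }' "$1" | sort -rn
}

summarize() {   # $1 = log file, $2 = zone
    echo "zone $2: $(zone_load_status "$1" "$2")"
    echo "clients refused (count address):"
    denied_by_client "$1"
}

# Constructed sample: the zone file is missing at start-up, an outside resolver
# and another host get refused, then the file is fixed and the zone loads.
SAMPLE="Mar 12 10:01:02 r29901 named[2231]: zone ungl.org/IN: loading from master file /etc/bind/ungl.org failed: file not found
Mar 12 10:01:02 r29901 named[2231]: zone ungl.org/IN: not loaded due to errors.
Mar 12 10:01:02 r29901 named[2231]: running
Mar 12 10:02:17 r29901 named[2231]: client 203.0.113.9#53441: query (cache) 'ungl.org/A/IN' denied
Mar 12 10:02:18 r29901 named[2231]: client 203.0.113.9#53442: query (cache) 'www.ungl.org/A/IN' denied
Mar 12 10:03:05 r29901 named[2231]: client 198.51.100.4#1053: query (cache) 'ungl.org/MX/IN' denied
Mar 12 10:05:00 r29901 named[2231]: zone ungl.org/IN: loaded serial 201003121"

if [ "$#" -ge 1 ]; then
    summarize "$1" "${2:-ungl.org}"    # usage: ./named_log_check.sh /var/log/syslog ungl.org
else
    f=$(mktemp); printf '%s\n' "$SAMPLE" > "$f"; summarize "$f" ungl.org; rm -f "$f"
fi
```

Denied queries for names you serve, while the zone shows "not loaded", is exactly the combination behind the REFUSED in the question; once the zone reports "loaded serial", the only denied entries left should be for names outside your zones.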
When you encounter a status: REFUSED response from dig while querying an external nameserver, it typically indicates one of these scenarios:
- The nameserver is not authoritative for the name you asked about and is configured to refuse recursive queries from your IP (the flags line then lacks ra, and dig warns "recursion requested but not available")
- The nameserver's allow-query ACL, globally or on that zone, excludes your IP
A firewall that blocks the DNS traffic produces a timeout ("no servers could be reached"), not REFUSED; a REFUSED means the packet arrived and named itself answered it.
In your case, the key configuration elements to examine are:
options {
directory "/var/cache/bind";
auth-nxdomain no;
listen-on-v6 { ::1; };
listen-on { 127.0.0.1; };
allow-recursion { 127.0.0.1; };
};
The directives to look at are listen-on and allow-recursion, which restrict the server to localhost. listen-on { 127.0.0.1; } on its own would make outside queries time out rather than come back REFUSED, so the instance that answered is reachable; allow-recursion { 127.0.0.1; } is what turns a query for a name outside the loaded zones into a REFUSED for everyone else.
To allow external queries, you need to widen those directives. The minimal change opens everything:
options {
directory "/var/cache/bind";
auth-nxdomain no;
listen-on-v6 { any; };
listen-on { any; };
allow-recursion { any; }; // makes this an open resolver; tighten it as shown next
allow-query { any; };
recursion yes;
};
The above answers everyone, but allow-recursion { any; } together with recursion yes is an open resolver, which will be found and used for DNS amplification. Keep authoritative answers open and limit recursion and cache access to your own networks:
options {
// ... other options ...
allow-query { any; }; // anyone may ask about the zones you serve
allow-recursion {
127.0.0.1;
192.168.1.0/24; // Your local network
};
allow-query-cache {
127.0.0.1;
192.168.1.0/24; // same clients: cached (non-authoritative) answers are only for them
};
};
allow-query-cache must cover the same clients as allow-recursion; setting it to { none; } would refuse your LAN's recursive lookups as well, since their answers come out of the cache. Leaving it out entirely is also fine, because BIND defaults allow-query-cache to the allow-recursion list.
After making changes, verify with these commands:
# Check configuration syntax
named-checkconf
# Reload BIND
rndc reload
# Test with dig from external server
dig @your.nameserver.ip example.com +norec
Your zone file looks correct; a commented layout like this, with a dated serial and shorter refresh/retry timers, is easier to keep right:
$TTL 86400
@ IN SOA ns1.example.com. hostmaster.example.com. (
2023080101 ; serial
3600 ; refresh
900 ; retry
604800 ; expire
86400 ) ; minimum
@ IN NS ns1.example.com.
@ IN NS ns2.example.com.
@ IN A 192.0.2.1
www IN A 192.0.2.1
Use these commands to monitor your DNS server; both write into the directory set by the directory option (/var/cache/bind above) rather than to the terminal:
# Append query statistics to named.stats
rndc stats
# Dump the cache to named_dump.db for analysis
rndc dumpdb -cache
After all changes, verify with:
dig +trace example.com
dig @your.nameserver example.com +norec