Intermediate 10 min DNS 5

REFUSED — Recursive Query to Authoritative-Only Server

Symptoms

- `dig @ns1.example.com google.com` returns `status: REFUSED`
- Queries for the server's own zones succeed; queries for external domains fail
- Some monitoring tools report the nameserver as 'not responding' or 'timed out'
- Split-horizon DNS queries from an external IP receive REFUSED while internal IPs succeed
- `drill` or `kdig` show `RCODE: REFUSED` with an empty ANSWER section

Root Causes

- Authoritative-only DNS server receiving recursive queries it is not configured to answer
- DNS server access control list (ACL) blocking queries from your IP or subnet
- DNS server configured with `allow-recursion { none; };` in BIND `named.conf`
- Split-horizon DNS server refusing queries that do not match its internal/external view rules
- Per-IP rate limiting on the DNS server triggered by too-frequent automated queries

Diagnosis

**Step 1 — Identify whether the server is authoritative-only**

```bash
# Check if the server is listed as authoritative for the domain
dig example.com NS +short
# If ns1.example.com appears, it is authoritative for example.com

# Now query it for an external domain — REFUSED confirms authoritative-only
dig @ns1.example.com google.com A
# status: REFUSED = server will not recurse for external queries
```

**Step 2 — Distinguish REFUSED from network filtering**

```bash
# REFUSED = server replied; firewall block = no reply (timeout)
# Time the query:
time dig @ns1.example.com example.com A
# < 1s with REFUSED = server replied
# > 5s with no answer = packet dropped by firewall

# Test both UDP and TCP:
dig @ns1.example.com example.com A +tcp
```

**Step 3 — Check BIND ACL configuration**

```bash
# On the DNS server (if you have access):
sudo named-checkconf /etc/named.conf
grep -A5 'allow-recursion\|allow-query\|acl' /etc/named.conf
# Look for:
# allow-recursion { none; }; → no recursion for anyone
# allow-query { localnets; }; → only local IPs allowed
```

**Step 4 — Identify which resolver to use instead**

```bash
# Use a public recursive resolver for external queries:
dig @8.8.8.8 external-domain.com A # Google Public DNS
dig @1.1.1.1 external-domain.com A # Cloudflare
dig @9.9.9.9 external-domain.com A # Quad9

# Query your own domain against the authoritative NS (correct use):
dig @ns1.example.com example.com A
```

**Step 5 — Check rate limiting (if queries for own zones also fail)**

```bash
# BIND Response Rate Limiting (RRL) in named.conf:
grep -A10 'rate-limit' /etc/named.conf
# Reduce query frequency or whitelist your monitoring IP in the per-ip-limit section
```
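The steps above all come down to reading three things from the reply header: the RCODE (5 = REFUSED), the AA flag (did an authoritative answer come back) and the RA flag (is recursion on offer to this client), and separating a reply from no reply at all. The following Python probe is an added example, not code from the original page: it builds a raw query, decodes those header fields and classifies the result the way the diagnosis steps do. The server name `ns1.example.com` is the page's placeholder, the classification is a heuristic, and the REFUSED reply it demonstrates on is constructed inline rather than captured from a real server.

```python
"""Probe a nameserver and classify its reply the way the diagnosis steps do.

Added example (not part of the original page): builds a raw DNS query,
reads the RCODE and the AA/RA flags from the reply header, and separates
REFUSED (the server answered) from a timeout (the packet never came back).
"""
import socket
import struct

# RFC 1035 / IANA RCODE names; 5 is the REFUSED this page is about.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name, qtype=QTYPE_A, txid=0x1234, rd=True):
    """Return a minimal DNS query packet: 12-byte header + one question."""
    flags = 0x0100 if rd else 0x0000          # RD bit: ask the server to recurse
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(packet):
    """Decode the fields of a DNS reply header that matter for this fault."""
    if len(packet) < 12:
        raise ValueError("DNS packet shorter than the 12-byte header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    rcode = flags & 0x000F
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),           # 1 = this is a response
        "aa": bool(flags & 0x0400),           # authoritative answer
        "rd": bool(flags & 0x0100),           # recursion desired (echoed back)
        "ra": bool(flags & 0x0080),           # recursion available to this client
        "rcode": RCODES.get(rcode, f"RCODE{rcode}"),
        "ancount": ancount,
    }


def classify(header):
    """Map header flags to the likely cause; a heuristic mirroring the diagnosis steps."""
    if header is None:
        return "TIMEOUT: no reply at all, suspect a firewall dropping port 53 rather than a DNS ACL"
    if header["rcode"] == "REFUSED" and not header["ra"]:
        return "REFUSED with RA=0: server will not recurse for this client; use a recursive resolver for external names"
    if header["rcode"] == "REFUSED":
        return "REFUSED with RA=1: recursion is offered but this query was refused; check allow-query ACLs or view rules"
    if header["rcode"] == "NOERROR" and header["aa"]:
        return "NOERROR with AA=1: authoritative answer, this is the correct use of the server"
    return f"{header['rcode']}: {header['ancount']} answer record(s)"


def probe(server, name, qtype=QTYPE_A, timeout=2.0):
    """Send one UDP query to server:53; return the parsed header, or None on timeout."""
    txid = 0x1234
    pkt = build_query(name, qtype, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (server, 53))
        try:
            data, _addr = sock.recvfrom(4096)
        except socket.timeout:
            return None
    header = parse_header(data)
    if header["id"] != txid or not header["qr"]:
        raise ValueError("reply does not match our query")
    return header


def constructed_refused_reply():
    """A REFUSED reply as an authoritative-only server sends it (constructed, not captured)."""
    flags = 0x8105   # QR=1, AA=0, RD=1 (echoed), RA=0, RCODE=5 (REFUSED)
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0) + build_query("google.com")[12:]


if __name__ == "__main__":
    # Offline demonstration on the constructed packet:
    print(classify(parse_header(constructed_refused_reply())))
    # Live use against the page's placeholder server:
    # print(classify(probe("ns1.example.com", "google.com")))
```

Run it as-is to see the constructed REFUSED reply classified; point `probe()` at a real server to reproduce Step 1 and Step 2 in one call, since a `None` result is the timeout case (filtering) and a header with RCODE 5 is the server actually refusing.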

Resolution

**Fix 1 — Use a recursive resolver for non-authoritative queries**

Route external DNS queries to a public recursive resolver rather than the authoritative-only server:

```bash
# Update /etc/resolv.conf (use tee -a for the second line: a bare >> runs
# the redirection as your user, not as root, and fails on a root-owned file):
echo 'nameserver 8.8.8.8' | sudo tee /etc/resolv.conf
echo 'nameserver 1.1.1.1' | sudo tee -a /etc/resolv.conf

# Or using systemd-resolved (resolvectl on current systems, systemd-resolve on older ones):
sudo resolvectl dns eth0 8.8.8.8 1.1.1.1
sudo systemd-resolve --set-dns=8.8.8.8 --interface=eth0
```

**Fix 2 — Enable recursion for trusted subnets (BIND)**

```named
# /etc/named.conf — allow recursion for internal networks only
acl trusted {
    10.0.0.0/8;
    192.168.0.0/16;
    172.16.0.0/12;
    localhost;
};

options {
    allow-recursion { trusted; };
    allow-query { any; };   # authoritative queries
    recursion yes;
};
```

```bash
sudo named-checkconf && sudo systemctl reload named
```

**Fix 3 — Open ACL to your monitoring or application IP**

```named
# /etc/named.conf — add your app server IP to the trusted ACL
# (an acl name may be defined only once: extend the existing block,
# do not add a second "acl trusted" or named-checkconf will reject it)
acl trusted {
    10.0.0.0/8;
    203.0.113.50;   # application server IP
};
```

**Fix 4 — Adjust rate limiting thresholds**

```named
# /etc/named.conf — raise RRL limits or exclude monitoring IPs
# (rate-limit is valid inside options { } or a view { }, not at top level)
options {
    rate-limit {
        responses-per-second 50;
        exempt-clients { 203.0.113.0/24; };   # monitoring subnet
    };
};
```

Prevention

- Never configure your authoritative nameservers as resolvers in application `/etc/resolv.conf`
- Use separate infrastructure for recursive (internal) and authoritative (external) DNS
- Document ACL rules and IP ranges in your DNS configuration with comments
- Test DNS behavior from your application server's IP before deploying to production
- Set up monitoring that queries your authoritative NS for your own zones only

Related Status Codes

Related Terms