Thanks!

I just thought I'd mention it in case someone does not know yet:

I found another option, a pair of options, actually:=20
additional-from-auth and
additional-from-cache.

To quote the BINDv9 ARM:
Specifying additional-from-cache no actually disables the use of the =
cache not only for additional data lookups but also when looking up the =
answer. This is usually the desired behavior in an authoritative-only =
server where the correctness of the cached data is an issue.

These options are described in the Bv9ARM, section 6.2.14.1

Kind regards,
Benjamin

> -----Urspr=FCngliche Nachricht-----
> Von: bind-users-bounce@isc.org [mailto:bind-users-bounce@isc.org]Im
> Auftrag von Barry Margolin
> Gesendet am: Montag, 6. September 2004 16:39
> An: comp-protocols-dns-bind@isc.org
> Betreff: Re: AW: local DNS
>=20
> In article ,
> "Walkenhorst, Benjamin" wrote:
>=20
> > Hello,
> >=20
> > Is there any way to change this behavior without
> > modifying the source?=3D20
> > I mean, you can just turn off recursive queries, but does=20

> that leave =3D
> > any
> > chance for, say, a cache-poisoning attack?

>=20
> If you turn off recursion and fetch-glue, I don't think the=20
> nameserver=20
> should ever have a reason to send an outbound query.
>=20
> You could also block outbound port 53 on your router or firewall.
>=20
> --=20
> Barry Margolin, barmar@alum.mit.edu
> Arlington, MA
> *** PLEASE post questions in newsgroups, not directly to me ***
>=20