DNS REFUSED Response – What RFC Encourages DNS Servers to Reply REFUSED to Queries for Unknown Domains?

Tags: bind, dns-zone, domain-name-system

This question is very very similar to RFC that requires DNS servers to respond to unknown domain requests but I figured I ought to ask it as a new question.

It appears that it is standard practice for an authoritative DNS server to respond with rcode REFUSED to any query for a domain name for which the server is not authoritative. For example:

$ dig @ns1.google.com yahoo.com A | grep status
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 53533

There are a few alternative behaviors that could make sense here, a priori:

  • Blackhole the query entirely
  • Return a non-authoritative NXDOMAIN response
  • Return a non-authoritative NOERROR response (this is silly, but I mention it for completeness)
  • Return a canned referral to the root nameservers (this is even sillier)

Is there an RFC or similar document that says "thou shalt return REFUSED in this case"?

I'd expect to see some discussion of this situation in RFC 1034 section 4.3.1 and 4.3.2, but I don't.

Best Answer

It's simple really: RFC 1035 Section 4.1.1, RCODE 5

Refused - The name server refuses to perform the specified operation 
for policy reasons.  For example, a name server may not wish to
provide the information to the particular requester, or a name server 
may not wish to perform a particular operation (e.g., zone transfer) 
for particular data.

The administrators of the system have decided to configure their system to return a REFUSED response rather than do anything else.
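To make the "status: REFUSED" line in the question's dig output and the RCODE 5 definition quoted in the answer concrete, here is an added example (not code from the original post): it builds a minimal DNS query and decodes the 12-byte header, where RCODE is the low four bits of the flags word. The reply it parses is constructed inline so the script runs offline; the queried name is an assumed placeholder.

```python
import struct

# RCODE values from RFC 1035 section 4.1.1 (0 through 5).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

def build_query(qname, qtype=1, txid=0x1234):
    """Return a minimal standard query (QR=0, RD=1) for qname, type A by default."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(msg):
    """Decode the header fields that dig prints in its ->>HEADER<<- line."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),        # 1 = response
        "opcode": (flags >> 11) & 0xF,     # 0 = QUERY
        "aa": bool(flags & 0x0400),        # authoritative answer
        "rcode": rcode,
        "status": RCODES.get(rcode, f"RCODE{rcode}"),
        "counts": (qd, an, ns, ar),
    }

def make_refused_reply(query):
    """Constructed sample reply: QR=1, RD echoed, AA clear, RCODE=5, question echoed."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8105, 1, 0, 0, 0)
    return header + query[12:]

if __name__ == "__main__":
    q = build_query("example.invalid", txid=53533)  # assumed name, id from the post
    h = parse_header(make_refused_reply(q))
    print(f";; ->>HEADER<<- opcode: {h['opcode']}, status: {h['status']}, id: {h['id']}")
```

The same `parse_header` can be applied to real replies read from a UDP socket, which is how a resolver monitor would count REFUSED answers per upstream server.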