Splitting of authoritative from recursive nameservers

2007-03-21 - News - Chris Thompson

Some minor changes have been made to the sample configuration for "stealth" slave nameservers on the CUDN at


Firstly, one of the MRC-CBU subnets was incorrectly omitted from the "camnets" ACL, and has been added.

Secondly, questions were asked about the setting of "forwarders" in the "options" statement, and so I have added some comments about that. We used to recommend its use, but have not done so for some time now, except in situations where the nameserver doing the forwarding does not have full access to the Internet. However, if query forwarding is used, it should always be to recursive nameservers, hence to and rather than to the authoritative but non-recursive nameservers at and

We are now logging all outgoing zone transfers from and, and will be contacting users who have not made the change to fetch from and instead, as time and effort permit. Help us by making the change before we get around to you!

We currently plan to lock down the recursive nameservers at and, so that they do not respond to queries from outside the CUDN and also do not allow zone transfers, during the first week of the Easter term (23-27 April). We will update you on this closer to the time.