Denying AXFR

Wesley Griffin wgriffin at
Mon Feb 14 19:36:45 UTC 2005

I'm trying to get NSD to deny AXFRs for the zones it's serving. I'm compiling
--with-libwrap (although I think that's unnecessary as it looks like the
default is to go ahead and link with libwrap). This is with 2.2.0.

Anyway, I've tried a number of different combinations in /etc/hosts.allow
(and /etc/hosts.deny, although from reading hosts_options(5) on FreeBSD it
looks like hosts.deny has been deprecated) and I cannot get NSD to refuse

Here is what I've tried:

axfr : ALL : deny

/etc/hosts.allow: : ALL : deny
axfr : ALL : deny

axfr : : deny : ALL : deny
axfr : ALL : deny

None of which cause NSD to refuse AXFR from my localhost.
    % dig @localhost Axfr

I've also tried using /etc/hosts.deny per a 2003 message on this list:

axfr : ALL : deny

/etc/hosts.deny: : ALL : deny
axfr : ALL : deny

But nothing works. Anybody have a working example of denying all AXFRs?
Wesley Griffin <wgriffin at>
