It would be nice to add support for returning RCODE REFUSED instead of just SERVFAIL, when implementing ACLs using views.
A simple addition to modules/policy/policy.lua:
```lua
-- Set RCODE REFUSED on the answer and stop resolving the query
function policy.REFUSE(state, req)
	local answer = req.answer
	answer:rcode(kres.rcode.REFUSED)
	return kres.DONE
end
```
allows this at the end of your config:
```lua
-- Refuse from all others
view:addr('0.0.0.0/0', function (req, qry) return policy.REFUSE end)
view:addr('::/0', function (req, qry) return policy.REFUSE end)
```
I have implemented this easily in a custom module, but I think it would be a simple and easy enhancement for the upstream. It allows us to mirror BIND behaviour where we have an ACL on the 'allow-recursion' option, which returns REFUSED when the client source address does not match the ACL.
Also add this to modules/policy/README.rst:
* ``REFUSE`` - terminate query resolution and return REFUSED to the requestor
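
A client-side check for the behaviour requested above, as an added example that is not part of the original issue or of the Knot Resolver code: run from a host outside the ACL, it sends one query and reports the RCODE, so REFUSED can be told apart from SERVFAIL. The function names, the default probe name and the sample header bytes are assumptions made for this example.

```python
import secrets
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid, qtype=1):
    """Build a recursive (RD=1) DNS query; qtype 1 is A, class is IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in name.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_rcode(response, expected_qid):
    """Return the RCODE name after checking length, transaction ID and QR bit."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    qid, flags = struct.unpack("!HH", response[:4])
    if qid != expected_qid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode)

def probe(server, name="example.com", timeout=3.0):
    """Send one UDP query to `server` port 53 and return the RCODE name."""
    qid = secrets.randbelow(0x10000)  # unpredictable transaction ID
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_rcode(data, qid)

# Constructed header-only samples (not captured traffic): ID 0x1234, QR=1, RD=1.
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 0, 0, 0, 0)
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 0, 0, 0, 0)

if __name__ == "__main__":
    print(parse_rcode(SAMPLE_REFUSED, 0x1234))
    print(parse_rcode(SAMPLE_SERVFAIL, 0x1234))
```

Calling `probe()` with the resolver's address from a client that no view allows should return `REFUSED` once the policy is in place.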