[dns-operations] DNS deluge for x.p.ctrc.cc
dougb at dougbarton.us
Sun Feb 26 18:31:23 UTC 2006
> [Now asking from software engineering perspective... and if this is not
> right list for it - suggest which one would be]
> What is a correct way to verify if a DNS server is recursive from your
The metric I usually use is the RA bit set in a reply.
> Is asking info on your own domain from remote nameserver ok
> for it?
It would probably be polite to make the request about a domain you're
responsible for, in case the query is successful. However, depending on your
purposes, a response of SERVFAIL for your domain, but with the RA bit set,
might still be considered a positive.
> What timeout should be used to decide that there was no answer?
Again, depends on your purposes. If you're looking to make a list of open
resolvers that would be useful to attackers, I would think that a fairly
short timeout would be appropriate.
> And BTW - what is the correct way to deal with queries at the DNS server side?
> Let's assume we want appropriate security applied and have the DNS server only
> answer regarding netzones it serves or on behalf of clients on a pre-set
> (local) network. If a query comes in for a non-served zone from a remote net,
> should the DNS server simply ignore the query and not send any answer?
Assuming I understand your question, I reject your premise. :) I have always
held strongly to the opinion that iterative resolver functions and
authoritative name server functions should be split into separate daemons
(even if both are running the same software). I then apply both a network
filter and named.conf acls to prevent unauthorized access to the resolver.
However, since you're looking for an actual answer to your question, sending
a referral back to the client is polite. This leads to the question of
whether to always provide a referral to the roots, or if you should give
more specific information if you know it. Which is yet another reason why I
don't like to mix those two functions.
If you're never wrong, you're not trying hard enough