[dns-operations] DNS deluge for x.p.ctrc.cc

Doug Barton dougb at dougbarton.us
Sun Feb 26 18:31:23 UTC 2006

william(at)elan.net wrote:
> [Now asking from software engineering perspective... and if this is not 
> right list for it - suggest which one would be]
> What is a correct way to verify if dns server is recursive from your 
> resolver?

The metric I usually use is the RA bit set in a reply.

> Is asking info on your own domain from remote nameserver ok
> for it?

It would probably be polite to make the request about a domain you're
responsible for, in case the query is successful. However, depending on your
purposes, a response of SERVFAIL for your domain, but with the RA bit set,
might still be considered a positive.

> What timeout should be used to decide that there was no answer?

Again, depends on your purposes. If you're looking to make a list of open
resolvers that would be useful to attackers, I would think that a fairly
short timeout would be appropriate.

> And BTW - what is correct way to deal with queries at the dns server side?
> Let's assume we want appropriate security applied and have dns server only 
> answer regarding netzones it serves or on behalf of clients on pre-set 
> (local) network. If query comes in for non-served zone from remote net, 
> should dns server simply ignore the query and not send any answer?

Assuming I understand your question, I reject your premise. :) I have always
held strongly to the opinion that iterative resolver functions and
authoritative name server functions should be split into separate daemons
(even if both are running the same software). I then apply both a network
filter and named.conf acls to prevent unauthorized access to the resolver.
However, since you're looking for an actual answer to your question, sending
a referral back to the client is polite. This leads to the question of
whether to always provide a referral to the roots, or if you should give
more specific information if you know it. Which is yet another reason why I
don't like to mix those two functions.

    If you're never wrong, you're not trying hard enough
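The RA-bit check and the SERVFAIL-with-RA nuance described in this reply, as an added example (not code from the original message or from the list). It builds a plain UDP query for a name you are responsible for, reads the RA flag and RCODE out of the reply header, and applies a short timeout when nothing comes back; the intended use is auditing your own resolvers to confirm that network filters and acls actually keep recursion closed to outside networks. The sample reply headers at the bottom are constructed inline so the classifier can be exercised offline, and `example.net`, the timeout value and the transaction id are placeholders.

```python
import socket
import struct

DNS_PORT = 53


def build_query(qname, txid, qtype=1):
    """Build a minimal DNS query: one question, class IN, RD bit set."""
    # flags 0x0100: QR=0 (query), opcode 0, RD=1 (ask for recursion)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header_flags(msg):
    """Extract txid, QR, RD, RA and RCODE from a DNS message header."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags = struct.unpack("!HH", msg[:4])
    return {
        "txid": txid,
        "qr": (flags >> 15) & 1,    # 1 = response
        "rd": (flags >> 8) & 1,     # recursion desired (echoed from query)
        "ra": (flags >> 7) & 1,     # recursion available: the metric used here
        "rcode": flags & 0x000F,    # 0 NOERROR, 2 SERVFAIL, 5 REFUSED, ...
    }


def classify_response(msg, expected_txid):
    """Return (verdict, rcode). RA set counts as recursive even on SERVFAIL."""
    h = parse_header_flags(msg)
    if h["txid"] != expected_txid or h["qr"] != 1:
        return ("invalid", h["rcode"])
    if h["ra"] == 1:
        return ("recursion-available", h["rcode"])
    return ("no-recursion", h["rcode"])


def check_server(server, qname, timeout=2.0, txid=0x1234):
    """Send the query over UDP and classify whatever comes back (or times out)."""
    query = build_query(qname, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, DNS_PORT))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return ("timeout", None)
    return classify_response(data, txid)


# Constructed sample reply headers (txid 0x1234, one question, no answers):
# 0x8180: QR=1 RD=1 RA=1 NOERROR      -> open recursion
# 0x8182: QR=1 RD=1 RA=1 SERVFAIL     -> still advertises recursion
# 0x8105: QR=1 RD=1 RA=0 REFUSED      -> recursion not offered
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
SAMPLE_SERVFAIL_RA = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)

if __name__ == "__main__":
    for label, msg in [("open", SAMPLE_OPEN),
                       ("servfail+ra", SAMPLE_SERVFAIL_RA),
                       ("refused", SAMPLE_REFUSED)]:
        print(label, classify_response(msg, 0x1234))
    # Against a live server you would call, e.g.:
    # print(check_server("192.0.2.53", "example.net"))
```

Against a real server, `check_server` returns `("timeout", None)` when nothing answers within the short window, and a `("no-recursion", 5)` result is what a correctly filtered resolver should produce for queries from outside its allowed networks.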
