[dns-operations] DNS deluge for x.p.ctrc.cc

Peter Koch pk at DENIC.DE
Sun Feb 26 22:36:20 UTC 2006


On Sun, Feb 26, 2006 at 09:23:23AM -0800, william(at)elan.net wrote:

> What is a correct way to verify if dns server is recursive from your 

Looking at the "ra" bit is not enough, since some servers allow "local
recursion" and might be fed the amplifying data by other means than a
recursive query.

> And BTW - what is correct way to deal with queries at the dns server side?
[...]
> should dns server simply ignore the query and not send any answer?

Before taking drastic measures it should be understood what the side effects
are. "questions for non served zones" may be a consequence of lame delegations
and just not sending a response might make the resolver on the other side
believe that the server is indeed unavailable.

I'd like to see a survey of current or potential responses to "out of area"
queries, i.e. queries for names outside of those zones served by the auth
server. Here's a start:

o "root referral"
  some systems respond with a referral to the closest zone they know about,
  which is "." if all else fails. Given that a root referral is not small
  (around 230 octets) and that the resolver will probably not follow this
  "upward" referral anyway, this is probably not the best response.

o SERVFAIL

o REFUSED

o silence

Personally I'd prefer REFUSED because that shows clear intent, keeps the
response small and should not interfere with normal operations in case
of lame delegations.

It would also be possible to treat recursive and non-recursive queries
differently, but "not all recursive queries are evil". Although it's
practice for the full resolver to issue queries with rd==0, that's
not explicitly standardized and live data shows that a non-negligible amount
of queries to auth servers has rd==1.

-Peter
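
A way to run the survey above against a server, as an added example that is not part of Peter Koch's post nor of any DENIC tool: it builds raw queries so that rd can be set or cleared explicitly, parses raw responses with only the standard library, and sorts each answer into the post's four buckets (root referral with its size in octets, SERVFAIL, REFUSED, silence). The "ra" flag is read out separately, because the post warns that it is not sufficient on its own. The query name example.net, the sample responses, and the probe() helper are assumptions constructed for this example; only probe() touches the network, and nothing below is captured traffic.

```python
import socket
import struct

# Header flag bits and codes from RFC 1035 section 4.1.1
QR, RD, RA = 0x8000, 0x0100, 0x0080
RCODE_SERVFAIL, RCODE_REFUSED = 2, 5
TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1


def encode_name(name):
    """Wire-encode a dotted name; "." (the root) becomes a single zero octet."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_query(name, rd=False, qtype=TYPE_A, qid=0x1234):
    """Raw query, so rd can be set (rd==1) or cleared (rd==0) on purpose."""
    header = struct.pack("!HHHHHH", qid, RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def decode_name(msg, off):
    """Decode a possibly compressed name at msg[off:]; return (name, next_off)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if jumped else off


def skip_records(msg, off, count):
    """Walk `count` RRs; return [(owner, type)] and the offset after them."""
    found = []
    for _ in range(count):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        found.append((owner, rtype))
        off += 10 + rdlen
    return found, off


def ra_bit_set(resp):
    """The "ra" flag alone does not settle whether a server recurses."""
    return bool(struct.unpack("!H", resp[2:4])[0] & RA)


def classify_response(resp):
    """Map a raw response (None = timeout) onto the categories in the post."""
    if resp is None:
        return "silence"
    flags, qd, an, ns, _ = struct.unpack("!HHHHH", resp[2:12])
    rcode = flags & 0x000F
    if rcode == RCODE_REFUSED:
        return "REFUSED"
    if rcode == RCODE_SERVFAIL:
        return "SERVFAIL"
    off = 12
    for _ in range(qd):                               # skip the echoed question
        _, off = decode_name(resp, off)
        off += 4
    _, off = skip_records(resp, off, an)
    authority, _ = skip_records(resp, off, ns)
    if an == 0 and (".", TYPE_NS) in authority:       # NS RRs for "." = root referral
        return "root referral (%d octets)" % len(resp)
    return "other (rcode %d, %d octets)" % (rcode, len(resp))


def probe(server, name, rd=False, timeout=2.0):
    """Send one UDP query; return the response bytes, or None on silence."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, rd=rd), (server, 53))
        return sock.recvfrom(4096)[0]
    except socket.timeout:
        return None
    finally:
        sock.close()


# --- Constructed sample responses (assumed, not captured traffic) ------------
QNAME = "example.net"   # hypothetical out-of-zone name


def _response(flags, ns_rrs=b"", nscount=0):
    header = struct.pack("!HHHHHH", 0x1234, QR | flags, 1, 0, nscount, 0)
    question = encode_name(QNAME) + struct.pack("!HH", TYPE_A, CLASS_IN)
    return header + question + ns_rrs


def _root_referral():
    """13 NS records for ".", the name suffix compressed as a real server would."""
    first_rdata = 12 + len(encode_name(QNAME)) + 4 + 1 + 10
    suffix_ptr = struct.pack("!H", 0xC000 | (first_rdata + 2))  # -> root-servers.net.
    rrs = b""
    for i, letter in enumerate("abcdefghijklm"):
        rdata = (encode_name(letter + ".root-servers.net") if i == 0
                 else bytes([1]) + letter.encode("ascii") + suffix_ptr)
        rrs += encode_name(".") + struct.pack("!HHIH", TYPE_NS, CLASS_IN,
                                               518400, len(rdata)) + rdata
    return _response(0, rrs, 13)


SAMPLES = {
    "refused": _response(RCODE_REFUSED),
    "servfail": _response(RA | RCODE_SERVFAIL),
    "root referral": _root_referral(),
}

if __name__ == "__main__":
    for kind, resp in SAMPLES.items():
        print("%-14s -> %s (ra=%s)" % (kind, classify_response(resp), ra_bit_set(resp)))
    print("silence        -> %s" % classify_response(None))
```

Run it as a script to see the constructed samples classified. To survey a real server, call probe(server_ip, name, rd=False) and probe(server_ip, name, rd=True) and hand each result to classify_response(), treating None as silence; a single UDP timeout cannot distinguish deliberate silence from packet loss, so repeat the probe before drawing a conclusion. The compressed 13-NS referral comes out at 240 octets here, in the same range as the roughly 230 octets the post cites.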