[dns-operations] blocking recursers

JP Velders jpv at veldersjes.net
Sun Mar 26 00:07:40 UTC 2006

> Date: Sat, 25 Mar 2006 13:52:27 -1000
> From: Randy Bush <randy at psg.com>
> Subject: Re: [dns-operations] blocking recursers

> [ ... ]
> to be clear, do you mean
>   o issue a query for which the server might have an
>     authoritative answer
>   o see if that answer has the ra bit turned on?

Apart from looking at the answer, the more "simple" technical 
convoluted solution would be to have a zone somewhere that you 
control (logs!), that won't be in cache, and query for that.

Having your nameserver spit "random" stuff back, or something you can 
correllate back in your logs to a specific time/ip would make it a 
"foolproof" check, as in, you'd be able to determine if it's an ORN 
all by itself, or part of a multi-hop one... Simple TXT record would 
suffice, but don't know readily of a daemon which feature something 
like that.

> does all software know not to turn the ra bit on when the
> query comes from a source address which is not in its list
> of addresses for which it will do recursion?

Trusting or looking at the bits would be akin to trusting somebody on 
the blueness of their eyes. Now if they'd have freckles, smile cutely 
and make me melt, it'd probably work, however, I haven't found a 
nameserver which does that yet... ;)

> randy

Kind regards,
JP Velders

More information about the dns-operations mailing list