[dns-operations] blocking recursers
JP Velders
jpv at veldersjes.net
Sun Mar 26 00:07:40 UTC 2006
> Date: Sat, 25 Mar 2006 13:52:27 -1000
> From: Randy Bush <randy at psg.com>
> Subject: Re: [dns-operations] blocking recursers
> [ ... ]
> to be clear, do you mean
> o issue a query for which the server might have an
> authoritative answer
> o see if that answer has the ra bit turned on?
Apart from looking at the answer, the more "simple" technically
convoluted solution would be to have a zone somewhere that you
control (logs!), that won't be in cache, and query for that.
Having your nameserver spit "random" stuff back, or something you can
correlate back in your logs to a specific time/ip, would make it a
"foolproof" check, as in, you'd be able to determine if it's an ORN
all by itself, or part of a multi-hop one... A simple TXT record would
suffice, but I don't know readily of a daemon which features something
like that.
> does all software know not to turn the ra bit on when the
> query comes from a source address which is not in its list
> of addresses for which it will do recursion?
Trusting or looking at the bits would be akin to trusting somebody on
the blueness of their eyes. Now if they'd have freckles, smile cutely
and make me melt, it'd probably work, however, I haven't found a
nameserver which does that yet... ;)
> randy
Kind regards,
JP Velders
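The probe JP describes, as an added example that is not code from the post: build a unique, never-cached name under a zone you control, send a TXT query for it to the server under test, and later match that name in the authoritative server's query log to see which address actually fetched it. The zone name, the BIND-style query-log line format and the sample addresses are assumptions constructed for this example; sending the packet is left to the caller.

```python
import re
import secrets
import struct
import time

PROBE_ZONE = "probe.example.net"  # assumed: a zone you control and log queries for

def probe_name(target_ip, when=None, zone=PROBE_ZONE):
    """Unique, never-cached name encoding time and target, so the lookup can be
    matched later in the authoritative server's query log."""
    when = int(time.time()) if when is None else when
    return f"{when}-{target_ip.replace('.', '-')}-{secrets.token_hex(4)}.{zone}"

def build_query(name, qtype=16, txid=0x1234):
    """Minimal DNS wire-format query: RD set, one question, QTYPE 16 = TXT."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def response_flags(resp):
    """Decode the header flags of a raw DNS response (QR, RD, RA, RCODE)."""
    flags = struct.unpack("!H", resp[2:4])[0]
    return {"qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F}

CLIENT_RE = re.compile(r"client ([0-9a-fA-F.:]+)#\d+")  # assumed BIND-style log

def classify(target_ip, log_lines, name):
    """Correlate the probe name against the authoritative query log. The client
    address that fetched the name says who really recursed, whatever RA claimed."""
    hits = []
    for line in log_lines:
        match = CLIENT_RE.search(line)
        if match and name.lower() in line.lower():
            hits.append(match.group(1))
    if not hits:
        return "did not recurse"
    if target_ip in hits:
        return "open recursive (queried us directly)"
    return "recursed via another resolver (multi-hop)"

if __name__ == "__main__":
    name = probe_name("192.0.2.10")
    # Constructed response (flags 0x8180 = QR, RD, RA) and constructed log line.
    resp = bytes.fromhex("12348180") + build_query(name)[4:]
    print(name, response_flags(resp))
    log = [f"26-Mar-2006 00:07:40.123 client 192.0.2.10#53: query: {name} IN TXT +"]
    print(classify("192.0.2.10", log, name))
```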