[dns-operations] blocking recursers

Paul Vixie paul at vix.com
Mon Mar 27 15:02:34 UTC 2006


# > ask an RD=1 question about a nonexistent name in the root zone.  if you
# > get back NXDOMAIN it answered you recursively.  if you get back a referral
# 
# ... or is running their own copy of the root zone, which some people do
# e.g. to be good netizens. Better use a name in a zone you control (and are
# confident nobody runs a stealth slave for).

sure.  that's what dan kaminsky describes in his recent dns show&tell's.
this technique also lets one learn if a nameserver's initiation address
is different from its listener address, which is sometimes useful to know.



More information about the dns-operations mailing list