[dns-operations] RCODE for bogon answers
Roy Arends
roy at dnss.ec
Mon Oct 15 08:45:21 UTC 2007
On Oct 9, 2007, at 2:33 AM, Sean Donelan wrote:
> Since it's becoming more common to have more administrative controls
> on local name servers, such as bogon and name filters, what is the
> recommended RCODE for queries denied by policy filters?
>
> The obvious choice is RCODE=5 (Refused). But that seems to confuse
> a lot of clients.
Different types of responses have different effects.
There are, in general, three classes of responses, grouped by the
subsequent behaviour of clients receiving this response, and sorted
by effectiveness.
There is nxdomain/nodata. This response is an authoritative response
and will stop the client from questioning all the nameservers for
this particular name (nxdomain) and type (nodata) for the length of
the SOA minimum value. You'd either have to set up some kind of
"views" and discriminate on IP address, or simply configure your own
(possibly empty) zone for these domains.
There is SERVFAIL/root-referral/REFUSED. This response is considered
a temporary failure, and will cause clients to fall back to the next
nameserver.
The last class is blackhole, i.e. no response given at all. This has
the nasty side effect that clients will become more aggressive, and
you'll end up with more traffic.
Hope this helps.
Roy
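As an added illustration of the three response classes Roy describes (not code from the original post or from any resolver), the following script builds the wire-format reply a policy filter could send for each class: an authoritative NXDOMAIN carrying an SOA record so the client can negatively cache it, a REFUSED reply, and no reply at all. The zone name `bogon.example`, the SOA field values and the query ID are constructed sample data; the negative-cache lifetime is computed per RFC 2308 as the smaller of the SOA record's TTL and its MINIMUM field.

```python
import struct

RCODE_NXDOMAIN, RCODE_REFUSED = 3, 5
QTYPE_A, QTYPE_SOA = 1, 6
CLASS_IN = 1

# Constructed sample: a locally configured (empty) zone standing in for a
# policy-filtered domain, with made-up SOA timers.
EMPTY_ZONE = "bogon.example"
SOA_TTL = 3600
SOA_MINIMUM = 900   # RFC 2308: negative-cache TTL = min(SOA TTL, SOA MINIMUM)


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Return (name, offset after the name); follows compression pointers."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_query(qid, qname, qtype=QTYPE_A):
    """Minimal recursive query: header with RD set, one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def parse_query(msg):
    """Return (id, qname, qtype, raw question section)."""
    qid = struct.unpack("!H", msg[:2])[0]
    qname, off = decode_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    return qid, qname, qtype, msg[12:off + 4]


def soa_rr(zone):
    """Authority-section SOA record for the empty zone (constructed values)."""
    rdata = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
             + struct.pack("!IIIII", 2007101501, 7200, 900, 604800, SOA_MINIMUM))
    return (encode_name(zone)
            + struct.pack("!HHIH", QTYPE_SOA, CLASS_IN, SOA_TTL, len(rdata)) + rdata)


def policy_response(query, policy):
    """Build the reply for one of the three classes: nxdomain, refused, blackhole."""
    qid, _, _, question = parse_query(query)
    if policy == "blackhole":
        return None                                    # no packet is sent at all
    if policy == "refused":
        flags = 0x8180 | RCODE_REFUSED                 # QR, RD, RA; not authoritative
        return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + question
    if policy == "nxdomain":
        flags = 0x8580 | RCODE_NXDOMAIN                # QR, AA, RD, RA: authoritative
        return (struct.pack("!HHHHHH", qid, flags, 1, 0, 1, 0)
                + question + soa_rr(EMPTY_ZONE))
    raise ValueError("unknown policy: %s" % policy)


def rcode(response):
    return struct.unpack("!H", response[2:4])[0] & 0x0F


def negative_cache_ttl(response):
    """Negative-cache lifetime from the authority SOA, or None if there is none."""
    _, _, qd, an, ns, _ = struct.unpack("!HHHHHH", response[:12])
    off = 12
    for _ in range(qd):                                # skip question(s)
        _, off = decode_name(response, off)
        off += 4
    for _ in range(an):                                # skip answer RRs
        _, off = decode_name(response, off)
        off += 10 + struct.unpack("!H", response[off + 8:off + 10])[0]
    for _ in range(ns):
        _, off = decode_name(response, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == QTYPE_SOA:
            _, p = decode_name(response, off)          # MNAME
            _, p = decode_name(response, p)            # RNAME
            minimum = struct.unpack("!IIIII", response[p:p + 20])[4]
            return min(ttl, minimum)
        off += rdlen
    return None


if __name__ == "__main__":
    q = build_query(0x1234, "www.bogon.example")
    for policy in ("nxdomain", "refused", "blackhole"):
        r = policy_response(q, policy)
        if r is None:
            print(policy, "-> no reply; client retries and tries other servers")
        else:
            print(policy, "-> RCODE", rcode(r), "negative TTL", negative_cache_ttl(r))
```

The NXDOMAIN reply is the only one a client can cache; it carries the AA bit and the SOA whose MINIMUM (here 900 s) bounds how long the client stays quiet, which is why serving a local empty zone gives the least follow-up traffic of the three options.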