[dns-operations] RCODE for bogon answers

Roy Arends roy at dnss.ec
Mon Oct 15 08:45:21 UTC 2007

On Oct 9, 2007, at 2:33 AM, Sean Donelan wrote:

> Since its becominging more common to have more administrative controls
> on local name servers, such as bogon and name filters, what is the
> recommended RCODE for queries denied by policy filters?
> The obvious choice is RCODE=5 (Refused).  But that seems to confuse
> a lot of clients.

Different type of responses have different effect.

There are, in general, three classes of responses, grouped by the  
subsequent behaviour of clients receiving this response, and sorted  
by effectiveness.

There is nxdomain/nodata. This response is an authoritative response  
and will stop the client from questioning all the nameservers for  
this particular name (nxdomain) and type (nodata) for the length of  
the SOA minimum value. You'd either have to set up some kind of  
"views" and discriminate on IP address, or simply configure your own  
(possibly empty) zone for these domains.

There is SERVFAIL/root-referral/REFUSED. This response is considered  
a temporary failure, and will cause clients to fallback to the next  

The last class is blackhole, i.e. no response given at all. This has  
the nasty side effect that clients will become more aggressive, and  
you'll end up with more traffic.

Hope this helps.


More information about the dns-operations mailing list