[dns-operations] Getting rid of ISP's recursive DNS servers?(Was: Eircom "DNS Attacks" ?

Barber, Piet pbarber at verisign.com
Mon Jul 20 18:32:08 UTC 2009

> The current root load consists mostly (90+%) of queries for which
> NXDOMAIN is the offered answer. Some clients do negative caching
> properly, some don't, so it's hard to quantify the benefit.

I would like to correct a minor point here: 

Doing an analysis of the inbound DNS queries to our root server, I would
agree that 90% of them are useless and never should have gotten to the
root server in the first place.   However, of that 90% of useless
queries, not all of them result in an NXDOMAIN response from the root
server.  At this very moment, A.root-servers.net is answering about 1 in
every 4 queries with an NXDOMAIN response, (instead of 9 in 10).   

( Thank you _LDAP._TCP., .WPAD, .local and .localhost )

A quick look back to the data reports on this day 5 years ago reveals
about the same ratio of NXDOMAINs for every query that we received. 

In our research for a root traffic and negative caching and such, it
wasn't always a failure of NXDOMAIN that caused a re-query, but instead,
a failure of different sorts.  RFC 4697, written a few years ago, still
holds true for most of the junk-queries we get, especially those name
servers stuck behind an improperly-configured ACL or firewall that won't
let the answers get back to iterative resolver sending us the queries in
the first place. 

More information about the dns-operations mailing list