[dns-operations] Getting rid of ISP's recursive DNS servers?(Was: Eircom "DNS Attacks" ?
Barber, Piet
pbarber at verisign.com
Mon Jul 20 18:32:08 UTC 2009
> The current root load consists mostly (90+%) of queries for which
> NXDOMAIN is the offered answer. Some clients do negative caching
> properly, some don't, so it's hard to quantify the benefit.

I would like to correct a minor point here:

Doing an analysis of the inbound DNS queries to our root server, I would
agree that 90% of them are useless and never should have gotten to the
root server in the first place. However, of that 90% of useless
queries, not all of them result in an NXDOMAIN response from the root
server. At this very moment, A.root-servers.net is answering about 1 in
every 4 queries with an NXDOMAIN response (instead of 9 in 10).
(Thank you _LDAP._TCP., .WPAD, .local and .localhost)

A quick look back to the data reports on this day 5 years ago reveals
about the same ratio of NXDOMAINs for every query that we received.

In our research for a root traffic and negative caching and such, it
wasn't always a failure of NXDOMAIN that caused a re-query, but instead,
a failure of different sorts. RFC 4697, written a few years ago, still
holds true for most of the junk-queries we get, especially those name
servers stuck behind an improperly-configured ACL or firewall that won't
let the answers get back to the iterative resolver sending us the queries in
the first place.