[dns-operations] Should medium-sized companies run their own recursive resolver?

Vernon Schryver vjs at rhyolite.com
Sat Oct 19 00:10:22 UTC 2013


> > done by now. it could have a slightly custom kernel that allowed the
> > server to specify IP.TTL=3 in sendmsg().


It's been pointed out privately that no kernel hacking would be needed:

]  From the ip(7) manpage for Linux:
] 
]    IP_TTL (since Linux 1.0)
]       Set or retrieve the current time-to-live field that is 
]       used  in every packet sent from this socket.

FreeBSD 9 and no doubt previous versions of the BSD code have:

}  setsockopt(s, IPPROTO_IP, IP_OPTIONS, NULL, 0);
}
}  IP_TOS and IP_TTL may be used to set the type-of-service and time-to-live
}  fields in the IP header for SOCK_STREAM, SOCK_DGRAM, and certain types of

That implies that every DNS server implementation with a reasonable
./configure script to check that IP_TTL or whatever is defined could
and I think should by default set IP.TTL=3 on sockets used to send
UDP responses.
If those system calls work on listen() sockets, you could also
easily limit TCP/DNS responses, but only for extra credit.
In BIND you might want to link the IP_TTL setting to the view,
which would add only a very small complication.

My mail logs say that I proposed to BIND honchos using the BSD
setsockopt(IP_TTL) in February.  I also wrote:

> it's occurred to me that a tiny IP TTL should be only (or maybe only
> by default) on responses with RD=1.

RD=1 as the trigger might simplify DNS server configuration issues.


My February mail logs also have words from someone unaffiliated with
BIND on another mailing list about the idea.


Vernon Schryver    vjs at rhyolite.com
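The mechanism the post proposes, as an added example that is not part of the original message or of any DNS server's code: set IP_TTL on the UDP socket used for responses so that they cannot travel more than a few hops (the post's "IP.TTL=3"), and choose that tiny TTL only for queries that arrive with RD=1, falling back to a normal TTL otherwise. The 12-byte DNS headers, the default TTL of 64 and the function names are assumptions made here for illustration; the setsockopt(IPPROTO_IP, IP_TTL) call is the portable one quoted from the Linux and FreeBSD manpages in the post. Only UDP is covered; the post leaves TCP open.

```c
/* Added example, not from the original post: limit how far DNS responses can
 * travel by setting IP_TTL on the response socket, and pick the TTL per query
 * from the RD bit, as the post suggests. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define DNS_HDR_LEN 12
#define NEAR_TTL    3    /* the value proposed in the post */
#define DEFAULT_TTL 64   /* assumed "normal" TTL; not from the post */

/* 1 if the DNS message in buf has RD=1, 0 if RD=0, -1 if shorter than a
 * header. RD is the low bit of the third header byte (RFC 1035, 4.1.1). */
int dns_rd_set(const uint8_t *buf, size_t len)
{
    if (len < DNS_HDR_LEN)
        return -1;
    return (buf[2] & 0x01) ? 1 : 0;
}

/* TTL policy: tiny TTL only on responses to RD=1 queries; a truncated
 * message gets the default, since a real server would drop it anyway. */
int ttl_for_query(const uint8_t *query, size_t len)
{
    return dns_rd_set(query, len) == 1 ? NEAR_TTL : DEFAULT_TTL;
}

/* Set the unicast TTL used for every packet sent from fd afterwards. */
int set_ip_ttl(int fd, int ttl)
{
    return setsockopt(fd, IPPROTO_IP, IP_TTL, &ttl, sizeof ttl);
}

/* Read the socket's current TTL back; -1 on error. */
int get_ip_ttl(int fd)
{
    int ttl = -1;
    socklen_t len = sizeof ttl;
    if (getsockopt(fd, IPPROTO_IP, IP_TTL, &ttl, &len) < 0)
        return -1;
    return ttl;
}

/* Open a UDP response socket with the proposed default TTL applied.
 * Returns -1 if sockets are unavailable (e.g. a restricted sandbox). */
int open_response_socket(int ttl)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (set_ip_ttl(fd, ttl) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed sample query headers (question section omitted); only the
 * flags bytes at offset 2..3 matter for this example. */
static const uint8_t QUERY_RD1[DNS_HDR_LEN] =
    {0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0};
static const uint8_t QUERY_RD0[DNS_HDR_LEN] =
    {0x12, 0x35, 0x00, 0x00, 0, 1, 0, 0, 0, 0, 0, 0};

int main(void)
{
    int fd = open_response_socket(NEAR_TTL);
    if (fd < 0) {
        perror("socket");
        return 1;
    }
    printf("response socket TTL: %d\n", get_ip_ttl(fd));

    /* A server mixing RD=1 and RD=0 traffic on one socket must set the
     * option before each sendto(); it applies to packets sent afterwards. */
    set_ip_ttl(fd, ttl_for_query(QUERY_RD1, sizeof QUERY_RD1));
    printf("RD=1 query -> TTL %d\n", get_ip_ttl(fd));
    set_ip_ttl(fd, ttl_for_query(QUERY_RD0, sizeof QUERY_RD0));
    printf("RD=0 query -> TTL %d\n", get_ip_ttl(fd));
    close(fd);
    return 0;
}
```

Setting the option once at socket creation is enough for the simple case in the post (every UDP response gets TTL=3). The per-query variant matters only when one socket serves both recursive (RD=1) clients that are known to be within three hops and authoritative (RD=0) traffic that must reach the whole Internet; a resolver whose clients sit further away than the chosen TTL will simply stop answering them, so the hop count has to be checked against the real topology before deploying this.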
