[dns-operations] Should medium-sized companies run their own recursive resolver?

Mark Andrews marka at isc.org
Sat Oct 19 02:35:38 UTC 2013


In message <201310190010.r9J0AMoH094627 at calcite.rhyolite.com>, Vernon Schryver 
writes:
> > > done by now. it could have a slightly custom kernel that allowed the
> > > server to specify IP.TTL=3 in sendmsg().
> 
> 
> It's been pointed out privately that no kernel hacking would be needed:
> 
> ]  From the ip(7) manpage for Linux:
> ] 
> ]    IP_TTL (since Linux 1.0)
> ]       Set or retrieve the current time-to-live field that is 
> ]       used  in every packet sent from this socket.
> 
> FreeBSD 9 and no doubt previous versions of the BSD code have:
> 
> }  setsockopt(s, IPPROTO_IP, IP_OPTIONS, NULL, 0);
> }
> }  IP_TOS and IP_TTL may be used to set the type-of-service and time-to-live
> }  fields in the IP header for SOCK_STREAM, SOCK_DGRAM, and certain types of
> 
> That implies that every DNS server implementation with a reasonable
> ./configure script to check that IP_TTL or whatever is defined could
> and I think should by default set IP.TTL=3 on sockets used to send
> UDP responses.
> If those system calls work on listen() sockets, you could also
> easily limit TCP/DNS responses, but only for extra credit.
> In BIND you might want to link the IP_TTL setting to the view,
> which would add only a very small complication.
> 
> My mail logs say that I proposed to BIND honchos using the BSD
> setsockopt(IP_TTL) in February.  I also wrote:
> 
> > it's occurred to me that a tiny IP TTL should be only (or maybe only
> > by default) on responses with RD=1.
> 
> RD=1 as the trigger might simplify DNS server configuration issues.
> 
> 
> My February mail logs also have words from someone unaffiliated with
> BIND on another mailing list about the idea.

Actually, a better criterion is "would you set" RA in the response.

> Vernon Schryver    vjs at rhyolite.com
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
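The mechanism the thread argues over is small enough to show end to end: a socket option that caps the IP TTL on UDP answers (so a reflected answer cannot travel far from the resolver), and a policy test on the DNS header that decides which answers get it. The code below is an added example written for this page; it is not code from the thread, from BIND or from ISC. The helper names (`should_limit_hops`, `set_udp_ttl`, `demo_apply_ttl`), the `RECURSIVE_ANSWER_TTL` constant and the two 12-byte DNS headers are constructed for illustration. The policy follows Mark Andrews' refinement (trigger on RA in the response rather than on RD in the query); the flag bit positions are from RFC 1035 section 4.1.1.

```c
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Flag bits in the second 16-bit word of a DNS header (RFC 1035 4.1.1). */
#define DNS_FLAG_RD 0x0100   /* recursion desired (set by the client)   */
#define DNS_FLAG_RA 0x0080   /* recursion available (set by the server) */

/* Hypothetical policy knob: hop limit for answers that carry RA=1. */
#define RECURSIVE_ANSWER_TTL 3

/* Constructed sample headers, 12 bytes each: ID, flags, QD, AN, NS, AR.
   recursive_answer:     QR=1 RD=1 RA=1  (flags 0x8180), what a resolver sends
   authoritative_answer: QR=1 AA=1 RD=0 RA=0 (flags 0x8400), what an auth server sends */
const uint8_t recursive_answer[12]     = {0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0};
const uint8_t authoritative_answer[12] = {0xab, 0xcd, 0x84, 0x00, 0, 1, 0, 1, 0, 0, 0, 0};

/* Return the 16-bit flags word of a DNS message, or -1 if it is too short. */
int dns_flags(const uint8_t *msg, size_t len) {
    if (len < 12) return -1;
    return (msg[2] << 8) | msg[3];
}

/* Policy from the thread: cap the hop count when the server would set RA in
   the response. A truncated or malformed message gets the normal TTL. */
int should_limit_hops(const uint8_t *response, size_t len) {
    int flags = dns_flags(response, len);
    if (flags < 0) return 0;
    return (flags & DNS_FLAG_RA) != 0;
}

/* Apply IP_TTL to a socket and read it back; returns the TTL now in effect,
   or -1 if either call fails (e.g. the platform lacks IP_TTL). */
int set_udp_ttl(int sock, int ttl) {
    if (setsockopt(sock, IPPROTO_IP, IP_TTL, &ttl, sizeof ttl) != 0) return -1;
    int got = 0;
    socklen_t optlen = sizeof got;
    if (getsockopt(sock, IPPROTO_IP, IP_TTL, &got, &optlen) != 0) return -1;
    return got;
}

/* Create a UDP socket, apply the small TTL, return what the kernel reports.
   No packets are sent; the socket is closed before returning. */
int demo_apply_ttl(void) {
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0) return -1;
    int got = set_udp_ttl(s, RECURSIVE_ANSWER_TTL);
    close(s);
    return got;
}

int main(void) {
    printf("recursive answer limited:     %d\n",
           should_limit_hops(recursive_answer, sizeof recursive_answer));
    printf("authoritative answer limited: %d\n",
           should_limit_hops(authoritative_answer, sizeof authoritative_answer));
    printf("TTL read back from kernel:    %d\n", demo_apply_ttl());
    return 0;
}
```

A real server would call `set_udp_ttl` once per listening socket (or per view, as the thread suggests for BIND) rather than per packet, since `IP_TTL` via `setsockopt` applies to every datagram sent from that socket; answers to RD=0 queries that the server would not mark RA=1 would go out a socket left at the default TTL.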
