[dns-operations] sophosxl.net problem?

James Stevens dns at jrcs.net
Tue Nov 12 12:53:18 UTC 2019

Health-checks (e.g. pingdom etc) with RD=1 seem pretty common.

Really you want to health-check that authoritative-only servers respond 
when RD=0 and that the response has AA=1; otherwise you might just be 
hitting a resolver, but I guess that's beyond what most of those services 
provide.

I catch the RD=1 in iptables using m32 and throttle it to (say) 20 per 
second to get round this issue - cos I'm also one of those who keep 
forgetting to add "+norec" to dig :)

Apart from health-checks & dig, most of the RD=1 traffic I get to my 
auth-only servers seems to come from malware, spammers etc - e.g. same 
IP asking the same question 100s of times.


On 12/11/2019 12:29, Tony Finch wrote:
> James Stevens <js at jrcs.net> wrote:
>> Would it be reasonable for an authoritative-only DNS Server to reject / ignore
>> / throttle requests with RD=1 ?
> I think for quite a long time my toy DNS server (which runs with an
> appalling hodge-podge of patches) was running with a config something
> like...
> view rec {
> 	match-recursive-only yes;
> 	# stuff
> };
> view auth {
> 	recursion no;
> 	allow-recursion { none; };
> 	zone dotat.at { /* ... */ };
> 	# etc.
> };
> The effect was that recursive queries went to the rec view then got
> rejected by an ACL; RD=0 queries went to the auth view which served my
> zone to all comers. The only problem I noticed was RD=1 health checks from
> one of my secondaries. My config now has a match-clients clause in the rec
> view which works better all round.
> Tony.
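As an added example (not code from the post or from either poster), here is a health check that does what the thread recommends: send a query with the RD bit clear and require AA=1 in the reply, treating an AA=0 answer (typically with RA=1) as "a resolver answered, not the authoritative server". The zone name, the server address and the two sample reply headers are constructed for illustration; only the header is inspected, which is all the check needs.

```python
"""RD=0 health check for an authoritative-only DNS server.

Added example, not from the dns-operations post.  Builds a raw DNS query
with RD cleared and classifies the reply by its header bits.  Server,
zone and the sample replies below are constructed, not captured traffic.
"""
import socket
import struct

# Header flag bits, RFC 1035 section 4.1.1.
QR = 0x8000
AA = 0x0400
RD = 0x0100
RA = 0x0080
RCODE_MASK = 0x000F


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r} in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 2, txid: int = 0x1234) -> bytes:
    """Query for <name> with the flags word set to 0, so RD=0.
    qtype 2 (NS) is used because every zone apex must answer it authoritatively."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # flags=0 -> RD clear
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def check_reply(reply: bytes, txid: int) -> dict:
    """Classify a reply header as an auth-only health check should.
    Pass = QR=1, matching id, RCODE=0, AA=1, at least one answer RR.
    AA=0 means something other than the authoritative server answered."""
    if len(reply) < 12:
        return {"ok": False, "reason": "short reply"}
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid:
        return {"ok": False, "reason": "transaction id mismatch"}
    if not flags & QR:
        return {"ok": False, "reason": "not a response"}
    aa, ra, rcode = bool(flags & AA), bool(flags & RA), flags & RCODE_MASK
    if rcode != 0:
        return {"ok": False, "reason": f"rcode {rcode}", "aa": aa, "ra": ra}
    if not aa:
        return {"ok": False, "reason": "not authoritative (hit a resolver?)", "aa": aa, "ra": ra}
    if an == 0:
        return {"ok": False, "reason": "no answer records", "aa": aa, "ra": ra}
    return {"ok": True, "reason": "authoritative answer", "aa": aa, "ra": ra, "answers": an}


def probe(server: str, zone: str, timeout: float = 2.0, txid: int = 0x1234) -> dict:
    """Send the RD=0 query over UDP and classify the reply (network call)."""
    q = build_query(zone, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return {"ok": False, "reason": "timeout"}
    return check_reply(reply, txid)


# Constructed header-only replies so the classifier can be exercised offline.
# Authoritative server: QR|AA, rcode 0, one answer.
AUTH_REPLY = struct.pack("!HHHHHH", 0x1234, QR | AA, 1, 1, 0, 0)
# Recursive resolver: QR|RD|RA, no AA, one answer.
RESOLVER_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)


if __name__ == "__main__":
    import sys
    server, zone = sys.argv[1:3] if len(sys.argv) == 3 else ("127.0.0.1", "example.com")
    print(probe(server, zone))
```

Run it as `python3 check.py <server-ip> <zone>`; a monitoring system can treat any result with `"ok": False` as a failed check. Because the query carries RD=0, it also passes an iptables throttle of the kind described in the post without being counted against it.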

More information about the dns-operations mailing list