[dns-operations] sophosxl.net problem?
James Stevens
dns at jrcs.net
Tue Nov 12 12:53:18 UTC 2019
Health-checks (e.g. pingdom etc) with RD=1 seem pretty common.
Really you want to health-check authoritative-only servers respond when
RD=0 and the response has AA=1, otherwise you might just be hitting a
resolver, but I guess that's beyond what most of those services provide.
I catch the RD=1 in iptables using m32 and throttle it to (say) 20 per
second to get round this issue - cos I'm also one of those who keep
forgetting to add "+norec" to dig :)
Apart from health-checks & dig, most of the RD=1 traffic I get to my
auth-only servers seems to come from malware, spammers etc - e.g. same
IP asking the same question 100s of times.
James
On 12/11/2019 12:29, Tony Finch wrote:
> James Stevens <js at jrcs.net> wrote:
>>
>> Would it be reasonable for an authoritative-only DNS Server to reject / ignore
>> / throttle requests with RD=1 ?
>
> I think for quite a long time my toy DNS server (which runs with an
> appalling hodge-podge of patches) was running with a config something
> like...
>
> view rec {
>     match-recursive-only yes;
>     # stuff
> };
> view auth {
>     recursion no;
>     allow-recursion { none; };
>     zone dotat.at { /* ... */ };
>     # etc.
> };
>
> The effect was that recursive queries went to the rec view then got
> rejected by an ACL; RD=0 queries went to the auth view which served my
> zone to all comers. The only problem I noticed was RD=1 health checks from
> one of my secondaries. My config now has a match-clients clause in the rec
> view which works better all round.
>
> Tony.
>
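As an added example (not code from either poster), here is the kind of health check James describes: send the query with RD=0, the wire equivalent of `dig +norec`, and only treat the server as healthy when the reply carries AA=1, so that a recursive resolver standing in for the authoritative server fails the check. The zone name `dotat.at` is taken from Tony's config; the sample responses are constructed headers.

```python
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR = 0x8000  # response
AA = 0x0400  # authoritative answer
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available

def build_query(qname, qtype=2, qid=0x1234, rd=False):
    """Build a raw DNS query (qtype 2 = NS). rd=False is what 'dig +norec' sends."""
    flags = RD if rd else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(packet):
    """Decode the 12-byte header; the flags are all a health check needs."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": qid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "ancount": an}

def auth_healthy(query, response):
    """True only for a NOERROR, AA=1 answer matching our RD=0 query's ID."""
    q = parse_header(query)
    r = parse_header(response)
    return r["id"] == q["id"] and r["qr"] and r["aa"] and r["rcode"] == 0

def check_server(ip, zone, port=53, timeout=2.0):
    """Live check against one authoritative server (hypothetical helper, not run in tests)."""
    q = build_query(zone, rd=False)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (ip, port))
        resp, _ = s.recvfrom(4096)
    return auth_healthy(q, resp)

# Constructed sample replies (headers only): one from an authoritative server,
# one from a recursive resolver that answered from cache without AA.
AUTH_RESPONSE = struct.pack("!HHHHHH", 0x1234, QR | AA, 1, 1, 0, 0)
RESOLVER_RESPONSE = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)
```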