[dns-operations] Survey of How to Solving DNS Errors

Mark Andrews marka at isc.org
Fri Aug 16 00:34:46 UTC 2024



> On 16 Aug 2024, at 06:40, Fred Morris <m3047 at m3047.net> wrote:
> 
> On Thu, 15 Aug 2024, Geoff Huston wrote:
>> 
>> As to "what can you do"? there have been a couple of responses to this:
>> 
> 
> If you run Response Policy Zones (and BIND) you can partially mitigate the impact of search lists on this at the recursive resolver by defining things like *.com.example and *.com.example.com as "CNAME ." and ensuring qname-wait-recurse is set to "no". (Probably best to look at your own traffic with wireshark and identify the low hanging fruit.)

This is a really BAD idea.  If you are seeing <dotted.name>.<search.list.element> the search list configuration is broken.  Partially qualified names are a security hazard.

> --
> 
> Fred Morris

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
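For readers who want to see what the configuration Fred describes above actually looks like in BIND, here is an added illustration (not code from either poster, nor from ISC): a response-policy statement with qname-wait-recurse set to "no", plus the RPZ zone file carrying the two wildcard "CNAME ." triggers he mentions. The zone name "rpz.local", the file path, and the SOA values are assumptions for the example. Note Mark's objection still stands: this only hides the symptom at the resolver; the search-list configuration on the clients is what is actually broken.

```conf
// ---- named.conf fragment (assumed: zone name "rpz.local") ----
options {
    recursion yes;

    // qname-wait-recurse no: apply QNAME triggers before recursing, so a
    // matching query is answered locally and is never sent upstream.
    // The default (yes) would still recurse before applying the policy.
    response-policy {
        zone "rpz.local";
    } qname-wait-recurse no;
};

zone "rpz.local" {
    type primary;
    file "/var/named/rpz.local.db";   // assumed path
    allow-query { none; };            // policy zone is not served to clients
};

; ---- /var/named/rpz.local.db (RPZ zone file) ----
$TTL 300
@                    IN SOA  localhost. hostmaster.localhost. (
                                1       ; serial
                                3600    ; refresh
                                600     ; retry
                                86400   ; expire
                                300 )   ; negative TTL
                     IN NS   localhost.

; QNAME triggers from the post. In RPZ, "CNAME ." means answer NXDOMAIN.
; A wildcard matches names *below* the owner (www.com.example), not the
; owner itself (com.example); add an explicit entry if that is wanted too.
*.com.example        IN CNAME .
*.com.example.com    IN CNAME .
```

Check the result with "named-checkconf" and "named-checkzone rpz.local /var/named/rpz.local.db" before reloading, and, as Fred suggests, look at real query traffic first so the triggers match the search-list suffixes you actually see rather than guessed ones.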



