<div class="gmail_quote">On Tue, Sep 11, 2012 at 1:12 PM, Chip Marshall <span dir="ltr"><<a href="mailto:chip@2bithacker.net" target="_blank">chip@2bithacker.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
It appears to always be ANY queries with recursion desired set,<br>
which well behaved recursors shouldn't be sending to<br>
authoritatives in the first place. We've used that to identify<br>
and block apparent source IPs.<br>
<span class="HOEnZb"></span><br></blockquote></div><br>Just did a dump of the raw packets and we are seeing the same thing. I also noticed a much lower number of non-ANY type packets, with the recursion bit set (which we answered) and then stumbled upon a yet smaller number of ICMP packets that then come back from the "answered" hosts indicating port not reachable. So clearly there is an additional (yet small) level of junk that could be filtered, perhaps solely based on the recursion bit.<br>
<br>Does anyone know if it is safe to drop all packets received with the recursion bit set on an authoritative server? Are there any instances where an authoritative server <i>should</i> respond to a query with this bit set?<br>
<br>Thanks,<br><br>-Rob<br><br>
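The classification discussed in this thread (ANY queries with recursion desired set, versus other queries with the bit set) can be run over captured UDP payloads as below. This is an added example, not code from either poster; the function names and the sample packets are constructed for illustration, and the addresses come from the documentation ranges.

```python
import struct
from collections import Counter

QR_FLAG, RD_FLAG, QTYPE_ANY = 0x8000, 0x0100, 255

def build_query(qname, qtype, rd, txid=0x1234):  # helper for sample data only
    header = struct.pack("!HHHHHH", txid, RD_FLAG if rd else 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def classify(payload):
    """Return 'any+rd', 'rd', 'no-rd', or 'other' for one UDP DNS payload."""
    if len(payload) < 12:
        return "other"                      # shorter than a DNS header
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & QR_FLAG or qdcount != 1:
        return "other"                      # a response, or not a single question
    pos = 12
    while True:                             # walk the QNAME labels
        if pos >= len(payload):
            return "other"                  # truncated name
        length = payload[pos]
        pos += 1
        if length == 0:
            break                           # root label ends the name
        if length > 63:
            return "other"                  # pointer/reserved label, not expected here
        pos += length
    if pos + 4 > len(payload):
        return "other"                      # QTYPE/QCLASS missing
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    if not flags & RD_FLAG:
        return "no-rd"
    return "any+rd" if qtype == QTYPE_ANY else "rd"

def tally(packets):
    return Counter((src, classify(payload)) for src, payload in packets)

# Constructed sample traffic as (source IP, UDP payload) pairs.
SAMPLE = [
    ("192.0.2.10", build_query("example.com", QTYPE_ANY, True)),
    ("192.0.2.10", build_query("example.com", QTYPE_ANY, True)),
    ("198.51.100.7", build_query("www.example.com", 1, True)),
    ("203.0.113.5", build_query("example.com", 1, False)),
    ("203.0.113.9", b"\x00\x01"),
]

if __name__ == "__main__":
    for (src, kind), n in sorted(tally(SAMPLE).items()):
        print(f"{src:15} {kind:7} {n}")
```

Because the source address of a UDP query can be spoofed, the per-source counts describe apparent sources only.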