On Tue, 27 Jan 2009, Luis Silva wrote:
Hi all,
I'm having a question related to querying external servers that I hope you
could answer for me. I'm sending an iterative query to an external server and
the server is sending a referral answer but only with the authoritative name
servers. After that, I send an A query asking for the nameservers' IP addresses.
Is this A query supposed to be a recursive query, or must it be an iterative one?
Is there a standard that talks about this? Thanks in advance.
Kind regards,
Luis
My external NS is one that does so by virtue of these named.conf
entries:
    view "external" { // Primary nameserver for maplepark.com.
        match-clients { any; };
        recursion no;                 // authoritative-only: never recurse for any client
        additional-from-cache no;     // do not fill the additional section from cache
        // https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful
        zone "maplepark.com" {
            type master;
            notify yes;
            allow-transfer { slave-name-servers; };
            file "/var/named/drf/external/maplepark.com.external.";
        };
    };                                // closing brace of the view (missing in the original)
I do this because it then replies with a 28-byte message containing only my
authoritative information (nothing) and does not then contribute to a DDoS
with an amplified reply to a request for the root servers (. NS). If I
could, I would have it just not respond and let the attacker time out.
But that is not an option. At least I haven't found a way to do that.
A side effect of this config is that I don't send glue to legitimate
queries for my NS (just my authoritative information) but my secondaries
are easily found from the root servers. And if my NS is off-line, the
secondaries will be queried anyway. No information is returned for upward
referrals.
Dave Forrest
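As an added illustration of the behaviour Dave describes (not code from the thread), the Python script below parses a raw DNS reply with only the standard library, reports the NS names of any upward referral (NS records for the root in the authority section), the RA flag, and the size ratio of reply to query. Both sample messages are constructed here, and the 192.0.2.x documentation addresses are assumptions standing in for real root-server addresses.

```python
import struct

def _name(s):  # dotted name to uncompressed wire format ("." becomes b"\x00")
    labels = [l for l in s.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def _rr(owner, rtype, rdata):  # one IN record with TTL 3600
    return owner + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata

# Constructed samples, not captures. Query for ". NS" with RD clear (iterative), 17 bytes.
QUERY = struct.pack("!HHHHHH", 0x1234, 0, 1, 0, 0, 0) + _name(".") + struct.pack("!HH", 2, 1)
# Reply that echoes only the question: QR set, RA clear, no records (the intended behaviour).
EMPTY_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, 0, 0) + QUERY[12:]
# Upward referral: root NS records in the authority section plus glue in the additional
# section (0xC0.. bytes are compression pointers; 192.0.2.x are documentation addresses).
UPWARD_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, 2, 2) + QUERY[12:]
                + _rr(_name("."), 2, _name("a.root-servers.net"))
                + _rr(_name("."), 2, b"\x01b\xc0\x1e")        # "b" + pointer to root-servers.net
                + _rr(b"\xc0\x1c", 1, bytes([192, 0, 2, 1]))   # a.root-servers.net A
                + _rr(b"\xc0\x3b", 1, bytes([192, 0, 2, 2])))  # b.root-servers.net A

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:                    # compression pointer
            end = end or off + 2                       # caller resumes after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
            off += 1 + msg[off]
    return ".".join(labels) + ".", (end or off + 1)

def analyse(query, reply):
    """Amplification ratio, RA flag and the NS names of any upward referral."""
    flags, qd, an, ns, ar = struct.unpack("!HHHHH", reply[2:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        off = _read_name(reply, off)[1] + 4
    referral = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = _read_name(reply, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
            if section == "authority" and rtype == 2 and owner == ".":
                referral.append(_read_name(reply, off + 10)[0])
            off += 10 + rdlen
    return {"ratio": len(reply) / len(query),
            "recursion_available": bool(flags & 0x0080),
            "upward_referral": referral}
```

Run `analyse(QUERY, EMPTY_REPLY)` and `analyse(QUERY, UPWARD_REPLY)` to compare the two replies; the same function works on a reply captured from a real server.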
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users