gypsy wrote:
GrantC wrote:
On Thu, 17 Feb 2005 17:15:56 +0200, you wrote:
Greetings ...
I have read in the mail list archive what a "refused to do a recursive
query" is, but I'm lost.
I think that either I have misconfigured my installations of dnsmasq
or I have a big problem with my network.
I'm currently getting 100MB worth of DNS traffic a day, this might be
because I'm using anti-spam DNS stuff, but I'm also getting about 20738
of these warning ...
Could I ask for some help to fix this?
The biggest offender IMHO is the ban by spam filters doing
reverse lookups for each hit on the machine -- try a different
approach: kill each nn.nn.nn.nn/24 IP block that sources spam
in the firewall -- I imagine it wouldn't take long to have your
very own reject set that will immensely reduce DNS traffic.
Then whitelist 'collateral damage' IPs, if any. Worth a try?
How soon will it be that DNS operators refuse or limit services
to sites that overload them? Perhaps that is happening now?
Cheers,
Grant.
I'd like to add 2 ideas to the above.
1) Add a DNS server to your list that you are sure DOES allow
recursive. I won't make any promises, but I'm successful with these:
207.171.0.10
207.178.128.20
68.65.16.162
while
206.72.64.70 gives that message.
2) http://ip.ludost.net/
from which I obtained some valuable rules for iptables.
--
gypsy
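A way to check gypsy's point 1 before putting an address in dnsmasq's upstream list, as an added example that is not part of this thread or of dnsmasq itself: a small Python script that sends one query with the RD (recursion desired) bit set and classifies the reply by the two ways an upstream signals it will not recurse for you, an RCODE of REFUSED or an answer without the RA (recursion available) flag. The probe name `example.com.`, the query id and the 3-second timeout are assumptions.

```python
import socket
import struct

# RCODE names from RFC 1035; 5 (REFUSED) is the "refused to do a recursive
# query" case, and a reply without RA set means the server will not recurse.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

def build_query(name, qid=0x1234, qtype=1):
    """Build a minimal DNS query (type A by default) with only RD set, no EDNS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN

def classify_response(packet, expected_qid):
    """Return (verdict, rcode_name, ra) for a raw DNS response packet."""
    if len(packet) < 12:
        return ("malformed", None, None)
    qid, flags = struct.unpack("!HH", packet[:4])
    if qid != expected_qid or not flags & 0x8000:  # must be a reply to our id
        return ("malformed", None, None)
    ra = bool(flags & 0x0080)
    code = flags & 0x000F
    rcode = RCODES.get(code, "RCODE%d" % code)
    if rcode == "REFUSED":
        return ("refused", rcode, ra)
    if not ra:
        return ("no-recursion", rcode, ra)
    return ("recursive", rcode, ra)

def check_upstream(server, name="example.com.", timeout=3.0):
    """Send one UDP query to server:53 and classify the reply (needs network)."""
    qid = 0x1234  # assumed fixed id; a real resolver randomises this
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return ("timeout", None, None)
    return classify_response(data, qid)

if __name__ == "__main__":
    import sys
    for server in sys.argv[1:]:
        print(server, check_upstream(server))
```

Run it with the candidate upstream addresses as arguments; only servers that come back as `recursive` are worth listing in dnsmasq's configuration, and the 2005 addresses above may behave differently today.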
I'll limit the warnings to one per upstream nameserver in the next
dnsmasq release. It doesn't make sense to spam logs with the same message
over and over again.
Cheers,
Simon.