Thus said Daniel Fussell on Thu, 23 Jan 2014 13:16:19 -0700:

> The root zones seem to have it bad as they can't disable recursion,
> and I suspect they are filtering based on query type and queried zone.

It isn't really relevant for the root servers. They don't perform recursion, and any query that does come in with the RD bit set will simply be answered from the root zone database with a delegation to the NS that is authoritative for whatever TLD is in question (because it is appropriate for a root server to respond to all queries given that they are *root*).

E.g., if I ask c.root-servers.net for A www.google.com with the RD bit set, it ignores the recursion request and simply returns an iterative response to one of the gTLD servers. Similarly, if I ask it for a domain that isn't part of any known TLD, it will not honor the RD bit, but instead return an authoritative NXDOMAIN for the query. In either case, the fact the RD was set in the request is irrelevant because the root servers, by virtue of the fact that they are root, are expected to respond to all queries with either NXDOMAIN or a delegation to the correct NS.

Your remaining problem stems not from the fact that you have recursion per se, but rather from the fact that you are running recursive and iterative servers on the same IP. As I indicated before, separating your recursive resolvers from your iterative resolvers is highly recommended both from a segregation point of view and also security. You should not expect to receive DNS queries against your iterative resolvers except for DNS zones that have been delegated to them. Any other requests are either malicious, a probe for vulnerabilities (whitehat/blackhat), or are due to a misconfiguration somewhere. This makes blocking attacks much easier (e.g. you can safely block any packets with the RD bit set that are destined for your iterative servers).

Andy
--
TAI64 timestamp: 4000000052e1e9aa

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
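
The filtering rule described in the message above, as an added example that is not part of the original post: a Python classifier for UDP payloads arriving at an iterative (authoritative-only) server, which drops anything with the RD bit set or naming a zone not delegated to it. The zone list, function names and sample packets are constructed for illustration.

```python
import struct

# Zones delegated to this server (constructed sample values, not from the post).
DELEGATED_ZONES = ("example.org.", "example.net.")

def build_query(qname, qtype=1, rd=False, txid=0x1234):
    """Build a minimal DNS query packet (constructed test input)."""
    flags = 0x0100 if rd else 0x0000  # RD is bit 8 of the 16-bit flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split(".") if l)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(packet):
    """Return (flags, qname) for the single question; ValueError if malformed."""
    if len(packet) < 12:
        raise ValueError("short header")
    _, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        # Lengths above 63 include compression pointers, invalid in a question.
        if length > 63 or pos + length > len(packet):
            raise ValueError("bad label")
        labels.append(packet[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    return flags, ".".join(labels) + "."

def classify(packet, zones=DELEGATED_ZONES):
    """Decide what an authoritative-only listener should do with a payload."""
    try:
        flags, qname = parse_question(packet)
    except ValueError:
        return "drop:malformed"
    if flags & 0x8000:  # QR=1: a response, not a query
        return "drop:not-a-query"
    if flags & 0x0100:  # RD=1: recursion requested of a non-recursive server
        return "drop:rd-set"
    if not any(qname == z or qname.endswith("." + z) for z in zones):
        return "drop:not-delegated"
    return "answer"
```

When testing such a rule by hand, note that `dig` sets RD by default; use `+norecurse` to send the kind of query an iterating resolver would.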
