Removing root zone hints for authoritative nameservers
Kevin Darcy
kcd at daimlerchrysler.com
Wed Feb 15 01:29:07 UTC 2006
Wiley Sanders wrote:
>Howdy all,
>
>I have just inherited the management of a couple of authoritative
>nameservers. We're authoritative for about 1000 zones, and we still
>have hints for the root zone, I guess since the beginning of time. I'm
>finding that 6 million of our 9 million queries per day are getting
>"referral" responses from our server, meaning we are sending the root
>zone data back in response to a query for a zone we aren't
>authoritative for. Presumably this is because someone out there has my
>servers in their resolv.conf?
>
>I tested a Solaris and a Linux resolver, and those resolvers cannot
>resolve zones that are not ours if I put our servers in the
>resolv.conf. Are there some resolvers out there, or forwarders, that
>might be set to our servers, and still be behaving correctly?
>
>ISC recommends "removing the root zone hints for authoritative-only
>nameservers" so clients receive a SERVFAIL instead of a referral. Has
>anyone done this and survived to tell the tale? Is there any possible
>reason why we would be getting and sending referral responses, other
>than client's misconfigurations?
>
>The real reason I ask is because we are thinking of outsourcing to
>UltraDNS or an equivalent. Unfortunately, UltraDNS bills for all
>queries, bogus or not. If we can somehow reduce the 75% of our queries
>that are bogus (we get an additional 15% or so queries that result in
>NXRRSET and NXDOMAIN responses) UltraDNS would be affordable.
>
I'm a little surprised that you'd be getting so many bogus queries. Most
reasonable resolvers will, as your testing indicated, fail a query
completely if a root-zone referral is received. When queries fail
completely, apps typically break, some human being usually notices, and
then the problem gets fixed. But presumably these clients either a) have
broken stub/forwarding resolvers that are failing over, to working
full-resolvers further down in their resolver list, in response to the
root-zone referrals, or b) are backroom/autopilot boxes and nobody even
realizes that DNS resolution has stopped working on them, or c) some
combination of the two. But 6 million queries a day? That seems rather
excessive, unless you at some point had open recursion and attracted a
large number of moochers (most of which probably moved on shortly after
you turned recursion off).
The bad news is, if these stub/forwarding resolvers are broken wrt
resolver-failover, or on autopilot, it probably won't make much
difference to start sending back SERVFAILs instead of root-zone
referrals. You can try it, but I'm not real confident it'll help your
situation significantly.
One other thing you might try, assuming most of this query traffic is
for website names, is setting up a root zone, with a wildcard A RR in it
pointing at some random website's address (or, if you're evil, some
purposely-chosen objectionable site like porn, hate group, whatever). In
the (a) case above, maybe that will stop the clients from failing over,
so that if those people ever want to go to any *other* website, they'll
need to reconfigure their stub/forwarding resolvers to point somewhere
other than your servers. It won't help the (b) case though; to fix that
category of clients, you'd probably need to go through the hassle of
migrating your nameservers to "fresh" IPs that no-one currently knows
about...
- Kevin
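Before deciding whether dropping the hints is worth the trouble, it helps to measure how much of the query load actually falls outside the zones the server serves, and which clients are sending it. The script below is an added example, not code from the thread; the log lines are constructed in the shape of BIND's query log, and the served-zone list, regex and function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the shape of BIND query-log lines:
# "<timestamp> client <ip>#<port>: query: <qname> <class> <type> <flags>"
SAMPLE_LOG = """\
15-Feb-2006 01:29:07.101 client 192.0.2.10#53021: query: www.example.com IN A +
15-Feb-2006 01:29:07.102 client 192.0.2.10#53022: query: www.google.com IN A +
15-Feb-2006 01:29:07.103 client 198.51.100.7#1025: query: mail.example.net IN MX -
15-Feb-2006 01:29:07.104 client 192.0.2.10#53023: query: example.com IN SOA -
15-Feb-2006 01:29:07.105 client 203.0.113.9#40000: query: ftp.example.org IN A +
15-Feb-2006 01:29:07.106 client 192.0.2.10#53024: query: www.microsoft.com IN A +
"""

# Assumed list of zones this server is authoritative for (in practice, read from named.conf).
SERVED_ZONES = ("example.com", "example.net")

QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def in_served_zone(qname, zones):
    """True if qname is at or below one of the served zones.
    Compares whole labels so 'notexample.com' does not match 'example.com'."""
    labels = qname.rstrip(".").lower().split(".")
    for zone in zones:
        zlabels = zone.rstrip(".").lower().split(".")
        if len(labels) >= len(zlabels) and labels[-len(zlabels):] == zlabels:
            return True
    return False


def classify(log_text, zones):
    """Return (counts, offenders): counts of in-zone vs out-of-zone queries, and a
    per-client tally of out-of-zone queries, i.e. the ones that currently get a
    root-zone referral and would get SERVFAIL once the hints are removed."""
    counts = Counter()
    offenders = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query-log line; skip
        if in_served_zone(m["qname"], zones):
            counts["in-zone"] += 1
        else:
            counts["out-of-zone"] += 1
            offenders[m["ip"]] += 1
    return counts, offenders


if __name__ == "__main__":
    counts, offenders = classify(SAMPLE_LOG, SERVED_ZONES)
    print(dict(counts), offenders.most_common(5))
```

Feeding a day's query log through `classify` gives both the share of referral-bound traffic and the top source addresses, which is what you need to contact the owners of the misconfigured resolvers Kevin describes.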