Removing root zone hints for authoritative nameservers

Kevin Darcy kcd at daimlerchrysler.com
Wed Feb 15 01:29:07 UTC 2006


Wiley Sanders wrote:

>Howdy all,
>
>I have just inherited the management of a couple of authoritative
>nameservers. We're authoritative for about 1000 zones, and we still
>have hints for the root zone, I guess since the beginning of time. I'm
>finding that 6 million of our 9 million queries per day are getting
>"referral" responses from our server, meaning we are sending the root
>zone data back in response to a query for a zone we aren't
>authoritative for. Presumably this is because someone out there has my
>servers in their resolv.conf?
>
>I tested a Solaris and a Linux resolver, and those resolvers cannot
>resolve zones that are not ours if I put our servers in the
>resolv.conf. Are there some resolvers out there, or forwarders, that
>might be set to our servers, and still be behaving correctly?
>
>ISC recommends "removing the root zone hints for authoritative-only
>nameservers" so clients receive a SERVFAIL instead of a referral. Has
>anyone done this and survived to tell the tale? Is there any possible
>reason why we would be getting and sending referral responses, other
>than clients' misconfigurations?
>
>The real reason I ask is because we are thinking of outsourcing to
>UltraDNS or an equivalent. Unfortunately, UltraDNS bills for all
>queries, bogus or not. If we can somehow reduce the 75% of our queries
>that are bogus (we get an additional 15% or so queries that result in
>NXRRSET and NXDOMAIN responses) UltraDNS would be affordable.
>  
>
I'm a little surprised that you'd be getting so many bogus queries. Most 
reasonable resolvers will, as your testing indicated, fail a query 
completely if a root-zone referral is received. When queries fail 
completely, apps typically break, some human being usually notices, and 
then the problem gets fixed. But presumably these clients either a) have 
broken stub/forwarding resolvers that are failing over, to working 
full-resolvers further down in their resolver list, in response to the 
root-zone referrals, or b) are backroom/autopilot boxes and nobody even 
realizes that DNS resolution has stopped working on them, or c) some 
combination of the two. But 6 million queries a day? That seems rather 
excessive, unless you at some point had open recursion and attracted a 
large number of moochers (most of which probably moved on shortly after 
you turned recursion off).

The bad news is, if these stub/forwarding resolvers are broken wrt 
resolver-failover, or on autopilot, it probably won't make much 
difference to start sending back SERVFAILs instead of root-zone 
referrals. You can try it, but I'm not real confident it'll help your 
situation significantly.

One other thing you might try, assuming most of this query traffic is 
for website names, is setting up a root zone, with a wildcard A RR in it 
pointing at some random website's address (or, if you're evil, some 
purposely-chosen objectionable site like porn, hate group, whatever). In 
the (a) case above, maybe that will stop the clients from failing over, 
so that if those people ever want to go to any *other* website, they'll 
need to reconfigure their stub/forwarding resolvers to point somewhere 
other than your servers. It won't help the (b) case though; to fix that 
category of clients, you'd probably need to go through the hassle of 
migrating your nameservers to "fresh" IPs that no-one currently knows 
about...

                                                                         
                                                      - Kevin
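As an added illustration (not part of the post or of BIND), here is a small Python classifier for the wire-level distinction discussed above: a response with RCODE 0, AA clear and an NS RRset for "." in the authority section is a root-zone referral, whereas a server without root hints returns an error code instead. The sample messages are constructed, not captured from any server.

```python
import struct
def encode_name(name):
    labels = [l for l in name.strip('.').split('.') if l]      # uncompressed wire format
    return b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels) + b'\x00'

def build(flags, qname, authority=()):
    # Constructed response: one A/IN question plus NS records in the authority section.
    msg = struct.pack('!6H', 0x1234, flags, 1, 0, len(authority), 0)
    msg += encode_name(qname) + struct.pack('!HH', 1, 1)
    for owner, target in authority:
        rdata = encode_name(target)
        msg += encode_name(owner) + struct.pack('!HHIH', 2, 1, 86400, len(rdata)) + rdata
    return msg

def read_name(msg, off):
    """Return (dotted name, offset after the name); follows compression pointers."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                                   # compression pointer
            end = end or off + 2
            off = struct.unpack('!H', msg[off:off + 2])[0] & 0x3FFF
        elif ln == 0:
            return '.'.join(labels) + '.', end or off + 1
        else:
            labels.append(msg[off + 1:off + 1 + ln].decode('ascii'))
            off += 1 + ln

def classify(msg):
    _, flags, qd, an, ns, _ = struct.unpack('!6H', msg[:12])
    rcode, aa = flags & 0xF, bool(flags & 0x0400)              # AA = authoritative answer
    if rcode:
        return {2: 'SERVFAIL', 3: 'NXDOMAIN', 5: 'REFUSED'}.get(rcode, 'RCODE%d' % rcode)
    off = 12
    for _ in range(qd):                                         # skip the question section
        off = read_name(msg, off)[1] + 4
    if an:
        return 'ANSWER'
    for _ in range(ns):                                         # walk the authority section
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 2 and not aa:                               # non-authoritative NS RRset = referral
            return 'ROOT-REFERRAL' if owner == '.' else 'REFERRAL ' + owner
    return 'NXRRSET' if aa else 'EMPTY'

SAMPLES = {  # constructed; flags: QR=0x8000, AA=0x0400, RD=0x0100, low nibble = RCODE
    'with_root_hints': build(0x8100, 'www.example.net', [('.', 'a.root-servers.net')]),
    'without_root_hints': build(0x8102, 'www.example.net'),     # SERVFAIL, as ISC recommends
    'nxdomain': build(0x8503, 'nosuch.example.com')}
```

Feeding captured responses to classify() gives a quick count of how many out-of-zone queries are being answered with root referrals versus errors.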





More information about the bind-users mailing list