Where is the open recursion test?

Gregory Hicks ghicks at hicks-net.net
Mon Dec 15 11:07:10 UTC 2008


> Date: Mon, 15 Dec 2008 11:52:01 +0100
> From: Peter Dambier <peter at peter-dambier.de>
> To: bind-users at lists.isc.org
> Subject: Re: Where is the open recursion test?
> X-FuHaFi: 0.62
> 
> just try
> 
> dig -t any peter-dambier.de @<your-server>
> 
> If it tells you something about denic it is not recursive.
> If you get the complete answer it is very likely recursive.
> 
> Something internal could have triggered the query but only
> if your server is in /etc/resolv.conf.

Peter:

Thanks!  I ran that and got a full response back.  Then I remembered
that you cannot check on recursiveness from a trusted interface...

I went to my ISP (alt email provider) and ran

well% dig -t any peter-dambier.de @64.139.55.108

; <<>> DiG 2.0 <<>> -t peter-dambier.de @64.139.55.108 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; res_send to server 64.139.55.108: Connection timed out

"Connection timed out" is expected.  Means that the ACLs are working.

Just to make sure, let's test for something that CAN be resolved:

well% dig metis.hicks-net.net @64.139.55.108

; <<>> DiG 2.0 <<>> metis.hicks-net.net @64.139.55.108 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr aa rd; Ques: 1, Ans: 1, Auth: 3, Addit: 1
;; QUESTIONS:
;;      metis.hicks-net.net, type = A, class = IN

;; ANSWERS:
metis.hicks-net.net.    3600    A       64.139.55.108

;; AUTHORITY RECORDS:
hicks-net.net.  3600    NS      ns1.xname.org.
hicks-net.net.  3600    NS      ns0.xname.org.
hicks-net.net.  3600    NS      ns.hicks-net.net.

;; ADDITIONAL RECORDS:
ns.hicks-net.net.       3600    A       64.139.55.108

;; FROM: well to SERVER: 64.139.55.108
;; WHEN: Mon Dec 15 02:57:50 2008
;; MSG SIZE  sent: 37  rcvd: 131

well% 

That worked also.  (I got the expected results...  Yay!)

Again, thanks!

Regards,
Gregory Hicks

> 
> Kind regards
> Peter
> 
> 
> Gregory Hicks wrote:
> >> Date: Mon, 15 Dec 2008 06:44:18 -0200
> >> From: Leonardo Rodrigues Magalhães <leolistas at solutti.com.br>
> >>
> >> Gregory Hicks escreveu:
> >>> Greetings:
> >>>
> >>> Seeing in my named.log entries for "too many timeouts resolving
> >>> '<some-domain-not-seen-before>'..." makes me wonder if my server is an
> >>> open recursive server.
> >>>
> >>> Where is the test please for open recursion so I can check?
> >> http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl
> > 
> > Thanks!  But I tried that about 6 hours earlier today.  It said address
> > 64.139.55.108 had status "untested".  It also said that if I wanted my
> > address retested, make a TCP connection to
> > dns-surveyor.measurement-factory.com port 999 (e.g., with telnet) from
> > the address to be tested.  I did THAT also. So far, nothing.
> > 
> > Any other ideas?
[...]
---------------------------------------------------------------------
Gregory Hicks                           | Principal Systems Engineer
                                        | Direct:   408.569.7928

People sleep peaceably in their beds at night only because rough men
stand ready to do violence on their behalf -- George Orwell

The price of freedom is eternal vigilance.  -- Thomas Jefferson

"The best we can hope for concerning the people at large is that they
be properly armed." --Alexander Hamilton
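The test Peter describes, and the two dig runs Gregory pastes, boil down to reading the DNS header bits: a response with `aa` but no `ra` means the server answered from its own zone and is not offering recursion to that client, while `ra` set on a response to an outside client means recursion is available to it. The script below is an added example, not code from the thread or from ISC; it parses dig output (both the old "DiG 2.0" layout shown above and current BIND 9 dig output) and turns each run into a verdict. The sample outputs are constructed, taken from the two runs in the message plus two invented ones (server address 192.0.2.53 and the name example.net are placeholders); the `run_probe` helper shells out to a real dig and is only meaningful when run from an address outside your allow-recursion ACL.

```python
"""Classify dig output for an open-recursion check (added example)."""
import re
import subprocess

# Header fields: "status: NOERROR" and "flags: qr aa rd; ..." appear in both
# the old DiG 2.0 format quoted in the thread and in current BIND 9 dig.
FLAGS_RE = re.compile(r"flags:\s*([a-z ]*?)\s*;")
STATUS_RE = re.compile(r"status:\s*([A-Z]+)")


def parse_dig(text):
    """Return (status, flags) from raw dig output; status is None if no reply."""
    if "Connection timed out" in text or "no servers could be reached" in text:
        return None, set()
    m_status = STATUS_RE.search(text)
    m_flags = FLAGS_RE.search(text)
    status = m_status.group(1) if m_status else None
    flags = set(m_flags.group(1).split()) if m_flags else set()
    return status, flags


def classify(text):
    """Map one dig run, made from an untrusted address, to a verdict string."""
    status, flags = parse_dig(text)
    if status is None:
        return "no-response"        # dropped by ACL or firewall: nothing offered here
    if status == "REFUSED":
        return "refused"            # explicit denial (allow-query / allow-recursion)
    if "ra" in flags:
        return "recursion-offered"  # server advertises recursion to this client
    if "aa" in flags:
        return "authoritative-only" # answered from its own zone, no recursion
    return "no-recursion"           # e.g. referral or empty answer without ra


def run_probe(server, name, timeout=3):
    """Run dig against `server` for `name` and classify the result (needs network)."""
    out = subprocess.run(
        ["dig", f"+time={timeout}", "+tries=1", name, f"@{server}"],
        capture_output=True, text=True, check=False,
    ).stdout
    return classify(out)


# Constructed samples: the first two are the runs pasted in the thread.
TIMEOUT_OUTPUT = """\
; <<>> DiG 2.0 <<>> -t peter-dambier.de @64.139.55.108
; (1 server found)
;; res options: init recurs defnam dnsrch
;; res_send to server 64.139.55.108: Connection timed out
"""

AUTHORITATIVE_OUTPUT = """\
; <<>> DiG 2.0 <<>> metis.hicks-net.net @64.139.55.108
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr aa rd; Ques: 1, Ans: 1, Auth: 3, Addit: 1
"""

# Invented: a modern dig answer for a foreign name with ra set (open resolver).
OPEN_RESOLVER_OUTPUT = """\
; <<>> DiG 9.16.1 <<>> example.net @192.0.2.53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4321
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

# Invented: a server that refuses outside queries outright.
REFUSED_OUTPUT = """\
; <<>> DiG 9.16.1 <<>> example.net @192.0.2.53
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4322
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""


if __name__ == "__main__":
    for label, sample in [("timeout", TIMEOUT_OUTPUT),
                          ("own zone", AUTHORITATIVE_OUTPUT),
                          ("foreign name", OPEN_RESOLVER_OUTPUT),
                          ("refused", REFUSED_OUTPUT)]:
        print(f"{label:13s} -> {classify(sample)}")
```

Only "recursion-offered" is the bad outcome for a probe sent from outside; "no-response", "refused" and "authoritative-only" all match what a correctly restricted BIND server returns to strangers. Run the probe from outside your network, as the thread notes: from a trusted interface `ra` will be set even on a properly restricted server.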



