contacting an external nameserver
David Forrest
drf at maplepark.com
Tue Jan 27 13:39:05 UTC 2009
On Tue, 27 Jan 2009, Luis Silva wrote:
> Hi all,
> I'm having a question related to querying external servers that I hope you
> could answer. I'm sending an iterative query to an external server and
> the server is sending a referral answer but only with the authoritative name
> servers. After that, I send an A query asking for the nameservers' IP addresses.
> Is this A query supposed to be a recursive query or must it be an iterative one?
> Is there a standard that talks about this? Thanks in advance.
>
> Kind regards,
> Luis
>
My external NS is one that does so by virtue of these named.conf
entries:

view "external" { // Primary nameserver for maplepark.com.
    match-clients { any; };
    recursion no;                // answer only for zones we serve
    additional-from-cache no;    // never fill the additional section from cache
    // https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful
    zone "maplepark.com" {
        type master;
        notify yes;
        allow-transfer { slave-name-servers; };
        file "/var/named/drf/external/maplepark.com.external.";
    };
};
I do this because it then replies with a 28-byte message with only my
authoritative information (nothing) and does not then contribute to a DDoS
in an amplified reply to a request for the root servers ( . NS). If I
could, I would have it just not respond and let the attacker time out.
But that is not an option. At least I haven't found a way to do that.
A side effect of this config is that I don't send glue to legitimate
queries for my NS (just my authoritative information) but my secondaries
are easily found from the root servers. And if my NS is off-line, the
secondaries will be queried anyway. No information is returned for upward
referrals.
Dave Forrest
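As an added illustration of the amplification point above (example code, not from the original post or from BIND): it builds the ". NS" probe with EDNS0 that such requests carry, constructs the 28-byte minimal reply the config above produces next to a full upward referral with glue, and compares their sizes and header counts. The root-server names are used only as sample input and the 192.0.2.x glue addresses are TEST-NET-1 placeholders.

```python
import struct

# Added example, not code from the original post: build the ". NS" probe that
# amplification scanners send and judge a reply the way the post does, from its
# size and header counts. Every reply below is constructed in this file.

def encode_name(name: str) -> bytes:
    """Wire-encode a domain name; "." becomes the single root terminator byte."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def opt_rr() -> bytes:
    """EDNS0 OPT pseudo-RR advertising a 4096-byte UDP payload (11 bytes)."""
    return encode_name(".") + struct.pack("!HHIH", 41, 4096, 0, 0)

def root_ns_query(txid: int = 0x1234) -> bytes:
    """Standard query for '. NS IN' with RD=1, as a scanner would send it (28 bytes)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    return header + encode_name(".") + struct.pack("!HH", 2, 1) + opt_rr()

def rr(owner: str, rtype: int, rdata: bytes, ttl: int = 3600) -> bytes:
    """One IN-class resource record."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def minimal_reply(query: bytes) -> bytes:
    """What the post's config returns: QR=1, AA=0, RA=0, question and OPT echoed, nothing else."""
    return struct.pack("!HHHHHH", query[0] << 8 | query[1], 0x8000, 1, 0, 0, 1) + query[12:]

def upward_referral_reply(query: bytes) -> bytes:
    """What a server that fills the additional section from cache returns: root NS plus glue."""
    hosts = [f"{c}.root-servers.net" for c in "abcdefghijklm"]  # sample input names
    authority = b"".join(rr(".", 2, encode_name(h)) for h in hosts)
    glue = b"".join(rr(h, 1, bytes([192, 0, 2, i])) for i, h in enumerate(hosts))  # TEST-NET-1
    header = struct.pack("!HHHHHH", query[0] << 8 | query[1], 0x8000, 1, 0, len(hosts), len(hosts) + 1)
    return header + query[12:17] + authority + glue + opt_rr()

def classify(query: bytes, reply: bytes) -> dict:
    """Amplification factor, and whether a non-authoritative reply carries an authority section."""
    _, flags, _, _, ns, ar = struct.unpack("!HHHHHH", reply[:12])
    authoritative = bool(flags & 0x0400)
    return {"bytes": len(reply),
            "amplification": round(len(reply) / len(query), 1),
            "upward_referral": not authoritative and ns > 0,
            "glue_records": ar - 1}  # ARCOUNT minus the OPT RR

if __name__ == "__main__":
    q = root_ns_query()
    print("minimal:", classify(q, minimal_reply(q)))
    print("referral:", classify(q, upward_referral_reply(q)))
```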