Re: recursion on auth-only server
> Matus UHLAR - fantomas wrote:
>> I have moved authoritative server to new IP address. I have changed the DNS name pointing to it so the NS would point to the new IP. Now I looked at the traffic and it seems that there are ~4 of 1000 recursive requests sent to it. Are there any known resolvers that can iterate through NS hierarchy, or iterative DNS servers that send recursive requests anywhere?

On 02.10.09 18:50, Peter Dambier wrote:
> I know you can use bind as your local resolver. It does query from the root down until it finds what it is looking for - when you don't use forwarders.

I know that too but this particular server isn't designed to be used as recursive and I don't want it to be.

> dnscache which is part of djbdns does always query from the root down. It never uses forwarders. I don't know for sure if the Authoritative Answer Only bit is set but I guess no.

It's RD (recursion desired) flag and my question is if any nameserver is known by sending queries with this flag set. I don't care if they do recursion themselves, but if anyone asks this server with RD flag set, the answer will be venomous.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Remember half the people you know are below average.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: recursion on auth-only server
In article mailman.674.1254859742.14796.bind-us...@lists.isc.org, Matus UHLAR - fantomas uh...@fantomas.sk wrote:
> It's RD (recursion desired) flag and my question is if any nameserver is known by sending queries with this flag set. I don't care if they do recursion themselves, but if anyone asks this server with RD flag set, the answer will be venomous.

Nameservers should only set the RD flag in the queries they send if they're configured to use forwarders. It should never be sent when they're following the delegation chain themselves.

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
Re: recursion on auth-only server
Once upon a time, Matus UHLAR - fantomas uh...@fantomas.sk said:
> I don't care if they do recursion themselves, but if anyone asks this server with RD flag set, the answer will be venomous.

You should realize that anybody trying to debug possible DNS issues might issue queries directly to your server with tools like dig, which requests recursion by default.

--
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
Re: recursion on auth-only server
Matus UHLAR - fantomas wrote:
> Hello, I have moved authoritative server to new IP address. I have changed the DNS name pointing to it so the NS would point to the new IP. Now I looked at the traffic and it seems that there are ~4 of 1000 recursive requests sent to it. Are there any known resolvers that can iterate through NS hierarchy, or iterative DNS servers that send recursive requests anywhere?

I know you can use bind as your local resolver. It does query from the root down until it finds what it is looking for - when you don't use forwarders.

dnscache which is part of djbdns does always query from the root down. It never uses forwarders. I don't know for sure if the Authoritative Answer Only bit is set but I guess no.

Somebody must resolve. So you will see my ISP's resolver querying you if you don't see my own resolver. With censoring commonplace in Europe at least, people with the know do run their own resolvers. You'll see the number increasing.

I guess 0.4% is harmless. The number I see looks higher and they do not look for domains I slave.

Kind regards
Peter

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: pe...@peter-dambier.de
http://www.peter-dambier.de/
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
ULA= fd80:4ce1:c66a::/48
Re: recursion on auth-only server
On Sep 21 2009, Matus UHLAR - fantomas wrote:
> I have moved authoritative server to new IP address. I have changed the DNS name pointing to it so the NS would point to the new IP. Now I looked at the traffic and it seems that there are ~4 of 1000 recursive requests sent to it.

And do you know that this was not the case before the move?

> Are there any known resolvers that can iterate through NS hierarchy, or iterative DNS servers that send recursive requests anywhere?

There are all sorts of reasons, from misconfigured resolvers to manual use of dig (do you always remember to specify +norec when appropriate?). Query logging will help you track them down if you are really concerned. At 0.4%, I wouldn't worry.

--
Chris Thompson
Email: c...@cam.ac.uk
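
Added example, not part of any message in this thread: a Python script for the query-log check suggested above, tallying which clients send queries with RD set and whether they ask for a zone the server hosts. It assumes BIND query logging is enabled and that the flag field after the record type starts with `+` when RD was set; the log lines, addresses and SERVED_ZONES are constructed or hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in BIND 9 query-log style (not taken from the thread).
# The flag field after the record type starts with '+' if RD was set, '-' if not.
SAMPLE_LOG = """\
02-Oct-2009 18:50:01.101 client 192.0.2.10#40112: query: example.org IN A -
02-Oct-2009 18:50:01.340 client 198.51.100.7#53211: query: www.example.net IN A +
02-Oct-2009 18:50:02.007 client 192.0.2.10#40113: query: example.org IN MX -E
02-Oct-2009 18:50:02.512 client 198.51.100.7#53212: query: example.com IN AAAA +
02-Oct-2009 18:50:03.250 client 203.0.113.5#1027 (example.org): query: example.org IN NS +E (192.0.2.53)
02-Oct-2009 18:50:03.900 client 192.0.2.44#5353: view external: query: example.org IN SOA -T
02-Oct-2009 18:50:04.000 zone example.org/IN: loaded serial 2009100201
"""
SERVED_ZONES = ("example.org", "example.net")  # hypothetical zones hosted here

QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+"
    r".*?query: (?P<name>\S+) \S+ \S+ (?P<flags>[+-]\S*)"
)

def in_served_zone(name, zones=SERVED_ZONES):
    """True if name equals, or is a subdomain of, one of the served zones."""
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)

def rd_summary(lines, zones=SERVED_ZONES):
    """Return (total queries, RD queries, Counter keyed by (client ip, in_zone))."""
    total = rd = 0
    clients = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query-log line
        total += 1
        if m.group("flags").startswith("+"):
            rd += 1
            clients[(m.group("ip"), in_served_zone(m.group("name"), zones))] += 1
    return total, rd, clients

def report(lines, zones=SERVED_ZONES):
    total, rd, clients = rd_summary(lines, zones)
    out = [f"{rd} of {total} queries had RD set"]
    for (ip, in_zone), n in sorted(clients.items()):
        out.append(f"{ip} {'served zone' if in_zone else 'other name'}: {n}")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG.splitlines())))
```

RD queries for a served zone fit the manual dig or misconfigured-resolver cases raised in the thread; RD queries for other names are clients treating the server as a recursive resolver.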