Health-checks (e.g. Pingdom etc.) with RD=1 seem pretty common.
Really you want to health-check that authoritative-only servers respond when
RD=0 and the response has AA=1; otherwise you might just be hitting a
resolver, but I guess that's beyond what most of those services provide.
I catch the RD=1 in iptables using m32 and throttle it to (say) 20 per
second to get round this issue - cos I'm also one of those who keep
forgetting to add "+norec" to dig :)
Apart from health-checks & dig, most of the RD=1 traffic I get to my
auth-only servers seems to come from malware, spammers etc - e.g. same
IP asking the same question 100s of times.
James
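The health-check James describes (query with RD=0, require AA=1 in the reply, otherwise you may be talking to a resolver) is easy to do with raw DNS header handling. This is an added example, not code from either poster; the server name, query ID 0x1234 and the two sample replies are constructed here to exercise the flag check offline.

```python
"""Check that a server answers like an authoritative-only DNS server:
send a query with RD=0 and require AA=1 in the reply (added example)."""
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
QR = 0x8000          # response
AA = 0x0400          # authoritative answer
RD = 0x0100          # recursion desired
RA = 0x0080          # recursion available
RCODE_MASK = 0x000F

def build_query(qname, qtype=1, qid=0x1234, rd=False):
    """Wire-format DNS query for qname; RD is clear by default (like dig +norec)."""
    flags = RD if rd else 0
    header = struct.pack("!6H", qid, flags, 1, 0, 0, 0)   # QDCOUNT=1
    question = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question += b"\x00" + struct.pack("!HH", qtype, 1)    # root label, QTYPE, QCLASS=IN
    return header + question

def parse_header(packet):
    """Decode the 12-byte DNS header into the flags the check cares about."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    qid, flags, qd, an, ns, ar = struct.unpack("!6H", packet[:12])
    return {
        "id": qid,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd,
        "ancount": an,
    }

def looks_authoritative(response, expected_id):
    """True only if this is a reply to our query with AA set and RCODE NOERROR.
    A resolver answering an RD=1 probe typically sets RA and leaves AA clear,
    so it fails this check even though the probe 'succeeded'."""
    h = parse_header(response)
    return h["id"] == expected_id and h["qr"] and h["aa"] and h["rcode"] == 0

def build_reply(query, flags):
    """Constructed reply: echo the query ID and question section with the given
    flags and no answer RRs; enough to exercise the flag check without a network."""
    qid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!6H", qid, QR | flags, 1, 0, 0, 0) + query[12:]

def probe(server, qname, timeout=2.0):
    """Send an RD=0 query over UDP to server:53 and evaluate the reply.
    Uses the network; server is whatever host you choose to check."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    return looks_authoritative(data, 0x1234)

# Constructed sample replies: what an auth-only server and a resolver would send back
AUTH_REPLY = build_reply(build_query("example.com"), AA)                 # QR=1 AA=1 RD=0
RESOLVER_REPLY = build_reply(build_query("example.com", rd=True), RD | RA)  # QR=1 RA=1 AA=0

if __name__ == "__main__":
    print(looks_authoritative(AUTH_REPLY, 0x1234))      # True
    print(looks_authoritative(RESOLVER_REPLY, 0x1234))  # False
```

Matching the ID and requiring QR is what keeps a stray or spoofed packet from passing the check; if you want to go further, compare the echoed question section against the one you sent before trusting the flags.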
On 12/11/2019 12:29, Tony Finch wrote:
James Stevens <[email protected]> wrote:
Would it be reasonable for an authoritative-only DNS Server to reject / ignore
/ throttle requests with RD=1 ?
I think for quite a long time my toy DNS server (which runs with an
appalling hodge-podge of patches) was running with a config something
like...
view rec {
    match-recursive-only yes;
    # stuff
};
view auth {
    recursion no;
    allow-recursion { none; };
    zone dotat.at { /* ... */ };
    # etc.
};
The effect was that recursive queries went to the rec view then got
rejected by an ACL; RD=0 queries went to the auth view which served my
zone to all comers. The only problem I noticed was RD=1 health checks from
one of my secondaries. My config now has a match-clients clause in the rec
view which works better all round.
Tony.
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations