On Thu, 15 Aug 2024, Geoff Huston wrote:

As to "what can you do"? there have been a couple of responses to this:


If you run Response Policy Zones (and BIND) you can partially mitigate the impact of search lists on this at the recursive resolver by defining things like *.com.example and *.com.example.com as "CNAME ." and ensuring qname-wait-recurse is set to "no". (Probably best to look at your own traffic with Wireshark and identify the low-hanging fruit.)

--

Fred Morris
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
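
An added example, not part of the original message and not code from BIND: one way to find the "low-hanging fruit" is to scan query names exported from a capture for names of the form `<public name>.<search suffix>` and emit the matching RPZ wildcard records. The search suffixes, the TLD set, the `min_hits` threshold and the sample query names are constructed assumptions.

```python
from collections import Counter

# Assumptions (constructed for illustration, not from the original message):
# the resolver's clients use these search-list suffixes, and these are the
# TLDs worth checking for.
SEARCH_SUFFIXES = ("example.com", "example")
COMMON_TLDS = {"com", "net", "org", "io"}

# Constructed sample of query names, as exported from a packet capture.
SAMPLE_QNAMES = [
    "www.google.com.example.com.", "api.github.com.example.com.",
    "www.google.com.example.", "time.cloudflare.com.example.",
    "cdn.jsdelivr.net.example.com.", "pool.ntp.org.example.com.",
    "www.example.com.", "mail.corp.example.com.", "www.google.com.",
]

def leaked_tld(qname, suffixes=SEARCH_SUFFIXES, tlds=COMMON_TLDS):
    """Return (tld, suffix) if qname is <host>.<tld>.<search suffix>, else None."""
    name = qname.rstrip(".").lower()
    # Try the longest suffix first so "example.com" wins over "example".
    for suffix in sorted(suffixes, key=len, reverse=True):
        if name.endswith("." + suffix):
            labels = name[: -len(suffix) - 1].split(".")
            # Require at least host + TLD in front of the suffix, so that
            # legitimate names such as www.example.com are never matched.
            if len(labels) >= 2 and labels[-1] in tlds:
                return labels[-1], suffix
            return None
    return None

def rpz_records(qnames, min_hits=2):
    """Return RPZ lines ("CNAME ." = NXDOMAIN) for patterns seen min_hits+ times."""
    hits = Counter(filter(None, map(leaked_tld, qnames)))
    # Owner names are relative to the policy zone's origin (no trailing dot).
    return [f"*.{tld}.{suffix} CNAME ."
            for (tld, suffix), count in hits.most_common() if count >= min_hits]

if __name__ == "__main__":
    # Paste the output into the RPZ zone; per the message above, the resolver
    # should also have qname-wait-recurse set to "no".
    for line in rpz_records(SAMPLE_QNAMES):
        print(line)
```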
