In message <20090128232123.ga66...@redoubt.spodhuis.org>, Phil Pennock writes:
> Sorry to follow up to myself; a few more moments reviewing before
> sending were warranted.
>
> On 2009-01-28 at 15:11 -0800, Phil Pennock wrote:
> > I'd be perfectly happy to have X list every root server, gTLD server and
> > ccTLD server, as a starting point, on the basis that none of those
> > should ever be sending out RD queries,
>
> Before I get grilled on this point: it's not strictly true, since
> obviously things like looking up the IPs of secondary servers to send
> NOTIFY requests to may use recursive DNS.
Only if you have configured a forwarder. Nameservers make non-recursive
queries by default.

> Okay, unless you're running
> a nameserver which secondaries from the gTLD/ccTLD/root servers, you
> have no reason to see RD packets from those servers. Hopefully that's
> accurate enough to appease people who'll otherwise concentrate on that
> point and lose sight of what I was trying to show -- that *most* people
> could easily make use of such an RBL, if the nameservers supported using
> an external file for ignoring RD queries without dropping all traffic.
>
> As people upgrade Bind naturally, the number of reflectors that could
> participate in an attack would go down. Get the OS vendors to use
> default configs which set a Bind option to maintain the file
> automatically and you're getting most of the way there, by sheer number
> of DNS servers.
>
> -Phil

The most common reason for recursive queries to an authoritative server
is someone using dig, nslookup or similar and forgetting to disable
recursion on the request.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
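An added illustration of the RD-flag sorting the thread is about (example code, not from either poster or from BIND): it reads the 12-byte DNS header of incoming queries on an authoritative server and separates RD queries from ordinary clients (Mark's forgotten `+norecurse` case) from RD queries carrying a source address on a constructed never-recurses list (Phil's proposed external file). The list contents and the sample traffic are constructed placeholders.

```python
import struct
from collections import Counter

# Constructed placeholder; a real list would hold root/TLD server addresses
# that never send RD queries, so an RD query "from" one of them is suspect.
NEVER_RD_SOURCES = {"192.0.2.53"}

def parse_header(pkt):
    """Return (is_query, rd_set) from the 12-byte DNS header (RFC 1035)."""
    if len(pkt) < 12:
        raise ValueError("short DNS packet")
    _ident, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    qr = (flags >> 15) & 1       # 0 = query, 1 = response
    rd = (flags >> 8) & 1        # RD: recursion desired
    return qr == 0, rd == 1

def build_query(qname, rd):
    """Build a minimal A/IN query for qname; used only to construct samples."""
    flags = 0x0100 if rd else 0x0000
    pkt = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    for label in qname.rstrip(".").split("."):
        pkt += bytes([len(label)]) + label.encode("ascii")
    return pkt + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(samples):
    """samples: iterable of (src_ip, packet). Returns Counter keyed by
    (src_ip, verdict): 'non-rd', 'rd-client' (dig/nslookup without
    +norecurse) or 'rd-listed' (RD from a source that never recurses)."""
    out = Counter()
    for src, pkt in samples:
        is_query, rd = parse_header(pkt)
        if not is_query:
            continue                       # responses are not classified
        if not rd:
            verdict = "non-rd"
        elif src in NEVER_RD_SOURCES:
            verdict = "rd-listed"          # candidate for "ignore, do not answer"
        else:
            verdict = "rd-client"
        out[(src, verdict)] += 1
    return out

# Constructed sample traffic as an authoritative server might see it.
SAMPLES = [
    ("198.51.100.7", build_query("www.example.com", rd=True)),  # dig, no +norecurse
    ("198.51.100.7", build_query("example.com", rd=True)),
    ("203.0.113.9", build_query("example.com", rd=False)),      # normal resolver
    ("192.0.2.53", build_query("example.com", rd=True)),        # listed source, RD set
]
```

Running `classify(SAMPLES)` yields two `rd-client` queries from 198.51.100.7, one `non-rd` from 203.0.113.9 and one `rd-listed` from 192.0.2.53.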