So have A record queries. Do you filter those as well?

Jared Mauch

> On Dec 3, 2014, at 9:08 AM, Stephen Satchell <l...@satchell.net> wrote:
>
>> On 12/03/2014 04:04 AM, Niels Bakker wrote:
>> * shortdudey...@gmail.com (Grant Ridder) [Wed 03 Dec 2014, 12:54 CET]:
>>> Both of Google’s public DNS servers return complete results every time
>>> and one of the two comcast ones works fine.
>>>
>>> If this is working by design, can you provide the RFC with that info?
>>
>> An ANY query will typically return only what's already in the cache. So
>> if you ask for MX records first and then query the same caching resolver
>> for ANY it won't return, say, any TXT records that may be present at the
>> authoritative nameserver.
>>
>> This could be implementation dependent, but Comcast's isn't wrong, and
>> you should not rely on ANY queries returning full data. This has been
>> hashed out to tears in the past, for example when qm**l used to do these
>> queries in an attempt to optimise DNS query volumes and RTT.
>
> At the ISP I consult to, I filter all ANY queries, because they have
> been used for DNS amplification attacks.