Removing root zone hints for authoritative nameservers
Frank Y.F. Luo
luoy at muohio.edu
Wed Feb 15 15:23:01 UTC 2006
For "referral", actually your name servers are only redirecting the clients to
the root servers; you are not doing anything other than that. So I don't
understand why UltraDNS will charge you for that.
The understanding is: as long as you disable "recursive" queries, you are OK.
Your test on the Solaris and Linux resolvers confirmed that.
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org]On
> Behalf Of Kevin Darcy
> Sent: Tuesday, February 14, 2006 8:29 PM
> To: BIND Users Mailing List
> Subject: Re: Removing root zone hints for authoritative nameservers
> Wiley Sanders wrote:
> >Howdy all,
> >I have just inherited the management of a couple of authoritative
> >nameservers. We're authoritative for about 1000 zones, and we still
> >have hints for the root zone, I guess since the beginning of time. I'm
> >finding that 6 million of our 9 million queries per day are getting
> >"referral" responses from our server, meaning we are sending the root
> >zone data back in response to a query for a zone we aren't
> >authoritative for. Presumably this is because someone out there has my
> >servers in their resolv.conf?
> >I tested a Solaris and a Linux resolver, and those resolvers cannot
> >resolve zones that are not ours if I put our servers in the
> >resolv.conf. Are there some resolvers out there, or forwarders, that
> >might be set to our servers, and still be behaving correctly?
> >ISC recommends "removing the root zone hints for authoritative-only
> >nameservers" so clients receive a SERVFAIL instead of a referral. Has
> >anyone done this and survived to tell the tale? Is there any possible
> >reason why we would be getting and sending referral responses, other
> >than client's misconfigurations?
> >The real reason I ask is because we are thinking of outsourcing to
> >UltraDNS or an equivalent. Unfortunately, UltraDNS bills for all
> >queries, bogus or not. If we can somehow reduce the 75% of our queries
> >that are bogus (we get an additional 15% or so queries that result in
> >NXRRSET and NXDOMAIN responses) UltraDNS would be affordable.
> I'm a little surprised that you'd be getting so many bogus queries. Most
> reasonable resolvers will, as your testing indicated, fail a query
> completely if a root-zone referral is received. When queries fail
> completely, apps typically break, some human being usually notices, and
> then the problem gets fixed. But presumably these clients either a) have
> broken stub/forwarding resolvers that are failing over, to working
> full-resolvers further down in their resolver list, in response to the
> root-zone referrals, or b) are backroom/autopilot boxes and nobody even
> realizes that DNS resolution has stopped working on them, or c) some
> combination of the two. But 6 million queries a day? That seems rather
> excessive, unless you at some point had open recursion and attracted a
> large number of moochers (most of which probably moved on shortly after
> you turned recursion off).
> The bad news is, if these stub/forwarding resolvers are broken wrt
> resolver-failover, or on autopilot, it probably won't make much
> difference to start sending back SERVFAILs instead of root-zone
> referrals. You can try it, but I'm not real confident it'll help your
> situation significantly.
> One other thing you might try, assuming most of this query traffic is
> for website names, is setting up a root zone, with a wildcard A RR in it
> pointing at some random website's address (or, if you're evil, some
> purposely-chosen objectionable site like porn, hate group, whatever). In
> the (a) case above, maybe that will stop the clients from failing over,
> so that if those people ever want to go to any *other* website, they'll
> need to reconfigure their stub/forwarding resolvers to point somewhere
> other than your servers. It won't help the (b) case though; to fix that
> category of clients, you'd probably need to go through the hassle of
> migrating your nameservers to "fresh" IPs that no-one currently knows
> - Kevin
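The original poster measured the problem from the response side (6 million referrals out of 9 million queries). The same picture can be taken from the query side, which also shows *which* clients are sending the off-zone traffic and so could be contacted, or, as Kevin suggests for the autopilot case, left behind on a migration. The script below is an added example, not code from the thread or from ISC: it reads BIND 9 "queries" category log lines (the `client ADDR#PORT: query: NAME CLASS TYPE` layout), checks each queried name against the list of zones the server is authoritative for using a label-aligned suffix match (so `notexample.com` and `example.com.local` are not mistaken for `example.com`), and reports the off-zone share together with the top offending client addresses. The zone list, the addresses and the log lines are constructed for this example.

```python
"""Classify BIND query-log lines as in-zone vs off-zone.

Added example, not from the bind-users thread.  It reads BIND 9 query-log
lines, decides whether each queried name falls under one of the zones this
server is authoritative for, and reports the off-zone fraction plus the
client addresses responsible for it.  The zone list, client addresses and
log lines below are constructed for the example.
"""
import re
from collections import Counter

# Zones the server is authoritative for (constructed sample list).
AUTH_ZONES = {"example.com", "example.net", "2.0.192.in-addr.arpa"}

# Constructed sample lines in BIND 9 "queries" category log format.
SAMPLE_LOG = """\
15-Feb-2006 10:00:01.101 client 192.0.2.10#3045: query: www.example.com IN A +
15-Feb-2006 10:00:01.102 client 192.0.2.10#3046: query: mail.example.net IN MX +
15-Feb-2006 10:00:01.250 client 198.51.100.7#1025: query: www.google.com IN A +
15-Feb-2006 10:00:01.251 client 198.51.100.7#1026: query: www.yahoo.com IN A +
15-Feb-2006 10:00:02.003 client 198.51.100.7#1027: query: www.cnn.com IN A +
15-Feb-2006 10:00:02.120 client 203.0.113.9#4040: query: ftp.example.com IN A +
15-Feb-2006 10:00:02.500 client 203.0.113.9#4041: query: example.com.local IN A +
15-Feb-2006 10:00:03.000 client 192.0.2.10#3047: query: 5.2.0.192.in-addr.arpa IN PTR +
"""

# Tolerant of extra trailing flags (older/newer BIND versions append more).
LOG_RE = re.compile(
    r"client (?P<addr>[0-9a-fA-F.:]+)#\d+: query: "
    r"(?P<name>\S+) (?P<cls>\S+) (?P<type>\S+)"
)


def normalize(name):
    """Lower-case and strip the trailing dot so comparisons are exact."""
    return name.rstrip(".").lower()


def is_in_zone(name, zones=AUTH_ZONES):
    """True if name is at or below one of the authoritative zones.

    The match is label-aligned: "example.com.local" and "notexample.com"
    are NOT under "example.com".
    """
    name = normalize(name)
    for zone in zones:
        zone = normalize(zone)
        if name == zone or name.endswith("." + zone):
            return True
    return False


def parse_line(line):
    """Return (client_addr, qname, qclass, qtype) or None for non-query lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("addr"), m.group("name"), m.group("cls"), m.group("type")


def classify_log(lines, zones=AUTH_ZONES):
    """Return (in_zone_count, off_zone_count, Counter of off-zone client addrs)."""
    in_zone = off_zone = 0
    offenders = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        addr, name, _, _ = rec
        if is_in_zone(name, zones):
            in_zone += 1
        else:
            off_zone += 1
            offenders[addr] += 1
    return in_zone, off_zone, offenders


def report(lines, zones=AUTH_ZONES, top=5):
    """Print a summary and return the off-zone percentage."""
    in_zone, off_zone, offenders = classify_log(lines, zones)
    total = in_zone + off_zone
    pct = 100.0 * off_zone / total if total else 0.0
    print(f"{total} queries: {in_zone} in-zone, {off_zone} off-zone ({pct:.1f}%)")
    for addr, n in offenders.most_common(top):
        print(f"  {addr:<16} {n} off-zone queries")
    return pct


if __name__ == "__main__":
    report(SAMPLE_LOG.splitlines())
```

Run it against a real query log with `report(open("/var/log/named/queries.log"))` after replacing `AUTH_ZONES` with the server's actual zone list (for 1000 zones, generate it from named.conf rather than typing it). On the constructed sample half the queries are off-zone and one client, 198.51.100.7, sends three of the four, which is the pattern of a box that has the authoritative servers in its resolv.conf. The in-zone count includes NXDOMAIN and NXRRSET answers, since those are still queries the server is supposed to answer and, as the original post notes, would still be billed.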