[Pdns-users] PowerDNS Authoritative NXDOMAIN Handling

BH lists at blackhat.bz
Thu Sep 22 10:14:11 UTC 2011


Hi all,

On my PowerDNS installation, I have noticed that queries for domains
that it is not authoritative for result in the following response
(depending on the root referral option):

; <<>> DiG 9.7.3 <<>> @10.1.1.1 ANY sfdsdsg.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9197
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13
;; WARNING: recursion requested but not available

The main part I am interested in is the "status" that shows NOERROR.

If a domain is valid, the same status (NOERROR) is returned. If I
compare that to my BIND installation, I get different results, a
REFUSED status:

; <<>> DiG 9.7.3 <<>> @192.168.1.207 ANY sfdsdsg.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 48767
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

I am wondering if there is any way to change the behaviour for domains
that the server does not host? The reason behind this is I am seeing a
large amount of DNS queries for the same domains that do not exist on
the servers with the same queries happening over and over again. As far
as I can tell, this is happening due to the response not being cached on
the caching name servers (there are only a couple that are causing the
issue) because of NOERROR. In this case the offender is a couple of
OpenDNS resolvers.

Does anyone have any other suggestions as to what could be done to stop
this happening?

Thanks
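
The two response types shown in the dig output above can be told apart from the 12-byte DNS header alone. The following is an added example, not part of the original post: it decodes the header and labels the response. The two sample headers are constructed from the id, flags and section counts printed by dig above, with the question and record sections omitted; the label names are this example's own.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("a DNS message starts with a 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),   # this is a response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # recursion desired (copied from query)
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "question": qd, "answer": an, "authority": ns, "additional": ar,
    }

def classify(msg: bytes) -> str:
    """Label a response by what its header tells a resolver."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] != "NOERROR":
        return h["rcode"].lower()     # refused, nxdomain, servfail, ...
    if h["answer"] > 0:
        return "answer"
    # NOERROR, no answer, not authoritative, NS records in AUTHORITY:
    # the server is pointing the client at other name servers.
    if not h["aa"] and h["authority"] > 0:
        return "referral"
    return "nodata"

# Constructed from the dig output: "flags: qr rd", status and counts.
SAMPLE_PDNS = struct.pack("!HHHHHH", 9197, 0x8100, 1, 0, 13, 13)   # NOERROR
SAMPLE_BIND = struct.pack("!HHHHHH", 48767, 0x8105, 1, 0, 0, 0)    # REFUSED

if __name__ == "__main__":
    for name, raw in (("10.1.1.1", SAMPLE_PDNS), ("192.168.1.207", SAMPLE_BIND)):
        h = parse_header(raw)
        print(name, h["rcode"], "authority=%d" % h["authority"], "->", classify(raw))
```

The header cannot show which zone the NS records in the AUTHORITY section belong to; deciding whether a referral points at the root requires reading the owner name of those records.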


