Using the examples below:
dig +trace stackoverflow.com
dig +trace google.com
dig +trace yahoo.com
dig +trace bbc.com
The first two show me only the A records for the queried domain, while the last two show me the A (or CNAME) as well as multiple NS records.
Can someone explain what config on the DNS server controls this behaviour, causing all of your nameservers to be sent in response to this type of dig lookup? Also, is it possible to disable this behaviour, as in the first two examples, so that only the A record is sent and not the authoritative nameservers as well?
I would like to sync my domain with UltraDNS and configure the domain to use their nameservers to avoid DNS DDoS attacks on our DNS servers. But with the above behaviour, when people 'dig +trace' the domain it replies with our nameservers, making the exercise of trying to hide them pointless.
thanks
fLo
Answer
The difference is that yahoo.com and bbc.com are returning an AUTHORITY section, but stackoverflow.com and google.com are not.
$ dig @ns1.yahoo.com +noall +question +authority yahoo.com
;yahoo.com. IN A
yahoo.com. 172800 IN NS ns2.yahoo.com.
yahoo.com. 172800 IN NS ns6.yahoo.com.
yahoo.com. 172800 IN NS ns5.yahoo.com.
yahoo.com. 172800 IN NS ns4.yahoo.com.
yahoo.com. 172800 IN NS ns3.yahoo.com.
yahoo.com. 172800 IN NS ns1.yahoo.com.
$ dig @ns1.google.com +noall +question +authority google.com
;google.com. IN A
You could hide this from your trace with the +noauthority option, but it would also make the output largely useless as you would be hiding the AUTHORITY section from the intermediate nameservers as well (which, being delegations, is pretty much all there is to be seen unless you've set +additional).
It is up to individual nameserver implementations whether or not they wish to supply an AUTHORITY section in scenarios where they are not strictly required by RFC. BIND is one of the server implementations that does display this information by default, but it also provides a minimal-responses option for disabling the behavior. I strongly recommend this option in customer-facing recursion scenarios as it reduces the overhead of amplification attacks against spoofed source IPs. (Sadly, BCP 38 is not as widely implemented as it needs to be.)
From the BIND ARM:
minimal-responses
If yes, then when generating responses the server will only add records to the authority and additional data sections when they are required (e.g. delegations, negative responses). This may improve the performance of the server. The default is no.
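As an added illustration (not part of the original answer, and not BIND's own documentation or code), the script below shows the options stanza that turns on minimal-responses and a small check that counts NS records in the AUTHORITY section of "dig +noall +question +authority" output, so you can confirm the change took effect. The sample dig outputs are constructed, modelled on the output quoted in the answer; example.com and its ns1/ns2 names are placeholders, and the named.conf path in the comments is an assumption.

```shell
#!/bin/sh
# Added example, not from the original answer or from BIND's documentation.
# Part 1 prints a named.conf options stanza enabling minimal-responses.
# Part 2 counts NS records in the AUTHORITY section of dig output so the
# setting can be verified. Sample outputs below are constructed; the names
# ns1.example.com / ns2.example.com are placeholders.

# Part 1: stanza to merge into the options block of named.conf
# (assumed path /etc/named.conf; Debian-style systems use
# /etc/bind/named.conf.options).
minimal_responses_stanza() {
    cat <<'EOF'
options {
    // Only fill AUTHORITY/ADDITIONAL when required by the protocol
    // (delegations, negative answers). The ARM text quoted above gives
    // the default as "no".
    minimal-responses yes;
};
EOF
}

# Part 2: read "dig +noall +question +authority NAME A" output on stdin and
# count the NS records it contains. dig prints a record as
#   NAME TTL IN NS TARGET
# and prefixes the question line with ';', so that line is skipped.
# awk always exits 0, which keeps this safe to use under "set -e".
authority_ns_count() {
    awk '!/^;/ && $3 == "IN" && $4 == "NS" { n++ } END { print n + 0 }'
}

# Exit 0 when no NS records were returned in AUTHORITY (minimal response),
# 1 otherwise. Live usage:
#   dig @ns1.example.com +noall +question +authority example.com A | is_minimal
is_minimal() {
    [ "$(authority_ns_count)" = "0" ]
}

# Constructed sample: a server that fills the AUTHORITY section with the
# zone's NS set (compare the yahoo.com output in the answer).
sample_verbose() {
    cat <<'EOF'
;example.com.                   IN      A
example.com.            172800  IN      NS      ns2.example.com.
example.com.            172800  IN      NS      ns1.example.com.
EOF
}

# Constructed sample: a server running with minimal-responses yes
# (compare the google.com output in the answer).
sample_minimal() {
    cat <<'EOF'
;example.com.                   IN      A
EOF
}

# Stand-alone demo: print the stanza, then run the check on both samples.
main() {
    minimal_responses_stanza
    printf 'verbose sample: %s NS record(s) in AUTHORITY\n' \
        "$(sample_verbose | authority_ns_count)"
    printf 'minimal sample: %s NS record(s) in AUTHORITY\n' \
        "$(sample_minimal | authority_ns_count)"
    if sample_minimal | is_minimal; then
        echo "minimal sample: server is not advertising its NS set"
    fi
}

main "$@"
```

Two caveats from the editor, not from the answer. First, minimal-responses only trims what your own server puts in its responses; if the aim is to keep dig +trace away from your servers entirely, the delegation in the parent zone (the NS records the registrar publishes for the domain) must point at the UltraDNS nameservers, since +trace follows those NS records and never queries a server the parent no longer delegates to. Second, the accepted values and the default of minimal-responses have changed across BIND releases (newer versions also accept no-auth and no-auth-recursive), so check the ARM for the version you run rather than relying on the "default is no" wording quoted above.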