When creating a new UDM with DNS (or DNS6), the checkbox "Recursion desired" is greyed and un-selectable. I know that recursion can request more resources from the DNS servers. Is it why it is currently unavailable? It does not seem documented in <https://atlas.ripe.net/doc/udm> which just says: Recursion desired Enable recursion. This is the RD flag described in RFC1035.
It will be enabled in the next release, I think before the end of the month. Initially we were waiting for the majority of probes to have the supported firmware. However, by default RD is enabled when querying the probe's local resolver. Also my experience is some resolvers ignore it; regards, -antony On Mon, Jan 07, 2013 at 09:31:51PM +0100, Stephane Bortzmeyer wrote:
When creating a new UDM with DNS (or DNS6), the checkbox "Recursion desired" is greyed and un-selectable.
I know that recursion can request more resources from the DNS servers. Is it why it is currently unavailable?
It does not seem documented in <https://atlas.ripe.net/doc/udm> which just says:
Recursion desired Enable recursion. This is the RD flag described in RFC1035.
On Tue, Jan 08, 2013 at 10:11:25AM +0100, Antony Antony <antony@ripe.net> wrote a message of 26 lines which said:
It will be enabled in the next release,
OK, thanks.
However, by default RD is enabled when querying the probe's local resolver.
Yes, but I wanted to test public resolvers.
Also my experience is some resolvers ignore it;
My experience with public resolvers does not match yours:
- Google Public DNS: without RD, serves only the data in the cache (otherwise, if not in cache, NOERROR, ANSWER=0)
- OpenDNS: without RD, always REFUSED, even if data in the cache
- Level 3: like OpenDNS
- Comodo: like Level 3 and OpenDNS
- DNS Advantage: without RD, always timeout, even if data in the cache
- Telecomix: like DNS Advantage
- Regular Unbound: without RD, serves only the data in the cache (otherwise, if not in cache, REFUSED)
- Regular BIND: without RD, serves only the data in the cache (otherwise, if not in cache, NOERROR, ANSWER=0 but with upward referral)
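The comparison above can be reproduced by hand with a raw query whose RD bit is cleared. The script below is an added example and is not part of the thread or of RIPE Atlas; it builds a DNS query with the RFC 1035 header flags, optionally sends it over UDP, and maps the reply (or the lack of one) onto the categories listed above. The `example.com` query name, the transaction id and the resolver addresses in the `__main__` block are assumptions for illustration; the sample reply is constructed inline so the parsing can be exercised offline.

```python
"""Probe how a resolver answers when the RD (recursion desired) bit is cleared.

Added example, not code from the original thread.  Builds a query with the
RFC 1035 flags word, optionally sends it, and classifies the reply the way
the comparison above does (cache-only answer, REFUSED, timeout, referral).
"""
import socket
import struct
from typing import Optional

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
TXID = 0x1234  # fixed transaction id, an assumption for illustration only


def encode_qname(name: str) -> bytes:
    """Encode a dotted name as RFC 1035 length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, rd: bool, qtype: int = 1, txid: int = TXID) -> bytes:
    """Build a DNS query; bit 8 of the flags word is RD (RFC 1035, section 4.1.1)."""
    flags = 0x0100 if rd else 0x0000          # QR=0, OPCODE=QUERY, RD set or cleared
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def parse_response(data: bytes) -> dict:
    """Return the header fields that matter here: rcode, RA, answer and authority counts."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": rcode,
        "rcode_name": RCODE_NAMES.get(rcode, str(rcode)),
        "ancount": an,
        "nscount": ns,
    }


def classify(resp: Optional[dict]) -> str:
    """Map a parsed reply (None = no reply before the timeout) onto the behaviours listed above."""
    if resp is None:
        return "timeout"
    if resp["rcode"] == 5:
        return "REFUSED"
    if resp["rcode"] == 0 and resp["ancount"] > 0:
        return "answer (served from cache)"
    if resp["rcode"] == 0 and resp["nscount"] > 0:
        return "NOERROR, ANSWER=0 with referral"
    if resp["rcode"] == 0:
        return "NOERROR, ANSWER=0"
    return resp["rcode_name"]


def probe_resolver(server: str, qname: str, rd: bool = False, timeout: float = 3.0) -> Optional[dict]:
    """Send one UDP query to server:53 and return the parsed reply, or None on timeout."""
    query = build_query(qname, rd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    resp = parse_response(data)
    if resp["id"] != TXID:
        raise ValueError("transaction id mismatch")
    return resp


# Constructed sample reply (not captured from any real resolver): QR=1, RD=0, RA=1,
# RCODE=REFUSED, no answer records.  This is the "REFUSED even if data is in the cache" case.
SAMPLE_REFUSED = (
    struct.pack("!HHHHHH", TXID, 0x8085, 1, 0, 0, 0)
    + encode_qname("example.com")
    + struct.pack("!HH", 1, 1)
)


if __name__ == "__main__":
    # Resolver addresses are assumptions for illustration; replace with the ones you want to test.
    for server in ("8.8.8.8", "208.67.222.222"):
        for rd in (True, False):
            print(server, "RD=%d" % rd, classify(probe_resolver(server, "example.com", rd)))
```

Run it twice per resolver, once with RD set and once cleared, and against a name you have just queried with RD set, so that the "only from cache" behaviour is distinguishable from a plain empty answer. A reply whose RA bit is clear is also worth noting: the resolver is telling you it would not recurse for you even if asked.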
On Tue, Jan 08, 2013 at 10:11:25AM +0100, Antony Antony wrote:
However, by default RD is enabled when querying the probe's local resolver.
attention, significant paranoia ahead, independent of RD: Are there any restrictions on QNAMEs that can be sent to the local resolver or could a UDM be used to do reconnaissance against the "surrounding" namespace (or address space with the reverse tree)? What do the probes do if DHCP does not provide for local resolvers? -Peter
On 1/8/13 14:08 , Peter Koch wrote:
On Tue, Jan 08, 2013 at 10:11:25AM +0100, Antony Antony wrote:
However, by default RD is enabled when querying the probe's local resolver.
attention, significant paranoia ahead, independent of RD:
Are there any restrictions on QNAMEs that can be sent to the local resolver or could a UDM be used to do reconnaissance against the "surrounding" namespace (or address space with the reverse tree)?
There are no restrictions on what can be queried.
What do the probes do if DHCP does not provide for local resolvers?
Probes can connect to the registration server without getting a resolver from DHCP. Beyond that, probes need a resolver. But you can, for example, configure a public DNS resolver statically (though there is no reason not to do that through DHCP).
participants (4)
- Antony Antony
- Peter Koch
- Philip Homburg
- Stephane Bortzmeyer