[Discussion] features (mainly dns)

Florian Weimer fw at deneb.enyo.de
Sun Dec 7 20:21:53 UTC 2008


* David Dagon:

> On Sun, Dec 07, 2008 at 08:59:14AM +0100, Florian Weimer wrote:
>
>> >> How do you mean? Like looking for a client that's making repeated dns
>> >> queries within the TTL? Maybe poorly coded bots?
>
> <snip>
>
>> And all UNIX-like clients which do not perform local caching by
>> default. 8-(
>
> I've found that linux hosts can be filtered by keeping state on AAAA
> lookups, followed by A lookups (glibc has this behavior).

Nice idea.  But this depends on the application (it has to use
getaddrinfo) and system configuration (GNU libc must detect some form
of IPv6 connectivity).

>   -- Consider filters for RFC suggested limits on NS counts (7 I
>      believe).

I don't think such a limit exists at the RFC level.  There are certain
TLD-specific limits.  As you've mentioned, these are often bypassed by
serving more NS records in the authority section of responses.  You
may also need to exclude (e)TLDs and several DNSBLs.

Multiple A records per NS record are likely suspicious, too (but I
think you've already mentioned that).
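The two host-side features discussed in this thread (AAAA lookups followed by A lookups for the same name, which is what glibc's getaddrinfo() emits, and repeated queries for the same name within the answer's TTL) as an added worked example; this is illustration code, not code from either poster. The query log, its "<ts> <client> <qtype> <qname>" line format, the one-second pairing window and the 300-second TTL are all constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed query log for this example (not captured from any real resolver).
# Assumed line format: "<unix_ts> <client_ip> <qtype> <qname>"
SAMPLE_QUERY_LOG = """\
1000.0 10.0.0.5 AAAA www.example.com
1000.1 10.0.0.5 A www.example.com
1000.2 10.0.0.5 AAAA mail.example.com
1000.3 10.0.0.5 A mail.example.com
1010.0 10.0.0.5 A www.example.com
1000.5 10.0.0.7 A www.example.com
1000.6 10.0.0.7 A www.example.com
1000.7 10.0.0.7 A www.example.com
1400.0 10.0.0.7 A www.example.com
1005.0 10.0.0.9 A www.example.com
"""


def parse_log(text):
    """Parse log lines into (ts, client, qtype, qname) tuples, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        records.append((float(ts), client, qtype.upper(), qname.lower()))
    records.sort(key=lambda r: r[0])
    return records


def aaaa_then_a_pairs(records, window=1.0):
    """Per client, count AAAA lookups followed within `window` seconds by an
    A lookup for the same name (the getaddrinfo() pattern used in the thread
    to spot Linux hosts that resolve without a local cache)."""
    last_aaaa = {}              # (client, qname) -> timestamp of latest AAAA
    pairs = defaultdict(int)
    for ts, client, qtype, qname in records:
        key = (client, qname)
        if qtype == "AAAA":
            last_aaaa[key] = ts
        elif qtype == "A" and key in last_aaaa and ts - last_aaaa.pop(key) <= window:
            pairs[client] += 1
    return dict(pairs)


def repeats_within_ttl(records, ttl=300.0):
    """Per (client, qname, qtype), count queries re-sent while the previous
    answer would still have been valid under the assumed TTL. A caching
    stub resolver would have answered these locally."""
    expiry = {}                 # key -> time the cached answer would expire
    repeats = defaultdict(int)
    for ts, client, qtype, qname in records:
        key = (client, qname, qtype)
        if ts < expiry.get(key, -1.0):
            repeats[key] += 1   # answer should still be cached: suspicious
        else:
            expiry[key] = ts + ttl   # first query of a new cache period
    return dict(repeats)


def noncaching_clients(records, min_pairs=2, min_repeats=2, ttl=300.0):
    """Flag clients that show either feature strongly enough."""
    pairs = aaaa_then_a_pairs(records)
    repeats = defaultdict(int)
    for (client, _qname, _qtype), n in repeats_within_ttl(records, ttl).items():
        repeats[client] += n
    candidates = set(pairs) | set(repeats)
    return {c for c in candidates
            if pairs.get(c, 0) >= min_pairs or repeats.get(c, 0) >= min_repeats}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_QUERY_LOG)
    print("AAAA->A pairs:", aaaa_then_a_pairs(recs))
    print("repeats within TTL:", repeats_within_ttl(recs))
    print("flagged:", sorted(noncaching_clients(recs)))
```

On the constructed log, 10.0.0.5 is flagged by the AAAA/A pairing and 10.0.0.7 by re-querying inside the TTL, while 10.0.0.9 (one query) is not. The pairing feature inherits the caveats raised in the reply: it only fires for applications that call getaddrinfo() on a system where glibc believes it has IPv6 connectivity, so it is a useful filter rather than a complete one, and the TTL feature needs the real TTL from the answer rather than the fixed value assumed here.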
