Set RecursionAvailable in static responses #404
Conversation
Actually, now that I've read up on what recursion actually is, could you revert this please?
The warning sucks of course but I think the
You might be right. Do you happen to know what other blocking DNS services do in this case? I'll take a look
Both Cloudflare and OpenDNS seem to be setting the RA (Recursion Available) bit in responses.
The RA bit in an answer is set if the client request contains the RD bit (Recursion Desired). When RD is not set, only local answers should be provided (if any), and RA should not be set. RD is almost always set by any stub/client; always providing RA doesn't hurt, in my experience. Not providing RA might have a positive effect in stopping unwanted subsequent requests when an NXDOMAIN (or local answers) is received by a client/stub, for example, potentially optimizing traffic (depends on the client/stub).
Also... When providing local or generated answers, you might set the AA bit (Authoritative Answer) instead of messing with the RD bit.
It's not changing the RD bit. The change was to set RA in the if RD is set in blocked or static responses. Should AA be set as well in those responses? Cloud services don't appear to include that, based on the example responses above.
No. Only set the RA bit (answer) when the RD bit is set (request), as you provide recursion as a DNS forwarder. When RD is not set, only provide local/generated answers, and answer with NXDOMAIN when you cannot or have no answer. The AA bit might be a better indicator, in my opinion.
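The rule described above (RA copied from the query's RD bit, AA on locally generated answers, NXDOMAIN with an empty AUTHORITY section for blocks), as an added illustration that is not RouteDNS code: it builds only the 12-byte DNS header for a static/blocked response and includes a checker for the "locally generated block" heuristic. The query headers at the bottom are constructed sample input.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1).
QR = 1 << 15          # response
AA = 1 << 10          # authoritative answer
RD = 1 << 8           # recursion desired (set by the client)
RA = 1 << 7           # recursion available (set by the server)
RCODE_NXDOMAIN = 3    # low 4 bits of the flags word


def parse_header(msg):
    """Return (id, flags, qdcount, ancount, nscount, arcount) of a wire-format message."""
    return struct.unpack("!6H", msg[:12])


def static_response_header(query, rcode=RCODE_NXDOMAIN, ancount=0):
    """Header of a locally generated (blocked/static) answer to `query`.

    QR and AA are set, RD is echoed, RA is set only when the query asked
    for recursion, AUTHORITY stays empty (no SOA), and QDCOUNT is carried
    over so the caller can append the original question section.
    """
    qid, qflags, qdcount, _, _, _ = parse_header(query)
    flags = QR | AA | (qflags & RD) | (rcode & 0xF)
    if qflags & RD:
        flags |= RA
    return struct.pack("!6H", qid, flags, qdcount, ancount, 0, 0)


def looks_blocked(msg):
    """Heuristic from the thread: NXDOMAIN with no AUTHORITY records.

    A real upstream NXDOMAIN normally carries the zone's SOA in AUTHORITY;
    a locally generated block does not, so nscount == 0 is the tell.
    """
    _, flags, _, _, nscount, _ = parse_header(msg)
    return (flags & 0xF) == RCODE_NXDOMAIN and nscount == 0


# Constructed sample query headers: id 0x1234, one question, with and without RD.
QUERY_RD = struct.pack("!6H", 0x1234, RD, 1, 0, 0, 0)
QUERY_NO_RD = struct.pack("!6H", 0x1234, 0, 1, 0, 0, 0)
# Constructed upstream-style NXDOMAIN with one SOA record in AUTHORITY.
UPSTREAM_NXDOMAIN = struct.pack("!6H", 0x1234, QR | RD | RA | RCODE_NXDOMAIN, 1, 0, 1, 0)
```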
Pi-hole seems to expect
Edit: Also this: NLnetLabs/unbound@392c1f0
My memory tricked me. I found an e-mail (as in: non-public) conversation with Quad9 employees back from 2018 where they described that a blocked query can be detected by the criterion Looking at their FAQ page, it's unclear:
As they are not telling us which blocking lists they are using, finding a domain where we know it is blocked may be tricky. However, if someone is willing to invest the time, this page may be useful. What I've found on their Pi-hole instructions is:
which exactly corresponds to the conditions I described above (
That seems to be the case:
$ dig @9.9.9.9 www.internetbadguys.com | grep -m2 'status\|flags'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26268
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
Also just realized that both of your examples return IP addresses, so the
I think there are two behaviours:
In both cases when the answer is locally generated (by RouteDNS), it doesn't really matter that the In all other cases it should follow suit of the dns client. When As indicator the I am actually doing this by default when blocking using a
(Using a TTL of
That's what EDE is for. This discussion was about whether the
Sets the RecursionAvailable flag in static responses (static-responder, blocklists, etc.) when the query requested it. This is to avoid the warning
Ref #403