Correct, Keith's server is not configured to current best security practices. His server has what is called "upward referrals" turned on.

https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful

I believe what you want at a minimum is:

    additional-from-cache no;

Also, it sounds like you are using your DNS server for two functions: caching for internal clients, and authoritative for your domain name(s). If so you probably should isolate both functions:

"If your nameserver is both authoritative and caching, you really should separate the two functions. Caching nameservers are susceptible to poisoning and other types of attacks. You don't necessarily need separate hardware for each. You might need to use separate IP addresses, or possibly configure the authoritative nameserver to use an external address while the caching nameserver uses an internal address."

See also: https://kb.isc.org/docs/bind-best-practices-authoritative

and: https://kb.isc.org/docs/bind-best-practices-recursive

On Thu, Feb 11, 2021 at 10:08:21AM -0500, Robert N. Evans via WLUG wrote:
That is not what I see when I query one of the major name servers. I would guess your server is configured differently...
rne@P5:~$ dig @1.1.1.1 isc.org
; <<>> DiG 9.16.1-Ubuntu <<>> @1.1.1.1 isc.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31866
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;isc.org.                       IN      A

;; ANSWER SECTION:
isc.org.                9       IN      A       149.20.1.66

;; Query time: 24 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Feb 11 10:03:30 EST 2021
;; MSG SIZE  rcvd: 52
-BE
-----Original Message-----
From: Keith Wright via WLUG <wlug@lists.wlug.org>
Sent: Feb 11, 2021 1:04 AM
To: Worcester Linux Users' Group General Discussion <wlug@lists.wlug.org>
Cc: wlug@lists.wlug.org, Andre.Lehovich@gmx.com, Keith Wright <kwright@keithdiane.us>
Subject: [WLUG] Re: WLUG Meeting Feb 11th 2021! Topic: Good question!
Andre Lehovich via WLUG <wlug@lists.wlug.org> writes:
dig @66.92.74.188 isc.org
Here you go, hope it's useful...
Thank you. That's a lot of information.
quetzal:~ al$ dig @66.92.74.188 isc.org
; <<>> DiG 9.10.6 <<>> @66.92.74.188 isc.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11995
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 27
;; WARNING: recursion requested but not available
           ^^^^^^^^^ ^^^^^^^^^ ^^^ ^^^ ^^^^^^^^^

That looks good. I don't want to be doing recursion for you (nothing personal).
But where did all the rest of that come from? I've never seen anything like that! Did my server send all that? Why??
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;isc.org.                       IN      A

;; AUTHORITY SECTION:
.                       348191  IN      NS      c.root-servers.net.
.                       348191  IN      NS      d.root-servers.net.
.                       348191  IN      NS      e.root-servers.net.
.                       348191  IN      NS      f.root-servers.net.
.                       348191  IN      NS      g.root-servers.net.
.                       348191  IN      NS      h.root-servers.net.
.                       348191  IN      NS      i.root-servers.net.
.                       348191  IN      NS      j.root-servers.net.
.                       348191  IN      NS      k.root-servers.net.
.                       348191  IN      NS      l.root-servers.net.
.                       348191  IN      NS      m.root-servers.net.
.                       348191  IN      NS      a.root-servers.net.
.                       348191  IN      NS      b.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.     348191  IN      A       198.41.0.4
a.root-servers.net.     348191  IN      AAAA    2001:503:ba3e::2:30
b.root-servers.net.     348191  IN      A       199.9.14.201
b.root-servers.net.     348191  IN      AAAA    2001:500:200::b
c.root-servers.net.     348191  IN      A       192.33.4.12
c.root-servers.net.     348191  IN      AAAA    2001:500:2::c
d.root-servers.net.     348191  IN      A       199.7.91.13
d.root-servers.net.     348191  IN      AAAA    2001:500:2d::d
e.root-servers.net.     348191  IN      A       192.203.230.10
e.root-servers.net.     348191  IN      AAAA    2001:500:a8::e
f.root-servers.net.     348191  IN      A       192.5.5.241
f.root-servers.net.     348191  IN      AAAA    2001:500:2f::f
g.root-servers.net.     348191  IN      A       192.112.36.4
g.root-servers.net.     348191  IN      AAAA    2001:500:12::d0d
h.root-servers.net.     348191  IN      A       198.97.190.53
h.root-servers.net.     348191  IN      AAAA    2001:500:1::53
i.root-servers.net.     348191  IN      A       192.36.148.17
i.root-servers.net.     348191  IN      AAAA    2001:7fe::53
j.root-servers.net.     348191  IN      A       192.58.128.30
j.root-servers.net.     348191  IN      AAAA    2001:503:c27::2:30
k.root-servers.net.     348191  IN      A       193.0.14.129
k.root-servers.net.     348191  IN      AAAA    2001:7fd::1
l.root-servers.net.     348191  IN      A       199.7.83.42
l.root-servers.net.     348191  IN      AAAA    2001:500:9f::42
m.root-servers.net.     348191  IN      A       202.12.27.33
m.root-servers.net.     348191  IN      AAAA    2001:dc3::35

;; Query time: 150 msec
;; SERVER: 66.92.74.188#53(66.92.74.188)
;; WHEN: Wed Feb 10 20:31:08 PST 2021
;; MSG SIZE  rcvd: 819
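As an added illustration (not part of the thread or any BIND tooling), a small Python classifier that reads dig output like the two transcripts above and names what the responding server did: a recursive answer, an authoritative answer, an upward referral (NOERROR, no answer, the root NS set handed back by a server that does not offer recursion), or a refusal. The first two sample transcripts are abridged from the thread; the REFUSED one is constructed to show what a hardened authoritative-only server returns for an off-zone name.

```python
import re

# Abridged dig transcripts from the thread, cut down to the lines the
# classifier needs (sample input for this example, not full captures).
KEITH = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11995
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 27
;; WARNING: recursion requested but not available
;; AUTHORITY SECTION:
.                       348191  IN      NS      c.root-servers.net.
.                       348191  IN      NS      d.root-servers.net.
"""
CLOUDFLARE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31866
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
isc.org.                9       IN      A       149.20.1.66
"""
# Constructed: an authoritative-only server declining an off-zone query.
REFUSED = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4242
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

STATUS_RE = re.compile(r"status: (\w+),")
FLAGS_RE = re.compile(r"flags: ([a-z ]*);\s*QUERY: \d+, ANSWER: (\d+), AUTHORITY: (\d+)")
# An NS record for the root (owner name ".") pointing at a root server.
ROOT_NS_RE = re.compile(r"^\.\s+\d+\s+IN\s+NS\s+[a-m]\.root-servers\.net\.$", re.M)

def classify(dig_output):
    """Return a short verdict describing how the server handled the query."""
    status = STATUS_RE.search(dig_output).group(1)
    m = FLAGS_RE.search(dig_output)
    flags = set(m.group(1).split())
    answers, authority = int(m.group(2)), int(m.group(3))
    root_ns = len(ROOT_NS_RE.findall(dig_output))
    if status == "REFUSED":
        return "refused"
    if answers > 0 and "aa" in flags:
        return "authoritative-answer"
    if answers > 0:
        return "recursive-answer"          # ra set, answer came from cache/recursion
    if "ra" not in flags and authority > 0 and root_ns > 0:
        # No answer, recursion unavailable, yet the root NS set is returned:
        # the upward referral the thread is discussing.
        return "upward-referral"
    return "other"

if __name__ == "__main__":
    for name, text in (("Keith", KEITH), ("1.1.1.1", CLOUDFLARE), ("hardened", REFUSED)):
        print(f"{name}: {classify(text)}")
```

Run it against `dig @<your-server> <name-outside-your-zones>` output; an "upward-referral" verdict is the condition `additional-from-cache no;` and the ISC best-practice pages above are meant to address.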