[Dnsmasq-discuss] Recursive warning ...
gypsy
gypsy@iswest.com
Thu, 17 Feb 2005 19:41:25 -0800
GrantC wrote:
>
> On Thu, 17 Feb 2005 17:15:56 +0200, you wrote:
>
> >Greetings ...
> >
> > I have read in the mail list archive what a "refused to do a recursive
> >query" is, but I'm lost.
> >
> > I think that either I have miss configured my installations of dnsmasq
> >or I have a big problem with my network.
> >
> > I'm currently getting 100MB worth of DNS traffic a day, this might be
> >because I'm using anti-spam DNS stuff, but I'm also getting about 20738
> >of these warning ...
> >
> > Could I ask for some help to fix this.
>
> The biggest offender IMHO is the ban by spam filters doing
> reverse lookups for each hit on the machine -- try a different
> approach: kill each nn.nn.nn.nn/24 IP block that sources spam
> in the firewall -- I imagine it wouldn't take long to have your
> very own reject set that will immensely reduce DNS traffic.
>
> Then whitelist 'collateral damage' IPs, if any. Worth a try?
>
> How soon will it be that DNS operators refuse or limit services
> to sites that overload them? Perhaps that is happening now?
>
> Cheers,
> Grant.
I'd like to add 2 ideas to the above.
1) Add a DNS server to your list that you are sure DOES allow
recursive. I won't make any promises, but I'm successful with these:
207.171.0.10
207.178.128.20
68.65.16.162
while
206.72.64.70 gives that message.
2) http://ip.ludost.net/
from which I obtained some valuable rules for iptables.
--
gypsy