[Dnsmasq-discuss] Recursive warning ...

Simon Kelley simon@thekelleys.org.uk
Sun, 20 Feb 2005 16:36:49 +0000


gypsy wrote:
> GrantC wrote:
> 
>>On Thu, 17 Feb 2005 17:15:56 +0200, you wrote:
>>
>>
>>>Greetings ...
>>>
>>>      I have read in the mail list archive what a "refused to do a recursive
>>>query" is, but I'm lost.
>>>
>>>      I think that either I have misconfigured my installations of dnsmasq
>>>or I have a big problem with my network.
>>>
>>>      I'm currently getting 100MB worth of DNS traffic a day, this might be
>>>because I'm using anti-spam DNS stuff, but I'm also getting about 20738
>>>of these warning ...
>>>
>>>      Could I ask for some help to fix this?
>>
>>The biggest offender IMHO is the ban by spam filters doing
>>reverse lookups for each hit on the machine -- try a different
>>approach: kill each nn.nn.nn.nn/24 IP block that sources spam
>>in the firewall -- I imagine it wouldn't take long to have your
>>very own reject set that will immensely reduce DNS traffic.
>>
>>Then whitelist 'collateral damage' IPs, if any.  Worth a try?
>>
>>How soon will it be that DNS operators refuse or limit services
>>to sites that overload them?  Perhaps that is happening now?
>>
>>Cheers,
>>Grant.
> 
> 
> I'd like to add 2 ideas to the above.
> 
> 1) Add a DNS server to your list that you are sure DOES allow
> recursive.  I won't make any promises, but I'm successful with these:
> 207.171.0.10 
> 207.178.128.20
> 68.65.16.162
> 
> while
> 206.72.64.70 gives that message.
> 
> 2) http://ip.ludost.net/
> from which I obtained some valuable rules for iptables.
> --
> gypsy
> 

I'll limit the warnings to one per upstream nameserver in the next 
dnsmasq release. It doesn't make sense to spam logs with the same message 
over and over again...


Cheers,

Simon.
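As an added example (not part of this thread and not dnsmasq's own code), a short Python script that groups the "nameserver ... refused to do a recursive query" warnings in a dnsmasq syslog by upstream nameserver, so the servers that refuse recursion can be identified and dropped from the resolver list, and that emulates the one-warning-per-upstream suppression Simon describes. The log lines are constructed; the syslog prefix layout and the address 192.0.2.53 are assumptions, while 206.72.64.70 is the server the thread says produces the message.

```python
import re
from collections import Counter

# dnsmasq's warning text is "nameserver <ip> refused to do a recursive query";
# the "<timestamp> <host> dnsmasq[<pid>]:" syslog prefix is an assumption.
REFUSED_RE = re.compile(
    r"dnsmasq\[\d+\]: nameserver (?P<server>\S+) refused to do a recursive query"
)

# Constructed sample log (not from the original thread). 192.0.2.53 is a
# documentation address standing in for a second upstream server.
SAMPLE_LOG = """\
Feb 17 17:15:56 gw dnsmasq[2211]: nameserver 206.72.64.70 refused to do a recursive query
Feb 17 17:15:57 gw dnsmasq[2211]: nameserver 206.72.64.70 refused to do a recursive query
Feb 17 17:16:02 gw dnsmasq[2211]: query[A] mail.example.net from 192.168.1.5
Feb 17 17:16:02 gw dnsmasq[2211]: forwarded mail.example.net to 192.0.2.53
Feb 17 17:16:03 gw dnsmasq[2211]: nameserver 206.72.64.70 refused to do a recursive query
Feb 17 17:16:10 gw dnsmasq[2211]: nameserver 192.0.2.53 refused to do a recursive query
"""

def refusals_per_server(log_text):
    """Count recursion refusals per upstream nameserver."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REFUSED_RE.search(line)
        if m:
            counts[m.group("server")] += 1
    return counts

def servers_to_remove(log_text, threshold=1):
    """Upstreams that refused at least `threshold` times: candidates to
    drop from /etc/resolv.conf or dnsmasq's server= list."""
    return sorted(s for s, n in refusals_per_server(log_text).items() if n >= threshold)

def first_refusal_only(log_text):
    """Emulate the planned dnsmasq behaviour: keep the first warning per
    upstream server and drop the repeats. Returns (kept_lines, dropped_count)."""
    seen, kept, dropped = set(), [], 0
    for line in log_text.splitlines():
        m = REFUSED_RE.search(line)
        if not m:
            continue
        server = m.group("server")
        if server in seen:
            dropped += 1
        else:
            seen.add(server)
            kept.append(line)
    return kept, dropped

if __name__ == "__main__":
    for server, n in refusals_per_server(SAMPLE_LOG).most_common():
        print(f"{server}: {n} refusal(s)")
    kept, dropped = first_refusal_only(SAMPLE_LOG)
    print(f"{len(kept)} warning(s) kept, {dropped} repeat(s) suppressed")
```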