> On 16 Aug 2024, at 06:40, Fred Morris <[email protected]> wrote:
>
> On Thu, 15 Aug 2024, Geoff Huston wrote:
>>
>> As to "what can you do"? there have been a couple of responses to this:
>>
>
> If you run Response Policy Zones (and BIND) you can partially mitigate the
> impact of search lists on this at the recursive resolver by defining things
> like *.com.example and *.com.example.com as "CNAME ." and ensuring
> qname-wait-recurse is set to "no". (Probably best to look at your own traffic
> with wireshark and identify the low hanging fruit.)

This is a really BAD idea. If you are seeing
<dotted.name>.<search.list.element>, the search list configuration is broken.
Partially qualified names are a security hazard.
> --
>
> Fred Morris
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
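
Mark's objection is that a query of the form <dotted.name>.<search.list.element> arriving at the recursive resolver is a symptom of a broken client search list, so the place to fix it is the client, not an RPZ rule that masks it. The following is an added example, not code from this thread or from ISC, that scans BIND query-log lines (constructed samples) for exactly that pattern and reports which clients produce it; the search-list suffixes and log lines are assumptions.

```python
"""Find clients whose search list is being appended to already-dotted names."""
import re
from collections import defaultdict

# Assumed: the suffixes your clients carry in their search lists. Legitimate
# sub-zones belong here too, so that names under them are not flagged.
SEARCH_SUFFIXES = ("example.com", "corp.example.com")

# Matches the BIND query-log line shape: "client [@0x..] IP#port (name): query: name IN type ..."
_LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[^#\s]+)#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
15-Aug-2024 10:00:01.123 client @0x7f3c 192.0.2.10#53512 (www.google.com.example.com): query: www.google.com.example.com IN A +E(0)K (192.0.2.1)
15-Aug-2024 10:00:01.456 client @0x7f3c 192.0.2.10#53512 (www.google.com): query: www.google.com IN A +E(0)K (192.0.2.1)
15-Aug-2024 10:00:02.001 client @0x7f3d 192.0.2.11#40000 (intranet.corp.example.com): query: intranet.corp.example.com IN A +E(0)K (192.0.2.1)
15-Aug-2024 10:00:02.500 client @0x7f3e 192.0.2.12#41000 (mail.corp.example.com.example.com): query: mail.corp.example.com.example.com IN AAAA +E(0)K (192.0.2.1)
"""


def leaked_prefix(qname, suffixes=SEARCH_SUFFIXES):
    """Return the dotted name a search-list suffix was appended to, or None.

    Longest suffix wins, so "intranet.corp.example.com" is treated as a name
    under corp.example.com rather than as "intranet.corp" + example.com.
    """
    name = qname.rstrip(".").lower()
    for suffix in sorted(suffixes, key=len, reverse=True):
        if name.endswith("." + suffix.lower()):
            prefix = name[: -len(suffix) - 1]
            # A dot in what remains means the client qualified a dotted name.
            return prefix if "." in prefix else None
    return None


def scan(lines, suffixes=SEARCH_SUFFIXES):
    """Map client IP -> set of dotted names that were search-list expanded."""
    hits = defaultdict(set)
    for line in lines:
        m = _LOG_RE.search(line)
        if m is None:
            continue
        prefix = leaked_prefix(m.group("qname"), suffixes)
        if prefix:
            hits[m.group("ip")].add(prefix)
    return dict(hits)


if __name__ == "__main__":
    for ip, names in sorted(scan(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}: search list appended to {', '.join(sorted(names))}")
```

Each reported client is a host whose resolver configuration is appending a suffix to a name it should have treated as fully qualified; the report is the starting point for fixing those clients.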