On Sat, Jul 30, 2011 at 11:33 AM, Drew Weaver <drew.weaver@thenap.com>wrote:
And at this point he may as well just ACL in-front of the recursors to prevent the traffic from hitting the servers thus reducing load needed to reject the queries on the servers themselves.
A problem for providers of DNS recursive servers as a hosted service, is the client sender IP address may be dynamic and off-net. And the DNS protocol does not provide a method of authentication, or passing credentials from the client to the server to authorize the use of recursive DNS. This differs from SMTP. There really is no such thing as a "closed recursive resolver", except where unwanted queries are blocked by IP. All we really have is TSIG for such scenarios, and most client resolvers do not support loading the resolver with a secret key, in order to authorize recursive access. So it follows, that in a number cases, "closing recursive access" is not a good option. A good example, would be services such as OpenDNS. Regards, -- -JH