Entry

When I test my Bind server with dnsq, I get "weird ra" in the output - what does that mean?

Sep 10th, 2008 02:37
carla simths, Brian Coogan,

This is a sample of dnsq output containing 'weird ra':
  $ dnsq a exa.com.au dnsone.exa.com.au
  1 exa.com.au:
  82 bytes, 1+0+1+0 records, response, authoritative, weird ra, noerror
  query: 1 exa.com.au
  authority: exa.com.au 86400 SOA dnsone.exa.com.au 
postmaster.exa.com.au 2001061401 10800 3600 604800 86400
dnsq says "weird ra" because it did not set the RD (recursion desired)
bit in the query, but the RA (recursion available) bit was set in the
response indicating that the server was prepared to do a recursive 
lookup anyway.  The "weird ra" message is normal for Bind servers; you 
will not see the "weird ra" message when testing against tinydns.
As far as the RFCs go, this is not strictly weird behaviour.  (There 
was quite a long debate on the mailing list about it in March 2001).  
It is only weird if you consider that the server volunteered to perform 
a recursive lookup when you didn't ask for it.  If you view the setting 
of this bit as merely an indication that the server would be willing to 
recurse, nothing is weird.
Regardless, the presence of the message does not indicate a problem as 
such.
What it does indicate is that your server is probably publicly 
available, that is, anyone can ask your server to perform recursive 
lookups.  This is a minor misconfiguration at best and allows others to 
use your resolver services, and possibly launch Denial of Service (DOS) 
attacks against you at worst.
Smart quote from Al Lipscomb (Mar, 2001):
I think it would be weird if I asked you "Do you know his name?"
and you answered "Yes his name is Bob, but I would be willing to go ask
someone else for you if you would like me to."   :)
http://reisendubai.blogspot.com/
http://reisenmalediven.blogspot.com/