Dig WARNING: recursion requested but not available
I'm trying to write a DNS proxy to block ad DNS requests (return NxDomain) for learning purposes.
```rust
let mut request = request.clone(); // Clone the request received from client
request.take_queries(); // Remove all queries out of the request
request.add_query(query.to_owned()); // Add one query with the ads uri
request
    .set_message_type(MessageType::Response) // Change the type to response
    .set_response_code(ResponseCode::NXDomain); // Update response code in header to NxDomain
request // return
```
When testing the code above with `dig 2mdn.net @0.0.0.0`, I received the response below:
```
λ dig 2mdn.net @0.0.0.0
; <<>> DiG 9.10.6 <<>> 2mdn.net @0.0.0.0
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3685
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;2mdn.net. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(0.0.0.0)
;; WHEN: Thu Apr 28 01:02:17 PDT 2022
;; MSG SIZE rcvd: 37
```
And there's a warning about a failed recursion request.
As indicated in the HEADER flags, there's no ra flag being set. Why would the client send another request after receiving the response?
AD (Authentic Data): indicates the resolver believes the responses to be authentic - that is, validated by DNSSEC
The ad flag in the example above belongs to the request, but why would a request carry this flag?
Is it necessary for a DNS resolver to set those flags? If they are not set (except qr), would the client reject the response despite the id being the same?
Thanks in advance!
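Added example, not part of the original question and not trust-dns code: a std-only sketch of the header flags involved, showing that echoing the client's flags yields `qr rd ad` (rd set, ra clear, the condition dig warns about), while setting RA and clearing AD yields `qr rd ra`. The helper names and the 37-byte sample query are constructed here; setting RA assumes the proxy forwards non-blocked names to a recursive resolver.

```rust
// Added example, std only. Flag masks per RFC 1035 section 4.1.1 (AD: RFC 4035).
const QR: u16 = 0x8000; // message is a response
const RD: u16 = 0x0100; // recursion desired, set by the client
const RA: u16 = 0x0080; // recursion available, set by the server
const AD: u16 = 0x0020; // authentic data
const NXDOMAIN: u16 = 3; // RCODE occupies the low 4 bits

fn flags_of(msg: &[u8]) -> u16 {
    u16::from_be_bytes([msg[2], msg[3]])
}

/// Rewrite a query header into an NXDOMAIN reply. `echo` keeps the client's flags
/// untouched (what cloning the request does); otherwise RA is set and AD cleared.
fn nxdomain_reply(query: &[u8], echo: bool) -> Option<Vec<u8>> {
    if query.len() < 12 || flags_of(query) & QR != 0 {
        return None; // truncated header, or already a response
    }
    let mut flags = (flags_of(query) & !0x000F) | QR | NXDOMAIN;
    if !echo {
        flags = (flags | RA) & !AD; // assumption: proxy recurses, nothing was validated
    }
    let mut reply = query.to_vec();
    reply[2..4].copy_from_slice(&flags.to_be_bytes());
    Some(reply)
}

/// Condition behind dig's "recursion requested but not available" warning.
fn dig_would_warn(reply: &[u8]) -> bool {
    flags_of(reply) & RD != 0 && flags_of(reply) & RA == 0
}

/// Flags in the order dig prints them, e.g. "qr rd ad".
fn flag_names(msg: &[u8]) -> String {
    let table = [(QR, "qr"), (RD, "rd"), (RA, "ra"), (AD, "ad")];
    let set = table.iter().filter(|(m, _)| flags_of(msg) & m != 0);
    set.map(|(_, n)| *n).collect::<Vec<&str>>().join(" ")
}

/// Constructed query: 2mdn.net A, id 3685, flags rd+ad, EDNS OPT with udp 4096.
fn sample_query() -> Vec<u8> {
    let mut q = vec![0x0e, 0x65, 0x01, 0x20, 0, 1, 0, 0, 0, 0, 0, 1];
    q.extend_from_slice(b"\x042mdn\x03net\x00\x00\x01\x00\x01"); // question
    q.extend_from_slice(&[0, 0, 41, 0x10, 0, 0, 0, 0, 0, 0, 0]); // OPT record
    q
}

fn main() {
    for echo in [true, false] {
        let r = nxdomain_reply(&sample_query(), echo).unwrap();
        println!("echo={}: flags: {}; warn={}", echo, flag_names(&r), dig_would_warn(&r));
    }
}
```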
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
