Feature Request - Ability to control RD (Recursion Desired) flag
Feature Request
It would be nice to have a knob to control whether the RD (Recursion Desired) bit is set.
I'm in a situation where I am talking to an internal DNS server that is authoritative for some zones, but I do not know which. It has upstream forwarders configured, however those upstreams will not actually answer the questions it is forwarding on my behalf.
To Reproduce
...You probably can't, without this strange setup, but here's an example of how unsetting RD makes a huge difference:
```
# time dig -x 10.0.1.2
;; communications error to 10.3.1.37#53: timed out
;; communications error to 10.3.1.37#53: timed out
;; communications error to 10.3.1.37#53: timed out
;; communications error to 10.3.1.37#53: timed out
; <<>> DiG 9.20.1-1-Debian <<>> -x 10.0.1.2
;; global options: +cmd
;; no servers could be reached
real 0m20.035s
user 0m0.010s
sys 0m0.011s
```
A ~20s timeout between requests is also reflected in dnsrecon's performance (albeit with multiple parallel queries timing out at once).
OTOH, turning off RD fails quickly:
```
# time dig +norecurse -x 10.0.1.2
; <<>> DiG 9.20.1-1-Debian <<>> +norecurse -x 10.0.1.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62261
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;2.1.0.10.in-addr.arpa. IN PTR
;; Query time: 0 msec
;; SERVER: 10.3.1.37#53(10.3.1.37) (UDP)
;; WHEN: Fri Sep 06 15:48:26 EDT 2024
;; MSG SIZE rcvd: 53
real 0m0.016s
user 0m0.008s
```
The dns.message.make_query call does support passing flags, and there's an example of setting flags=0 to turn off RD here:
https://github.com/rthalley/dnspython/blob/main/examples/query_specific.py
It would be nice if there was a flag to dnsrecon to expose this / turn off RD; AFAIK there isn't one. There is a --disable_check_recursion but that is different.
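For reference, an added example (not part of the original issue, and not dnsrecon or dnspython code) showing what the requested knob changes on the wire: the RD bit is a single bit in the DNS header flags word, and clearing it is what `+norecurse` or `flags=0` does. It uses only the Python standard library; the function names are hypothetical, and the sample response is constructed to mirror the header fields in the `dig +norecurse` output above, without the OPT record.

```python
import ipaddress
import struct

# Bits of the 16-bit flags word in the DNS header (RFC 1035, section 4.1.1)
QR = 0x8000   # message is a response
RD = 0x0100   # Recursion Desired, set by the client
RA = 0x0080   # Recursion Available, set by the server
TYPE_PTR, CLASS_IN = 12, 1
RCODE_SERVFAIL = 2


def build_ptr_query(ip, recursion_desired=True, qid=0x1234):
    """Return a wire-format PTR query for ip, with the RD bit set or cleared."""
    qname = ipaddress.ip_address(ip).reverse_pointer  # 2.1.0.10.in-addr.arpa
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in qname.split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", TYPE_PTR, CLASS_IN)


def parse_header(msg):
    """Decode the fixed 12-byte DNS header into the fields dig prints."""
    qid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": bool(flags & QR),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & 0x000F,
        "qdcount": qdcount,
        "ancount": ancount,
    }


# Constructed sample: a response with the header fields from the dig output
# above (id 62261, flags "qr ra", status SERVFAIL, no answers).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 62261, QR | RA | RCODE_SERVFAIL, 1, 0, 0, 0)
    + build_ptr_query("10.0.1.2")[12:]
)

if __name__ == "__main__":
    for rd in (True, False):
        query = build_ptr_query("10.0.1.2", recursion_desired=rd)
        print(f"RD={rd}: flags bytes {query[2:4].hex()}", parse_header(query))
    print("sample response:", parse_header(SAMPLE_RESPONSE))
```

The two queries differ only in byte 2 of the header, so a tool option for this only needs to choose the flags value passed when the query is built.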