This is a feature idea.
I have two Technitium instances at different sites running in a cluster. I am using them for both DNS hosting and recursion for ad and malware blocking. I don't want to have my two servers open to the world, prone to amplification attacks. Since my client variation is distributed (like different ISPs, dynamic IPs with different locations and mobile clients), I can't limit recursion only to an IP group or to private IPs only.
It would be best to be able to have 53/UDP serve only authoritative answers and drop recursion requests, but allow recursion on other protocols like DoH, DoT and DoQ.
I know DoH and DoT also have different attack vectors, but still, it would be a big leap at mitigation.
Don't you agree?

Replies: 2 comments 1 reply

Thanks for the request. Running both a public authoritative and a recursive DNS server together is not recommended and not a good idea. It's best to have separate DNS servers for both roles so as to avoid multiple such issues, since all config that the DNS server has applies to all supported protocols. For example, you won't be able to configure a proper rate limiting value either for such a deployment, since it may not work well for both the roles the DNS server is configured for.

I see. In fact that's already the reason why I suggested separating the rate limiting settings for the type of requests. Running different instances would need two different IP addresses and would be harder to maintain, I think. Because that would mean at least 3 different sites with 3 different IPs, and in my case it would be better with 4 of them, for it wouldn't be very reliable to have only one authoritative server.
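Added example, not Technitium's code and not from anyone in this thread: a small policy simulator for the split the feature idea proposes. It parses the RD bit and question name out of a raw DNS query packet and decides, per transport, whether the server would answer from its own zones, recurse, or refuse; the zone names, transport labels and sample packets are constructed placeholders.

```python
import struct

# Constructed placeholders: zones this server is authoritative for, and the
# encrypted transports on which recursion stays enabled under the proposal.
AUTHORITATIVE_ZONES = ("example.net.", "example.org.")
RECURSION_TRANSPORTS = ("doh", "dot", "doq")
RD_FLAG = 0x0100  # Recursion Desired bit in the DNS header flags word


def build_query(qname, rd=True, qtype=1, txid=0x1234):
    """Assemble a minimal RFC 1035 query packet (only used to construct sample input)."""
    header = struct.pack("!HHHHHH", txid, RD_FLAG if rd else 0, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_query(packet):
    """Return (rd, qname, qtype) for the first question; rejects malformed packets."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question section")
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return bool(flags & RD_FLAG), ".".join(labels) + ".", qtype


def in_authoritative_zone(qname):
    return any(qname == z or qname.endswith("." + z) for z in AUTHORITATIVE_ZONES)


def decide(transport, packet):
    """Policy from the thread: UDP/53 serves only own zones; recursion only on DoH/DoT/DoQ."""
    rd, qname, _ = parse_query(packet)
    if in_authoritative_zone(qname):
        return "answer-authoritative"
    if rd and transport in RECURSION_TRANSPORTS:
        return "recurse"
    return "refuse"  # REFUSED instead of recursing keeps UDP/53 from being an open resolver
```

A real deployment would apply this classification before any upstream lookup is issued, so the only thing a spoofed UDP query can elicit is a small REFUSED or an answer from the server's own zones.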