[dns-operations] query dropping vs. returning nxdomain
Matt Ghali
matt at snark.net
Tue Mar 7 04:14:32 UTC 2006
I have a question regarding a potential abuse mitigation technique.
Please do not infer any sort of endorsement on my part of this sort
of behavior. I just wanted to see if I was completely in left field
in considering it antisocial.
Would it generally be considered poor form to drop queries you do
not want to answer? Perhaps not only queries that would return
NXDOMAIN, but also queries that maybe administratively you do not
wish to answer.
For instance, say I operate a nameserver, and it has been delagated
something like '81.64.in-addr.arpa.'. Would it be poor form for me
to configure that nameserver to drop SOA queries for that domain?
How about if I configured that same nameserver to drop other queries
that would return NXDOMAIN? For instance, a query that might occur
as part of CSA, like "SRV _client._smtp.81.64.in-addr.arpa."
Such behavior would probably make my nameserver much less likely to
be abused in some sort of spoofed query attack; and also might cause
it to emit slightly less traffic. Would you folks consider it a wise
tradeoff?
Just wondering.
matto
--matt at snark.net------------------------------------------<darwin><
The only thing necessary for the triumph
of evil is for good men to do nothing. - Edmund Burke
More information about the dns-operations
mailing list