[dns-operations] query dropping vs. returning nxdomain

Matt Ghali matt at snark.net
Tue Mar 7 04:14:32 UTC 2006

I have a question regarding a potential abuse mitigation technique. 
Please do not infer any sort of endorsement on my part of this sort 
of behavior. I just wanted to see if I was completely in left field 
in considering it antisocial.

Would it generally be considered poor form to drop queries you do 
not want to answer? Perhaps not only queries that would return 
NXDOMAIN, but also queries that maybe administratively you do not 
wish to answer.

For instance, say I operate a nameserver, and it has been delagated 
something like '81.64.in-addr.arpa.'. Would it be poor form for me 
to configure that nameserver to drop SOA queries for that domain?

How about if I configured that same nameserver to drop other queries 
that would return NXDOMAIN? For instance, a query that might occur 
as part of CSA, like "SRV _client._smtp.81.64.in-addr.arpa."

Such behavior would probably make my nameserver much less likely to 
be abused in some sort of spoofed query attack; and also might cause 
it to emit slightly less traffic. Would you folks consider it a wise 

Just wondering.

--matt at snark.net------------------------------------------<darwin><
               The only thing necessary for the triumph
               of evil is for good men to do nothing. - Edmund Burke

More information about the dns-operations mailing list