[dns-operations] query dropping vs. returning nxdomain

Mark Andrews Mark_Andrews at isc.org
Tue Mar 7 05:45:50 UTC 2006


> I have a question regarding a potential abuse mitigation technique. 
> Please do not infer any sort of endorsement on my part of this sort 
> of behavior. I just wanted to see if I was completely in left field 
> in considering it antisocial.
> 
> Would it generally be considered poor form to drop queries you do 
> not want to answer? Perhaps not only queries that would return 
> NXDOMAIN, but also queries that maybe administratively you do not 
> wish to answer.

	I don't look forward to debugging a world where queries are
	just dropped.  There is too much of that with EDNS queries
	to DNS servers.

	Misconfigurations happen and turning them all into "timeout"
	is not going to be fun.
 
> For instance, say I operate a nameserver, and it has been delegated 
> something like '81.64.in-addr.arpa.'. Would it be poor form for me 
> to configure that nameserver to drop SOA queries for that domain?

	Yes.

	How would anyone know how to reach you when there was a
	problem with the zone or its servers?  And don't say "whois"
	as we all know that there is too much garbage there to be
	useful anymore.
 
> How about if I configured that same nameserver to drop other queries 
> that would return NXDOMAIN? For instance, a query that might occur 
> as part of CSA, like "SRV _client._smtp.81.64.in-addr.arpa."

	So you really want clients to just pound on your servers :-)

> Such behavior would probably make my nameserver much less likely to 
> be abused in some sort of spoofed query attack; and also might cause 
> it to emit slightly less traffic. Would you folks consider it a wise 
> tradeoff?

	No.
 
> Just wondering.
> matto
> 
> --matt at snark.net------------------------------------------<darwin><
>                The only thing necessary for the triumph
>                of evil is for good men to do nothing. - Edmund Burke
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
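The retry cost Mark alludes to ("clients just pound on your servers") can be made concrete with a small simulation. The following is an added example, not code from the original thread: it builds an RFC 1035 query for the SOA of 81.64.in-addr.arpa, then runs a simulated stub resolver against two hypothetical server behaviours, one that answers RCODE 3 (NXDOMAIN) and one that silently drops the packet. The retry count, per-try timeout and round-trip time are assumed values chosen for illustration, and the clock is simulated rather than real.

```python
"""Added example (not from the original post): NXDOMAIN answer vs. silent drop,
as seen by a retrying stub resolver. Wire format per RFC 1035; retry/timeout
figures below are assumptions, not values from the thread."""
import struct

RCODE_NXDOMAIN = 3   # RFC 1035 "Name Error"
QTYPE_SOA = 6
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qid: int, name: str, qtype: int = QTYPE_SOA) -> bytes:
    """Standard query: header with RD set, QDCOUNT=1, followed by one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def nxdomain_response(query: bytes) -> bytes:
    """Echo the question back with QR=1, AA=1, RD=1 and RCODE=3 (NXDOMAIN)."""
    qid, = struct.unpack("!H", query[:2])
    flags = 0x8000 | 0x0400 | 0x0100 | RCODE_NXDOMAIN
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + query[12:]  # question section copied verbatim


def rcode_of(response: bytes) -> int:
    """Low four bits of the flags word carry the response code."""
    flags, = struct.unpack("!H", response[2:4])
    return flags & 0x000F


def nxdomain_server(query: bytes):
    """Hypothetical server that answers every query with NXDOMAIN."""
    return nxdomain_response(query)


def drop_server(query: bytes):
    """Hypothetical server that silently discards every query."""
    return None


def resolve(server, name: str, retries: int = 3, timeout: float = 2.0,
            rtt: float = 0.02):
    """Simulated stub resolver: send, wait up to `timeout`, retry.

    Returns (outcome, queries_sent, simulated_seconds). `retries`, `timeout`
    and `rtt` are assumed figures for illustration only.
    """
    clock = 0.0
    sent = 0
    for attempt in range(retries):
        sent += 1
        reply = server(build_query(0x1000 + attempt, name))
        if reply is not None:
            clock += rtt
            outcome = "NXDOMAIN" if rcode_of(reply) == RCODE_NXDOMAIN else "OK"
            return outcome, sent, clock
        clock += timeout  # nothing came back: burn the whole timeout
    return "TIMEOUT", sent, clock


if __name__ == "__main__":
    name = "81.64.in-addr.arpa."
    for label, server in (("answer NXDOMAIN", nxdomain_server),
                          ("drop query", drop_server)):
        outcome, sent, secs = resolve(server, name)
        print(f"{label:16s} -> {outcome:9s} queries={sent} elapsed={secs:.2f}s")
```

Under these assumptions the answering server sees one packet and the client has its answer in one round trip; the dropping server sees every retry and the client still ends up with a timeout it cannot distinguish from a dead host, which is the debugging problem Mark describes. Scale the retries by the number of resolvers and the "slightly less traffic" expectation goes the other way.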