[dns-operations] query dropping vs. returning nxdomain

Peter Dambier peter at peter-dambier.de
Tue Mar 7 08:39:45 UTC 2006

Matt Ghali wrote:
> I have a question regarding a potential abuse mitigation technique. 
> Please do not infer any sort of endorsement on my part of this sort 
> of behavior. I just wanted to see if I was completely in left field 
> in considering it antisocial.
> Would it generally be considered poor form to drop queries you do 
> not want to answer? Perhaps not only queries that would return 
> NXDOMAIN, but also queries that maybe administratively you do not 
> wish to answer.
> For instance, say I operate a nameserver, and it has been delegated
> something like '81.64.in-addr.arpa.'. Would it be poor form for me 
> to configure that nameserver to drop SOA queries for that domain?

I do look regularly into my log file. Chance is IASON would complain
about a lame server for one or more domains. If it gives too much
trouble to my resolver, I do write my own zone file automatically.

Some spam or popup companies have terribly bad dns. The only indication
of what IASON can do is some icons for broken links that don't look
half as nasty as what I can see on the Windows screens of other
people. :)


> How about if I configured that same nameserver to drop other queries 
> that would return NXDOMAIN? For instance, a query that might occur 
> as part of CSA, like "SRV _client._smtp.81.64.in-addr.arpa."
> Such behavior would probably make my nameserver much less likely to 
> be abused in some sort of spoofed query attack; and also might cause 
> it to emit slightly less traffic. Would you folks consider it a wise 
> tradeoff?

I guess it would reduce your traffic a bit. The legal queries would
stop. The abuse would stay. Your clients might complain that except
for spam they would not receive any more emails. Your clients might
even complain that they could no longer send emails because the
receiver did not find their dns and rejected them.

I think you are on the right track but in this special case you
must be nastier:

Verizon would introduce a wildcard.

Why not introduce some advertising of your own? Why not create
a subdomain using the nameservers

microsoft.com.          126737  IN      NS      ns1.msft.net.
microsoft.com.          126737  IN      NS      ns2.msft.net.
microsoft.com.          126737  IN      NS      ns3.msft.net.
microsoft.com.          126737  IN      NS      ns4.msft.net.
microsoft.com.          126737  IN      NS      ns5.msft.net.

I would give them the chance to do some free advertising and
to present a cure for exactly our problem. :)

> Just wondering.
> matto
> --matt at snark.net------------------------------------------<darwin><
>                The only thing necessary for the triumph
>                of evil is for good men to do nothing. - Edmund Burke

Dropping queries instead of answering NXDOMAIN is something
I see more often. Maybe it is in preparation of a multiple
root system. Say if ICANN does not answer I can try again
using New.Net.

The bad side is it creates nasty clients. Instead of asking one
server at a time and waiting for the answer it asks all of
them at once and just drops all but the first one answering.

I would very much prefer the reinvention of AXFR.

Why not allow people to transfer your authoritative zones
and not see them again for the rest of the month?

Closing open resolvers we force people to run their own.
Forwarders do not make sense any longer. Forget Windows
even if it can run BIND. Yes that is a first step to
get rid of most vermin. Every decent operating system
can run a resolver that queries from the root down.

If you do download (AXFR,ftp) the root file you do not
even need to bother the rootservers for a month at least.

And first of all forget your ISP's resolver if it is
located in Germany or Italy, maybe most of the others.

Enough ranting. I don't like Matto's ideas but mine are
just as nasty.

Closing open resolvers - unthinkable?

I remember Windows could not do internet. They learned.

Mac OS X, Linux, BSD, Solaris, ...
all of them can run djbdns.

Give them a "." zone file and we can even get rid of
the root-servers.

You can download the ICANN root-zone


Why not the others? That would even work in the
event of a nasty attack.

If you mean '81.64.in-addr.arpa.' is dangerous
information then why do you publish it in the
first place?

Peter and Karin Dambier

The Public-Root Consortium
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com
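The tradeoff argued in this thread (an authoritative server that silently drops queries versus one that answers NXDOMAIN, and what a well-behaved resolver does in each case) as an added simulation; this is not code from the original posts, and the timeout, retry count, negative-cache TTL and reply size are assumed constants rather than measured values.

```python
"""Constructed model of the thread's question: drop vs. NXDOMAIN.
A cooperative resolver retries a silent server after a timeout, then
moves to the next nameserver; a negative answer is cached for NEG_TTL
seconds (RFC 2308 negative caching), so it is asked only once."""
from dataclasses import dataclass, field

NEG_TTL = 900          # assumed negative-cache TTL (seconds)
TIMEOUT = 2.0          # assumed per-query timeout (seconds)
RETRIES = 3            # assumed retries per nameserver
NXDOMAIN_BYTES = 120   # assumed size of an NXDOMAIN reply with SOA


@dataclass
class Authoritative:
    policy: str                 # "drop" or "nxdomain"
    queries_in: int = 0
    bytes_out: int = 0

    def serve(self, name):
        self.queries_in += 1
        if self.policy == "drop":
            return None         # silently discard the query
        self.bytes_out += NXDOMAIN_BYTES
        return "NXDOMAIN"


@dataclass
class Resolver:
    servers: list
    cache: dict = field(default_factory=dict)   # name -> expiry time
    queries_sent: int = 0

    def lookup(self, name, now):
        if self.cache.get(name, -1) > now:
            return "NXDOMAIN", 0.0              # served from negative cache
        waited = 0.0
        for srv in self.servers:
            for _ in range(RETRIES):
                self.queries_sent += 1
                answer = srv.serve(name)
                if answer is not None:
                    self.cache[name] = now + NEG_TTL
                    return answer, waited
                waited += TIMEOUT               # no reply: wait, then retry
        return "SERVFAIL", waited               # every server stayed silent


def simulate(policy, lookups=5, interval=60):
    """Run repeated lookups of one name; return client and server costs."""
    servers = [Authoritative(policy) for _ in range(2)]
    resolver = Resolver(servers)
    worst = 0.0
    for i in range(lookups):
        rc, waited = resolver.lookup("_client._smtp.81.64.in-addr.arpa", i * interval)
        worst = max(worst, waited)
    return {"client_queries": resolver.queries_sent, "client_result": rc,
            "server_bytes_out": sum(s.bytes_out for s in servers),
            "worst_wait_s": worst}
```

Dropping zeroes the server's outgoing bytes but multiplies the legitimate client's queries and leaves it with SERVFAIL after a long wait, which is the mail rejection the reply predicts; one NXDOMAIN is answered once and then served from the negative cache.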
