North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: DNS Blocking

  • From: Paul Vixie
  • Date: Thu Aug 19 19:22:44 2004

[email protected] (Suresh Ramasubramanian) writes:

> > and you're done.  any query that anyone sends to your server for that zone
> > will be sent something that will hurt them.  eventually they will realize
> > that it's hurting them, and they will stop.
> 
> yes but you pointed out before, deploying this would not be a good idea 
> when the queries are coming in from spoofed source addresses .. the best 
> thing for that would be to filter these out.

someone else pointed that out.  i don't agree.  you can send back three
things.  icmp-unreach (if there's no nameserver running where the bogus
NS+A is pointing); or servfail (or upward delegation) if there's a name
server running where the bogus NS+A points but it does not serve the zone;
or harmful garbage designed to shift the pain back toward the person who
pointed the bad traffic at you in the first place.

it's possible that with spoofed-source, these three alternatives are
interchangeable.

it's definite that filtering out spoofed-source is the best thing to do,
but since this is way harder to do as a recipient than as a sender, it's
not a realistic alternative to running a dns server with deliberately bad
zone data.
-- 
Paul Vixie