North American Network Operators Group

Re: DNS Blocking
[email protected] (Suresh Ramasubramanian) writes:

> > and you're done. any query that anyone sends to your server for that zone
> > will be sent something that will hurt them. eventually they will realize
> > that it's hurting them, and they will stop.
>
> yes, but you pointed out before, deploying this would not be a good idea
> when the queries are coming in from spoofed source addresses .. the best
> thing for that would be to filter these out.

someone else pointed that out. i don't agree.

you can send back three things: icmp-unreach (if there's no nameserver running where the bogus NS+A is pointing); or servfail (or upward delegation) if there's a name server running where the bogus NS+A points but it does not serve the zone; or harmful garbage designed to shift the pain back toward the person who pointed the bad traffic at you in the first place.

it's possible that with spoofed-source, these three alternatives are interchangeable. it's definite that filtering out spoofed-source is the best thing to do, but since this is way harder to do as a recipient than as a sender, it's not a realistic alternative to running a dns server with deliberately bad zone data.

--
Paul Vixie