patch for dropping unapproved queries

Kevin Darcy kcd at daimlerchrysler.com
Sat Jul 1 00:29:26 UTC 2000


I think this is a step in the right direction. But a better way may be to make "blackhole" a
zone-specific option which would override the global "blackhole" option. When used with negation,
this could give you the same functionality as what you have implemented, e.g. the global
"blackhole" could apply to everyone except your internal clients; the public zones could then have
"blackhole { none; };". Doing it this way would also allow one, if they wished, to define a stratum
of clients -- those that fall between "allow-query" and "blackhole" -- that would get
REFUSED responses.

Even more useful, in my opinion, would be a mechanism whereby a fixed answer, or a random answer,
could be given to requestors who were blocked by an ACL. By "fixed answer", I'm thinking the address
(or SRV record) of a server serving a web page informing the user that their site's resolver is
broken, or an FTP/SMTP/telnet server with a similar message in its banner. By giving a
*non-productive* answer to the queries, you're more likely to get the problem fixed at its root,
rather than just lessening its impact.

- Kevin

Joe Pruett wrote:

> i've talked about this for a long time so i finally got energetic enough
> today to do it.
>
> in my scenario (an isp), i have the global allow-query set for only my
> local nets and then i set allow-query to all for any domain that i host.
> this is supposed to keep random bozos from using me as their resolver.
> but resolvers don't track servers that give them a REFUSED answer and so
> they keep right on asking.  what this patch does is to just drop the
> request when it isn't allowed via the allow-query options.  there is a new
> global level option called drop-refused-query that is a yes/no flag.  it
> doesn't affect all REFUSED answers, just the ones caused by the
> allow-query checks.  that seemed like the simplest fix.
>
> so far it seems to be doing what i want.  maybe something like this can
> make it into bind9 (if it isn't there already)?
>
> let me know if you use this, or think it is a bad idea.  it applies
> against 8.2.2-P5.
>
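A small model of the three client strata Kevin describes (answered, REFUSED, silently dropped) together with the per-zone "blackhole" override he proposes. This is an added example written for this page, not code from the thread or from BIND itself; the first-match ACL semantics with "!" negation mirror BIND address-match lists, while the per-zone override, the sample networks and the zone names are assumptions constructed for illustration.

```python
import ipaddress

def acl_match(acl, client):
    """First-match evaluation of a BIND-style address-match list: entries are
    CIDR strings, 'any' or 'none'; a leading '!' negates the entry."""
    ip = ipaddress.ip_address(client)
    for entry in acl:
        negated = entry.startswith("!")
        token = entry[1:] if negated else entry
        if token == "any":
            hit = True
        elif token == "none":
            hit = False
        else:
            hit = ip in ipaddress.ip_network(token, strict=False)
        if hit:
            return not negated          # negated match means "no, stop here"
    return False                        # nothing matched: list does not match

# Constructed ISP policy: the global blackhole drops every non-internal source;
# zones may override either option (Kevin's proposed semantics, hypothetical).
GLOBAL = {"allow-query": ["10.0.0.0/8"],
          "blackhole":   ["!10.0.0.0/8", "any"]}
ZONES = {
    # hosted public zone: answer everyone, never drop
    "example.net":      {"allow-query": ["any"], "blackhole": ["none"]},
    # partner zone: internal and partner nets answered, one abusive net dropped,
    # everyone else sits in the middle stratum and gets REFUSED
    "partners.example": {"allow-query": ["10.0.0.0/8", "172.16.0.0/12"],
                         "blackhole":   ["203.0.113.0/24"]},
}

def query_disposition(client, zone):
    """Return 'ANSWER', 'REFUSED' or 'DROP' for a query on zone from client."""
    policy = dict(GLOBAL)
    policy.update(ZONES.get(zone, {}))  # zone-level options win over global
    if acl_match(policy["blackhole"], client):
        return "DROP"                   # no packet sent back at all
    if acl_match(policy["allow-query"], client):
        return "ANSWER"
    return "REFUSED"                    # may talk to us, may not query this zone

if __name__ == "__main__":
    for client, zone in (("10.1.2.3", "other.org"), ("198.51.100.7", "other.org"),
                         ("198.51.100.7", "example.net"), ("172.16.5.5", "partners.example"),
                         ("198.51.100.7", "partners.example"), ("203.0.113.9", "partners.example")):
        print(f"{client:>14} {zone:<18} {query_disposition(client, zone)}")
```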