Best allow-query setting on an authoritative-only nameserver

Kevin Darcy kcd at daimlerchrysler.com
Tue Apr 3 01:15:28 UTC 2007


In practical terms, I don't think it really matters much. Either way, 
the requestor isn't going to get any useful information back. Either 
way, if someone is so incompetent or malicious as to delegate a zone to 
your nameservers, for which you are non-authoritative/lame, then any 
reasonable caching resolver following that lame delegation is going to 
mark you as lame for the zone regardless of whether the response is 
REFUSED or an upwards referral.

In theory, REFUSED might save you a few octets in your responses, but 
probably not enough to make any significant difference in your network 
traffic. On the downside, REFUSED might possibly -- again, in _theory_ 
-- heighten curiosity and thus increase the incidence of probing (they 
might think you have a *real* example.com zone defined, with sensitive 
information in it, and you're just blocking their particular address 
range from querying it).

Again, I don't think it really matters much...

                                                                         
                           - Kevin

Chris Thompson wrote:
> The scenario is a nameserver with "recursion no" in options and
> each zone statement having its own explicit "allow-query" setting
> (mostly "any"). This is intended only as an authoritative server
> for a number of zones.
>
> Question: what is the best setting for "allow-query" in options,
> which applies only to queries not in any of those zones? Or perhaps
> better, what are the pros and cons of "allow-query {none;};" versus
> "allow-query {any;};" in this context? Is it better to reply REFUSED
> or to give a referral to the root nameservers? (I suppose one should
> also distinguish between "better for us" and "better for them".)
>
> To be honest, not _quite_ all the zones have their own allow-query
> in the case I am thinking of. "localhost", "0.0.127.in-addr.arpa",
> etc. inherit the setting from options.
>
> BIND 9.3.4 incidentally, so allow-query-cache not relevant yet.
>
>   
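
The two configurations Chris is weighing, written out as a named.conf fragment. This is an added example, not a file posted by either participant: the zone names, file names and addresses are placeholders, and the comments mark which of the two global allow-query choices is in effect.

```conf
// Added example (not from the thread): an authoritative-only BIND 9.3
// named.conf contrasting the two global allow-query choices discussed
// above. Zone names, file names and addresses are placeholders.

options {
    directory "/var/named";
    recursion no;              // authoritative-only: never recurse for anyone

    // Choice A: refuse queries that match no configured zone.
    // A query for a name outside every zone below gets status REFUSED.
    allow-query { none; };

    // Choice B (the alternative): answer such queries with an upward
    // referral to the root servers taken from the hint zone, still
    // without recursing.
    // allow-query { any; };
};

// The upward referral in choice B is built from these root hints.
zone "." {
    type hint;
    file "named.root";
};

// Public zones carry their own allow-query, so they answer the same way
// whichever global choice is made.
zone "example.org" {
    type master;
    file "db.example.org";
    allow-query { any; };
};

zone "2.0.192.in-addr.arpa" {
    type master;
    file "db.192.0.2";
    allow-query { any; };
};

// Local convenience zones without their own allow-query inherit the
// options value, so under choice A they would be REFUSED too. Give them
// an explicit setting if they are meant to answer for the local host.
zone "localhost" {
    type master;
    file "db.localhost";
    allow-query { 127.0.0.1; ::1; };
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "db.127.0.0";
    allow-query { 127.0.0.1; ::1; };
};
```

To see which behaviour a running server exhibits, query it for a name in a zone it does not serve with recursion switched off, for example `dig @ns1.example.org +norecurse www.example.com A` (hypothetical server name). Under choice A the response status is REFUSED; under choice B it is NOERROR with an empty ANSWER section and the root NS records in the AUTHORITY section, which is the upward referral the thread describes. As Chris notes, allow-query-cache is not available in 9.3.4; it appears in BIND 9.4 and later and separates access to cached data from access to authoritative zones.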



More information about the bind-users mailing list