Best allow-query setting on an authoritative-only nameserver
Kevin Darcy
kcd at daimlerchrysler.com
Tue Apr 3 23:48:32 UTC 2007
Ronan Flood wrote:
> On 03 Apr 2007 00:30:51 +0100,
> Chris Thompson <cet1 at hermes.cam.ac.uk> wrote:
>
>> better, what are the pros and cons of "allow-query {none;};" versus
>> "allow-query {any;};" in this context? Is it better to reply REFUSED
>> or to give a referral to the root nameservers? (I suppose one should
>> also distinguish between "better for us" and "better for them".)
>>
>
> There's the possibility of data amplification in a DoS attack with a
> spoofed source address. REFUSED should be the same size as the query,
> but a root referral might be much larger -- just trying it now using
> "dig @ip . ns", the REFUSED is 17 bytes, the referral is more than
> twenty times that size
>
Hmmm... A 20-to-1 ratio doesn't exactly make one a prime target for DoS
amplification. Not when there are folks who seem to have confused DNS
with a generic information repository and have 4Kb+ TXT-record responses
available from publicly-queryable zones.
- Kevin
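As an added illustration (not from this thread or from the BIND project): a named.conf fragment for an authoritative-only server that refuses everything by default and opens querying only per zone, so a question for a name it is not authoritative for gets a small REFUSED instead of a root referral. The zone name and file path are placeholders.

```conf
options {
    directory "/var/named";
    recursion no;              // authoritative-only: never recurse for anyone
    allow-query { none; };     // default: REFUSED unless a zone below opens it
    allow-transfer { none; };  // permit transfers only where explicitly listed
};

zone "example.com" {           // placeholder zone name
    type master;
    file "example.com.zone";   // placeholder zone file
    allow-query { any; };      // public authoritative data: answer anyone
};
```

The zone-level allow-query overrides the options-level one only for queries that fall inside that zone; anything else is matched against the options-level { none; } and refused.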